nginx: improve compatibility with unwind
On Sun, Jun 23, 2024 at 01:56:41AM +0100, Kirill A. Korinsky wrote:
> Greetings,
>
> I just realized that I forgot to add maintainer.
>
> So, I fixed it.
>
> BTW the patch was accepted to freenginx:
> https://freenginx.org/hg/nginx/rev/ea0eef2dd12c
>
> ports@
>
> Here is a trivial patch which improves compatibility with unwind.
>
> I'm using the following unwind.config:
>
> preference { recursor oDoT-autoconf }
>
> forwarder { 172.31.2.1 }
>
> force accept bogus forwarder {
>     some.internal.domain
> }
>
> where 172.31.2.1 is Unifi GW and nginx is configured as:
>
> server {
>     listen 127.0.0.1:80;
>
>     resolver 127.0.0.1;
>
>     set $nas_uri "http://nas.some.internal.domain";
>
>     location / {
>         proxy_pass $nas_uri;
>     }
> }
>
> it can't be used due to errors in the log:
>
> 2024/06/15 11:53:55 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
> 2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
> 2024/06/15 11:54:00 [error] 30452#0: invalid UDP DNS response 49184 fl:81A0
> 2024/06/15 11:54:05 [error] 30452#0: invalid UDP DNS response 30883 fl:81A0
>
> because nginx rejects responses with the AD bit enabled.
It is possible to argue that it is correct in doing so, *if* it
didn't set the AD flag in the request.
See https://www.rfc-editor.org/rfc/rfc6840#section-5.8
So a question is: what did the request look like?
I must say that the RFC using SHOULD here does not help a lot.
-Otto
>
> So, here is the diff to include a patch that allows it. This patch was sent to
> both nginx and freenginx upstreams.
>
> diff --git www/nginx/Makefile www/nginx/Makefile
> index e0ed50751ed..2051bc152b3 100644
> --- www/nginx/Makefile
> +++ www/nginx/Makefile
> @@ -21,7 +21,7 @@ COMMENT-securelink= nginx HMAC secure link module
> VERSION= 1.26.1
> DISTNAME= nginx-${VERSION}
> CATEGORIES= www
> -REVISION-main= 0
> +REVISION-main= 1
>
> VERSION-njs= 0.8.2
> VERSION-rtmp= 1.2.1
> diff --git www/nginx/patches/patch-src_core_ngx_resolver_c www/nginx/patches/patch-src_core_ngx_resolver_c
> new file mode 100644
> index 00000000000..b07cea4cc97
> --- /dev/null
> +++ www/nginx/patches/patch-src_core_ngx_resolver_c
> @@ -0,0 +1,12 @@
> +Index: src/core/ngx_resolver.c
> +--- src/core/ngx_resolver.c.orig
> ++++ src/core/ngx_resolver.c
> +@@ -1774,7 +1774,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_cha
> + (response->nar_hi << 8) + response->nar_lo);
> +
> + /* response to a standard query */
> +- if ((flags & 0xf870) != 0x8000 || (trunc && tcp)) {
> ++ if ((flags & 0xf850) != 0x8000 || (trunc && tcp)) {
> + ngx_log_error(r->log_level, r->log, 0,
> + "invalid %s DNS response %ui fl:%04Xi",
> + tcp ? "TCP" : "UDP", ident, flags);
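Review bot: in the `+ if ((flags & 0xf850) != 0x8000 ...` line the mask stays a bare constant, so nothing records that the only bit dropped from 0xf870 is 0x0020, the AD bit this thread is about, while 0x0040 (Z) and 0x0010 (CD) are still required to be clear. A one-line comment above the test naming the bits that are checked and the one that is now ignored would make that explicit. The patch file also opens directly at `Index:` with no note that the change was accepted in freenginx (the rev linked in the message), which would help whoever updates the port decide when the patch can be dropped.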
>
>
> --
> wbr, Kirill
>
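As an added example (not part of the thread and not nginx's own code), the program below decodes the flags word from the `fl:81A0` log lines and applies the comparison from the patched line with both masks, showing which header bit decides the outcome. The helper names `accepted` and `flag_names` are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits (RFC 1035 section 4.1.1; AD and CD as used by DNSSEC). */
#define DNS_QR     0x8000u  /* 1 = response */
#define DNS_OPCODE 0x7800u  /* 0 = standard query */
#define DNS_Z      0x0040u  /* reserved, must be zero */
#define DNS_AD     0x0020u  /* authentic data */
#define DNS_CD     0x0010u  /* checking disabled */
#define DNS_RCODE  0x000fu

#define MASK_OLD 0xf870u    /* QR | OPCODE | Z | AD | CD, before the patch */
#define MASK_NEW 0xf850u    /* QR | OPCODE | Z | CD, after the patch */

/* Same comparison as the patched line, with the mask as a parameter
 * (hypothetical helper, not an nginx function). */
static int accepted(uint16_t flags, uint16_t mask)
{
    return (flags & mask) == DNS_QR;
}

/* List the single-bit flags set in `flags` as text; len must be >= 1. */
static const char *flag_names(uint16_t flags, char *buf, size_t len)
{
    static const struct { uint16_t bit; const char *name; } tab[] = {
        { DNS_QR, "QR" }, { 0x0400, "AA" }, { 0x0200, "TC" }, { 0x0100, "RD" },
        { 0x0080, "RA" }, { DNS_Z, "Z" }, { DNS_AD, "AD" }, { DNS_CD, "CD" },
    };
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
        if (!(flags & tab[i].bit)) continue;
        if (buf[0]) strncat(buf, " ", len - strlen(buf) - 1);
        strncat(buf, tab[i].name, len - strlen(buf) - 1);
    }
    return buf;
}

int main(void)
{
    char buf[64];
    uint16_t fl = 0x81A0;   /* from the "fl:81A0" log lines on the page */

    printf("fl:%04X = %s, opcode %u, rcode %u\n", (unsigned) fl,
           flag_names(fl, buf, sizeof(buf)),
           (unsigned) ((fl & DNS_OPCODE) >> 11), (unsigned) (fl & DNS_RCODE));
    printf("mask 0x%04X: %s\n", MASK_OLD, accepted(fl, MASK_OLD) ? "accepted" : "rejected");
    printf("mask 0x%04X: %s\n", MASK_NEW, accepted(fl, MASK_NEW) ? "accepted" : "rejected");
    return 0;
}
```

A response with CD set (for example 0x8190) is still rejected under the new mask, since only the AD bit was removed from the check.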