New-DJBDNS 1.06

Hello..!!!

I’m extremely happy to announce, the release 1.06 of the New-DJBDNS is now available for general usage. New updates are pushed to Fedora repositories and shall soon be available via stable channels. It’s a landmark 10’th release of the project. 🙂

        See -> http://pjp.dgplug.org/ndjbdns/

A major highlight of this release is the couple of security fixes for potential Denial of Service (DoS) flaws. One happens by a subtle hash collision attack, while the other is a result of excessive read(2) calls. It is highly recommended to upgrade your set-up to use 1.06 release. Nevertheless, CVE requests for these vulnerabilities were rejected on non-technical grounds.
See:
        -> http://www.openwall.com/lists/oss-security/2014/02/10/4
        -> http://www.openwall.com/lists/oss-security/2014/02/17/3

Apart from these issues, 1.06 release fixes an important time zone bug(discussed -> here) to account for the Daylight Savings Time(DST) and introduces new command line options to read from non-default configuration file. This will help to run multiple instances of servers with different configuration parameters. Thanks to Francisco M Biete for writing a patch to introduce new options and to Don Ky for reporting the time zone issue.

Another major highlight of this release is an excellent documentation contributed by Satya K. It was the last pending packaging goal set in the early days, now met! 🙂

        See -> http://pjp.dgplug.org/ndjbdns/document.html

If you find a bug or spot anything amiss, please let me know, I’ll fix it. With last of the initial goals met, this release truly marks an important milestone in the evolution of the New-DJBDNS. Many people have contributed, in various ways, to this progress & the growth of New-DJBDNS. I sincerely thank them all for the constant support and encouragement they have offered me. It’s bliss!

Now, it’s time to set new achievable goals. It’s time to define the new possibilities. One of the long-standing inherent drawback of the New-DJDBNS is its inability to communicate over IPv6. In the second spell of its development, I plan to rid New-DJBDNS of this very inability. Apart from this super goal, if you have suggestions, feature requests or patches that you’d like to see merged in New-DJBDNS, I’m all ears, please feel free to write to me.

Thank you! 🙂

Of chroot, time zone and glibc

A N-DJBDNS user reported an issue saying, “Timestamps logged by the DNS servers are off by one hour. Doesn’t N-DJBDNS account for Daylight Savings Time(DST)? Our time changed this week.”

I was puzzled. Because N-DJBDNS servers use system time zone by initialising the TZ environment variable with it. System time zone is identified by a file ‘/etc/localtime’. Often it is a symbolic link pointing to one of the binary data file under ‘/usr/share/zoneinfo/’. Standard <time.h> functions read from this file to perform their operation. Since N-DJBDNS servers are confined to the chroot(2) jail, they can not access ‘/etc/localtime’ and thus have to rely on the
POSIX TZ environment variable for the time zone definition.
See:
        vsftpd: vsf_sysutil_tzset(void) -> ../vsftpd-3.0.2/sysutil.c
        postfix: -> http://www.postfix.org/postconf.5.html (search for “TZ”)

How does one set this TZ variable? The closest I could get was the tzset(3) standard API. Going by its name, one would expect it to set the time zone appropriately, so that applications continue to see correct times. But far from it, the API actually reads TZ variable if it is set or reads ‘/etc/localtime’ when TZ is not set and initialises three public variables:

        extern char *tzname[2];
        extern long timezone;
        extern int daylight;

Of these, ‘tzname’ array stores standard & dst time zone names(ex: EST/EDT), ‘timezone’ stores the standard time offset from UTC(ex: +5:30/-12:00) and ‘daylight’ acts as a boolean variable indicating whether current time zone follows DST rules during any time of the year or not at all. tzset(3) manual says ‘daylight’ has been obsolete for many years. Thus is not useful. A saving grace for the tzset(3) API is that its manual is quite elaborate about 3 formats of the TZ variable.

N-DJBDNS was using the standard time zone name from ‘tzname[2]’ array and standard time offset from ‘timezone’ variable to define the TZ environment variable in its “std offset” format as IST+5:30 OR NZST-12:00 etc. This is where the bug lies, TZ definition does not account for DST time changes.

But there is no standard method to appropriately define the TZ variable so that it accounts for Daylight Savings Time, as and when it is applicable. I discussed this issue with the upstream glibc developers. They also agreed that it’ll help to have an API to query system time zone definition. As per the discussion, three bugs have been filed against glibc, including an RFE for a new time zone API.

        BZ#1077902 -> [RFE] A new API to query time zone data from the tzdata files.
        BZ#1077377 -> tzset(3) incorrectly sets the ‘int daylight’ variable.
        BZ#1076794 -> tzset(3) incorrectly sets tzname[1] DST time zone name.

A basic patch too has been submitted for the new time zone API. If you are interested in contributing to glibc, please join the discussion at #glibc on irc.freenode.net and libc-help mailing list. These bugs are classic low hanging fruits for someone to start with. 🙂

Btw, the N-DJBDNS issue is fixed here -> d77a7d6dd1a2.