Commit 2f10df80 authored by Mark Andrews

Merge branch '173-option-to-disable-responding-with-cookies-isc-support-12614-v9_11' into 'v9_11'

Resolve "option to disable responding with cookies [ISC-Support #12614]"

See merge request !154
parents f5ae506b ae0f6f20
4966. [func] Add the ability to not return a DNS COOKIE option
when one is present in the request (answer-cookie no;).
[GL #173]
4965. [func] Add support for marking options as deprecated.
[GL #322]
......@@ -1912,7 +1912,9 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
/*
* If we have already seen a cookie option skip this cookie option.
*/
if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) {
if ((!ns_g_server->answercookie) ||
(client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0)
{
isc_buffer_forward(buf, (unsigned int)optlen);
return;
}
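Review bot: The comment above the condition still reads `If we have already seen a cookie option skip this cookie option`, but the new first operand skips the option whenever `ns_g_server->answercookie` is false, so the comment no longer describes the check; suggest `/* Skip this cookie option if answer-cookie is disabled, or if we have already seen one. */`. Because the early return happens before anything in the option is examined, a client's cookie is not parsed or validated at all when answer-cookie is off, so the client is presumably handled exactly like one that sent no cookie (including for nocookie-udp-size) rather than merely not receiving a cookie back, which is more than the ARM text's "will not be sent in replies" conveys. This should be confirmed against the rest of process_cookie, which continues outside the hunk, and stated in the option's documentation.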
......@@ -47,6 +47,7 @@
/*% default configuration */
static char defaultconf[] = "\
options {\n\
answer-cookie true;\n\
automatic-interface-scan yes;\n\
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
# blackhole {none;};\n"
......@@ -124,6 +124,7 @@ struct ns_server {
unsigned char secret[32]; /*%< Server Cookie Secret */
ns_altsecretlist_t altsecrets;
ns_cookiealg_t cookiealg;
isc_boolean_t answercookie;
dns_dtenv_t *dtenv; /*%< Dnstap environment */
......@@ -8327,6 +8327,11 @@ load_configuration(const char *filename, ns_server_t *server,
server->flushonshutdown = ISC_FALSE;
}
obj = NULL;
result = ns_config_get(maps, "answer-cookie", &obj);
INSIST(result == ISC_R_SUCCESS);
server->answercookie = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "cookie-algorithm", &obj);
INSIST(result == ISC_R_SUCCESS);
......@@ -9033,6 +9038,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->lockfile = NULL;
server->dtenv = NULL;
server->answercookie = ISC_TRUE;
server->magic = NS_SERVER_MAGIC;
*serverp = server;
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.7 dscp 1;
notify-source 10.53.0.7 dscp 2;
transfer-source 10.53.0.7 dscp 3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion no;
answer-cookie no;
send-cookie yes;
nocookie-udp-size 512;
};
zone "." {
type master;
file "root.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ SOA a.root-servers.nil. hostmaster.isc.org. 1 600 600 1200 600
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.2
large.xxx TXT ( large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large
large large large large large large large large )
......@@ -19,3 +19,4 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
......@@ -55,14 +55,23 @@ do
done
n=`expr $n + 1`
echo_i "checking COOKIE token returned to empty COOKIE option ($n)"
echo_i "checking COOKIE token is returned to empty COOKIE option ($n)"
ret=0
$DIG $DIGOPTS +qr +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.1 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking COOKIE is not returned when answer-cookie is false ($n)"
ret=0
$DIG $DIGOPTS +cookie version.bind txt ch @10.53.0.7 > dig.out.test$n
grep COOKIE: dig.out.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking response size without COOKIE ($n)"
ret=0
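Review bot: The negative check `grep COOKIE: dig.out.test$n > /dev/null && ret=1` also passes if ns7 answered without any OPT record, or if dig never attached a cookie, so it does not by itself show that a cookie was received and deliberately not echoed. Add `grep "EDNS: version" dig.out.test$n > /dev/null || ret=1` after the COOKIE grep so the response is at least confirmed to be an EDNS response. The ns7 configuration also sets `nocookie-udp-size 512;`, and root.db carries a large.xxx TXT record, so a UDP query for it against 10.53.0.7 would pin down how answer-cookie no interacts with that limit; whether the following "response size without COOKIE" check already targets ns7 is not visible here.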
......@@ -6171,6 +6171,35 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>answer-cookie</command></term>
<listitem>
<para>
When set to the default value of <userinput>yes</userinput>,
COOKIE EDNS options will be sent when applicable in
replies to client queries. If set to
<userinput>no</userinput>, COOKIE EDNS options will not
be sent in replies. This can only be set at the global
options level, not per-view.
</para>
<para>
<command>answer-cookie</command> is only available
as a temporary measure, for use when
<command>named</command> shares an IP address
with other servers that do not yet support DNS
COOKIE. A mismatch between servers on the same
address is not expected to cause operational
problems, but the option to disable COOKIE responses
so that all servers have the same behavior is
provided out of an abundance of caution. DNS COOKIE
is an important security mechanism and should not be
disabled unless absolutely necessary. The
<command>answer-cookie</command> option is obsolete
as of BIND 9.13.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>send-cookie</command></term>
<listitem>
......@@ -128,6 +128,26 @@
'root-key-sentinel no;' to named.conf. [GL #37]
</para>
</listitem>
<listitem>
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add 'answer-cookie no;' to named.conf. [GL #173]
</para>
<para>
<command>answer-cookie</command> is only available as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational problems,
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism and should not be disabled unless absolutely
necessary. The <command>answer-cookie</command> option
is obsolete as of BIND 9.13.
</para>
</listitem>
</itemizedlist>
</section>
......@@ -1024,6 +1024,7 @@ static cfg_type_t cfg_type_fstrm_model = {
*/
static cfg_clausedef_t
options_clauses[] = {
{ "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
......@@ -930,6 +930,8 @@
./bin/tests/system/cookie/ns5/root.hint ZONE 2018
./bin/tests/system/cookie/ns6/named.conf.in CONF-C 2018
./bin/tests/system/cookie/ns6/root.hint ZONE 2018
./bin/tests/system/cookie/ns7/named.conf.in CONF-C 2018
./bin/tests/system/cookie/ns7/root.db ZONE 2018
./bin/tests/system/cookie/setup.sh SH 2018
./bin/tests/system/cookie/tests.sh SH 2014,2015,2016,2017,2018
./bin/tests/system/coverage/01-ksk-inactive/README X 2013,2018