Commit a6887424 authored by Ondřej Surý, committed by Evan Hunt

Un-deprecate the answer-cookie option

parent 19f4d840
Pipeline #2657 passed with stages
in 6 minutes and 8 seconds
4983. [cleanup] Remove the deprecated flag from "answer-cookie";
it will be allowed to persist into 9.13. [GL #275].
4982. [cleanup] Return FORMERR if the question section is empty
and no COOKIE option is present; this restores
older behavior except in the newly specified
......
......@@ -6183,19 +6183,16 @@ options {
options level, not per-view.
</para>
<para>
<command>answer-cookie</command> is only available
as a temporary measure, for use when
<command>named</command> shares an IP address
with other servers that do not yet support DNS
COOKIE. A mismatch between servers on the same
address is not expected to cause operational
problems, but the option to disable COOKIE responses
so that all servers have the same behavior is
provided out of an abundance of caution. DNS COOKIE
is an important security mechanism and should not be
disabled unless absolutely necessary. The
<command>answer-cookie</command> option is obsolete
as of BIND 9.13.
<command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational
problems, but the option to disable COOKIE responses so
that all servers have the same behavior is provided out
of an abundance of caution. DNS COOKIE is an important
security mechanism, and should not be disabled unless
absolutely necessary.
</para>
</listitem>
</varlistentry>
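Review bot: the rewritten paragraph still describes <command>answer-cookie no</command> as "only intended as a temporary measure", but with the "obsolete as of BIND 9.13" sentence dropped it no longer gives the reader any end point. Suggest saying that the option remains available in 9.13, as CHANGES entry 4983 states, and that the setting should be removed from named.conf once every server sharing the address supports DNS COOKIE.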
......
......@@ -118,8 +118,7 @@
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism and should not be disabled unless absolutely
necessary. The <command>answer-cookie</command> option
is obsolete as of BIND 9.13.
necessary.
</para>
</listitem>
</itemizedlist>
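Review bot: dropping "The answer-cookie option is obsolete as of BIND 9.13." from the end of this entry reverses an earlier statement without saying so. Readers who saw the previous notes were told the option would go away; one sentence here stating that it is retained in 9.13 would make clear that the earlier statement no longer holds.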
......@@ -135,6 +134,26 @@
using (now obsolete) idnkit-1 library.
</para>
</listitem>
<listitem>
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
add <command>answer-cookie no;</command> to
<filename>named.conf</filename>. [GL #173]
</para>
<para>
<command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
same address is not expected to cause operational problems,
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism, and should not be disabled unless absolutely
necessary.
</para>
</listitem>
</itemizedlist>
</section>
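Review bot: the second paragraph of the added list item repeats, word for word, the caveat that the entry in the previous hunk already carries (the text ending "should not be disabled unless absolutely necessary."), and the same wording is also in the hunk at -6183. That leaves three copies to keep in sync. Suggest keeping the first paragraph with its [GL #173] reference here and pointing to the option's reference entry for the caveat instead of duplicating it.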
......
......@@ -1024,7 +1024,7 @@ static cfg_type_t cfg_type_fstrm_model = {
*/
static cfg_clausedef_t
options_clauses[] = {
{ "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "answer-cookie", &cfg_type_boolean, 0 },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
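Review bot: with the flags field of the "answer-cookie" entry changed from CFG_CLAUSEFLAG_DEPRECATED to 0, a configuration containing answer-cookie no; is now accepted without any warning, while the documentation in this same commit says the setting is temporary and that DNS COOKIE "should not be disabled unless absolutely necessary". Consider having named log a notice when COOKIE responses are disabled, so the setting stays visible to operators. No test change is visible in the commit as shown; a configuration-check test confirming the option parses without a deprecation warning would cover the flag change.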
......