Commit c631ff56 authored by Mark Andrews's avatar Mark Andrews
Browse files

Updated CHANGES note to include require-server-cookie:

4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
                        cookie-secret, cookie-algorithm, nocookie-udp-size
                        and require-server-cookie.  The following dig options
                        are available: +[no]cookie[=value] and +[no]badcookie.
                        [RT #39928]
parent 7c0f238c
......@@ -73,9 +73,10 @@
4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
cookie-secret, cookie-algorithm, nocookie-udp-size
and require-server-cookie. The following dig options
are available: +[no]cookie[=value] and +[no]badcookie.
[RT #39928]
4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
......
......@@ -183,6 +183,7 @@ options {\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
fetches-per-server 0;\n\
require-server-cookie no;\n\
"
#ifdef HAVE_GEOIP
"\
......
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
......@@ -133,7 +133,7 @@ server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable>
<title>TRUSTED-KEYS</title>
<literallayout>
trusted-keys {
<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
......@@ -142,7 +142,7 @@ trusted-keys {
<title>MANAGED-KEYS</title>
<literallayout>
managed-keys {
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
......@@ -300,9 +300,9 @@ options {
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
clients { <replacable>acl</replacable>; };
exclude { <replacable>acl</replacable>; };
mapped { <replacable>acl</replacable>; };
clients { <replaceable>acl</replaceable>; };
exclude { <replaceable>acl</replaceable>; };
mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
......@@ -378,6 +378,13 @@ options {
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
cookie-algorithm ( <replaceable>aes</replaceable> | <replaceable>sha1</replaceable> | <replaceable>sha256</replaceable> );
cookie-secret <replaceable>string</replaceable>;
require-server-cookie <replaceable>boolean</replaceable>;
send-cookie <replaceable>boolean</replaceable>;
nocookie-udp-size <replaceable>integer</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
......@@ -489,9 +496,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
clients { <replacable>acl</replacable>; };
exclude { <replacable>acl</replacable>; };
mapped { <replacable>acl</replacable>; };
clients { <replaceable>acl</replaceable>; };
exclude { <replaceable>acl</replaceable>; };
mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
......@@ -561,6 +568,10 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
require-server-cookie <replaceable>boolean</replaceable>;
send-cookie <replaceable>boolean</replaceable>;
nocookie-udp-size <replaceable>integer</replaceable>;
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
......@@ -604,7 +615,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>;
<optional>...</optional>
......@@ -676,13 +687,13 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
......
......@@ -6973,7 +6973,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
}
}
} else if (!TCP(client) && WANTCOOKIE(client) && !HAVECOOKIE(client)) {
} else if (!TCP(client) && client->view->requireservercookie &&
WANTCOOKIE(client) && !HAVECOOKIE(client)) {
client->message->rcode = dns_rcode_badcookie;
goto cleanup;
}
......
......@@ -3531,6 +3531,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
view->sendcookie = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "require-server-cookie", &obj);
INSIST(result == ISC_R_SUCCESS);
view->requireservercookie = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "max-clients-per-query", &obj);
INSIST(result == ISC_R_SUCCESS);
......
/*
* Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.3 dscp 1;
notify-source 10.53.0.3 dscp 2;
transfer-source 10.53.0.3 dscp 3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
except-from { "goodcname.example.net";
"gooddname.example.net"; };
allow-query {!10.53.0.8; any; };
send-cookie yes;
nocookie-udp-size 512;
require-server-cookie yes;
};
zone "." {
type hint;
file "root.hint";
};
zone "example" {
type master;
file "example.db";
};
; Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.hint,v 1.7 2007/06/19 23:47:05 tbox Exp $
$TTL 999999
. IN NS a.root-servers.nil.
a.root-servers.nil. IN A 10.53.0.2
......@@ -113,5 +113,26 @@ grep "10.53.0.2.*\[cookie=" ns1/named_dump.db > /dev/null|| ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking require-server-cookie default (no) ($n)"
ret=0
$DIG +qr +cookie +nobadcookie soa @10.53.0.1 -p 5300 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking require-server-cookie yes ($n)"
ret=0
$DIG +qr +cookie +nobadcookie soa @10.53.0.3 -p 5300 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
......@@ -4807,6 +4807,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
<optional> send-cookie <replaceable>yes_or_no</replaceable>; </optional>
<optional> require-server-cookie <replaceable>yes_or_no</replaceable>; </optional>
<optional> cookie-algorithm <replaceable>secret_string</replaceable>; </optional>
<optional> cookie-secret <replaceable>secret_string</replaceable>; </optional>
<optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
......@@ -6464,12 +6465,22 @@ options {
</varlistentry>
<varlistentry>
<term><command>request-sit</command></term>
<term><command>request-sit</command></term>
<para>
This experimental option is obsolete.
</para>
</varlistentry>
<varlistentry>
<term><command>require-server-cookie</command></term>
<para>
Require a valid server cookie before sending a full
response to a UDP request from a cookie aware client.
BADCOOKIE is sent if there is a bad or no existent
server cookie.
</para>
</varlistentry>
<varlistentry>
<term><command>send-cookie</command></term>
<listitem>
......@@ -6498,7 +6509,7 @@ options {
<listitem>
<para>
This experimental option is obsolete.
</para>
</para>
</listitem>
</varlistentry>
......@@ -8402,16 +8413,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
will not be accepted, and for each incoming request
a previous pending request will also be dropped.
</para>
<para>
A "soft quota" is also set. When this lower
<para>
A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
for each one, a pending request will be dropped.
If <option>recursive-clients</option> is greater than
1000, the soft quota is set to
<option>recursive-clients</option> minus 100;
otherwise it is set to 90% of
<option>recursive-clients</option>.
</para>
If <option>recursive-clients</option> is greater than
1000, the soft quota is set to
<option>recursive-clients</option> minus 100;
otherwise it is set to 90% of
<option>recursive-clients</option>.
</para>
</listitem>
</varlistentry>
......@@ -8520,13 +8531,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<listitem>
<para>
The maximum number of simultaneous iterative
queries that the server will allow to be sent to
a single upstream name server before blocking
additional queries.
queries that the server will allow to be sent to
a single upstream name server before blocking
additional queries.
This value should reflect how many fetches would
normally be sent to any one server in the time it
would take to resolve them. It should be smaller
than <option>recursive-clients</option>.
than <option>recursive-clients</option>.
</para>
<para>
Optionally, this value may be followed by the keyword
......@@ -11191,7 +11202,7 @@ example.com CNAME rpz-tcp-only.
>http://127.0.0.1:8888/json/v1/tasks</ulink>
(task manager statistics), and
<ulink url="http://127.0.0.1:8888/json/v1/traffic"
>http://127.0.0.1:8888/json/v1/traffic</ulink>
>http://127.0.0.1:8888/json/v1/traffic</ulink>
(traffic sizes).
</para>
</sect2>
......
......@@ -50,7 +50,7 @@
when parsing certain malformed DNSSEC keys.
</para>
<para>
This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
This flaw was discovered by Hanno B&#x96;ck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</para>
</listitem>
......@@ -564,21 +564,23 @@
<listitem>
<para>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has be replace the COOKIE
option (code point 10) and is no longer experimental and
is sent by default.
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <command>named</command> and
<command>dig</command>.
</para>
<para>
The SIT related named.conf options have been marked as
obsolete and are otherwise ignored.
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</para>
</listitem>
<listitem>
<para>
When retrying a query via TCP due to the first answer
being truncated, <command>dig</command> will now correctly
send the Server COOKIE returned by the server in the prior
response. [RT #39047]
When <command>dig</command> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
[RT #39047]
</para>
</listitem>
<listitem>
......
......@@ -127,6 +127,7 @@ struct dns_view {
isc_boolean_t enablednssec;
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
isc_boolean_t requireservercookie;
dns_transfer_format_t transfer_format;
dns_acl_t * cacheacl;
dns_acl_t * cacheonacl;
......
......@@ -234,6 +234,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_fixedname_init(&view->redirectfixed);
view->requestnsid = ISC_FALSE;
view->sendcookie = ISC_TRUE;
view->requireservercookie = ISC_FALSE;
view->new_zone_file = NULL;
view->new_zone_config = NULL;
view->cfg_destroy = NULL;
......
......@@ -1602,6 +1602,7 @@ view_clauses[] = {
{ "recursion", &cfg_type_boolean, 0 },
{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "request-nsid", &cfg_type_boolean, 0 },
{ "require-server-cookie", &cfg_type_boolean, 0 },
{ "resolver-query-timeout", &cfg_type_uint32, 0 },
{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment