Commit c631ff56 authored by Mark Andrews's avatar Mark Andrews
Browse files

Updated CHANGES note to include require-server-cookie:

4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
                        cookie-secret, cookie-algorithm, nocookie-udp-size
                        and require-server-cookie.  The following dig options
                        are available: +[no]cookie[=value] and +[no]badcookie.
                        [RT #39928]
parent 7c0f238c
......@@ -73,9 +73,10 @@
4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
cookie-secret, cookie-algorithm, nocookie-udp-size
and require-server-cookie. The following dig options
are available: +[no]cookie[=value] and +[no]badcookie.
[RT #39928]
4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
......
......@@ -183,6 +183,7 @@ options {\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
fetches-per-server 0;\n\
require-server-cookie no;\n\
"
#ifdef HAVE_GEOIP
"\
......
......@@ -300,9 +300,9 @@ options {
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
clients { <replacable>acl</replacable>; };
exclude { <replacable>acl</replacable>; };
mapped { <replacable>acl</replacable>; };
clients { <replaceable>acl</replaceable>; };
exclude { <replaceable>acl</replaceable>; };
mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
......@@ -378,6 +378,13 @@ options {
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
cookie-algorithm ( <replaceable>aes</replaceable> | <replaceable>sha1</replaceable> | <replaceable>sha256</replaceable> );
cookie-secret <replaceable>string</replaceable>;
require-server-cookie <replaceable>boolean</replaceable>;
send-cookie <replaceable>boolean</replaceable>;
nocookie-udp-size <replaceable>integer</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
......@@ -489,9 +496,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
clients { <replacable>acl</replacable>; };
exclude { <replacable>acl</replacable>; };
mapped { <replacable>acl</replacable>; };
clients { <replaceable>acl</replaceable>; };
exclude { <replaceable>acl</replaceable>; };
mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
......@@ -561,6 +568,10 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
require-server-cookie <replaceable>boolean</replaceable>;
send-cookie <replaceable>boolean</replaceable>;
nocookie-udp-size <replaceable>integer</replaceable>;
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
......
......@@ -6973,7 +6973,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
}
}
} else if (!TCP(client) && WANTCOOKIE(client) && !HAVECOOKIE(client)) {
} else if (!TCP(client) && client->view->requireservercookie &&
WANTCOOKIE(client) && !HAVECOOKIE(client)) {
client->message->rcode = dns_rcode_badcookie;
goto cleanup;
}
......
......@@ -3531,6 +3531,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
view->sendcookie = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "require-server-cookie", &obj);
INSIST(result == ISC_R_SUCCESS);
view->requireservercookie = cfg_obj_asboolean(obj);
obj = NULL;
result = ns_config_get(maps, "max-clients-per-query", &obj);
INSIST(result == ISC_R_SUCCESS);
......
/*
* Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.3 dscp 1;
notify-source 10.53.0.3 dscp 2;
transfer-source 10.53.0.3 dscp 3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }
except-from { "goodcname.example.net";
"gooddname.example.net"; };
allow-query {!10.53.0.8; any; };
send-cookie yes;
nocookie-udp-size 512;
require-server-cookie yes;
};
zone "." {
type hint;
file "root.hint";
};
zone "example" {
type master;
file "example.db";
};
; Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.hint,v 1.7 2007/06/19 23:47:05 tbox Exp $
$TTL 999999
. IN NS a.root-servers.nil.
a.root-servers.nil. IN A 10.53.0.2
......@@ -113,5 +113,26 @@ grep "10.53.0.2.*\[cookie=" ns1/named_dump.db > /dev/null|| ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking require-server-cookie default (no) ($n)"
ret=0
$DIG +qr +cookie +nobadcookie soa @10.53.0.1 -p 5300 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking require-server-cookie yes ($n)"
ret=0
$DIG +qr +cookie +nobadcookie soa @10.53.0.3 -p 5300 > dig.out.test$n
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
linecount=`getcookie dig.out.test$n | wc -l`
if [ $linecount != 2 ]; then ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
......@@ -4807,6 +4807,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
<optional> send-cookie <replaceable>yes_or_no</replaceable>; </optional>
<optional> require-server-cookie <replaceable>yes_or_no</replaceable>; </optional>
<optional> cookie-algorithm <replaceable>secret_string</replaceable>; </optional>
<optional> cookie-secret <replaceable>secret_string</replaceable>; </optional>
<optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
......@@ -6470,6 +6471,16 @@ options {
</para>
</varlistentry>
 
<varlistentry>
<term><command>require-server-cookie</command></term>
<para>
Require a valid server cookie before sending a full
response to a UDP request from a cookie aware client.
BADCOOKIE is sent if there is a bad or no existent
server cookie.
</para>
</varlistentry>
<varlistentry>
<term><command>send-cookie</command></term>
<listitem>
......
......@@ -50,7 +50,7 @@
when parsing certain malformed DNSSEC keys.
</para>
<para>
This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
This flaw was discovered by Hanno B&#x96;ck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</para>
</listitem>
......@@ -564,21 +564,23 @@
<listitem>
<para>
The experimental SIT option (code point 65001) of BIND
9.10.0 through BIND 9.10.2 has be replace the COOKIE
option (code point 10) and is no longer experimental and
is sent by default.
9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
option (code point 10). It is no longer experimental, and
is sent by default, by both <command>named</command> and
<command>dig</command>.
</para>
<para>
The SIT related named.conf options have been marked as
obsolete and are otherwise ignored.
The SIT-related named.conf options have been marked as
obsolete, and are otherwise ignored.
</para>
</listitem>
<listitem>
<para>
When retrying a query via TCP due to the first answer
being truncated, <command>dig</command> will now correctly
send the Server COOKIE returned by the server in the prior
response. [RT #39047]
When <command>dig</command> receives a truncated (TC=1)
response or a BADCOOKIE response code from a server, it
will automatically retry the query using the server COOKIE
that was returned by the server in its initial response.
[RT #39047]
</para>
</listitem>
<listitem>
......
......@@ -127,6 +127,7 @@ struct dns_view {
isc_boolean_t enablednssec;
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
isc_boolean_t requireservercookie;
dns_transfer_format_t transfer_format;
dns_acl_t * cacheacl;
dns_acl_t * cacheonacl;
......
......@@ -234,6 +234,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_fixedname_init(&view->redirectfixed);
view->requestnsid = ISC_FALSE;
view->sendcookie = ISC_TRUE;
view->requireservercookie = ISC_FALSE;
view->new_zone_file = NULL;
view->new_zone_config = NULL;
view->cfg_destroy = NULL;
......
......@@ -1602,6 +1602,7 @@ view_clauses[] = {
{ "recursion", &cfg_type_boolean, 0 },
{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "request-nsid", &cfg_type_boolean, 0 },
{ "require-server-cookie", &cfg_type_boolean, 0 },
{ "resolver-query-timeout", &cfg_type_uint32, 0 },
{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment