Commit dd2b1003 authored by Mark Andrews

Add server clause require-cookie

Specifies whether a UDP response from the given server must carry a DNS COOKIE.
If the cookie is missing and the response is not TSIG signed, the query is retried over TCP.
parent 3d7a0e7a
5537. [func] You can now specify if a server must return a DNS
COOKIE before accepting the response. [GL #2295]
server <prefix> { require-cookie <yes_or_no>; };
5539. [bug] Tighten handling of missing DNS COOKIE responses over
UDP by falling back to TCP. [GL #2275]
 
......
......@@ -486,6 +486,7 @@ SERVER
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
require-cookie boolean;
send-cookie boolean;
tcp-keepalive boolean;
tcp-only boolean;
......@@ -781,6 +782,7 @@ VIEW
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
require-cookie boolean;
send-cookie boolean;
tcp-keepalive boolean;
tcp-only boolean;
......
......@@ -1473,6 +1473,12 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
CHECK(dns_peer_setsendcookie(peer, cfg_obj_asboolean(obj)));
}
obj = NULL;
(void)cfg_map_get(cpeer, "require-cookie", &obj);
if (obj != NULL) {
CHECK(dns_peer_setrequirecookie(peer, cfg_obj_asboolean(obj)));
}
obj = NULL;
(void)cfg_map_get(cpeer, "edns", &obj);
if (obj != NULL) {
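Review bot: Nothing in this commit rejects or warns about `require-cookie yes;` combined with `send-cookie no;` in the same server clause, even though a cookie can only be echoed back if one was sent (send-cookie is configured just above, at the `dns_peer_setsendcookie` call). With that combination every UDP response from the prefix would be retried over TCP, which is a silent performance foot-gun rather than a security gain; I don't see a corresponding change to the configuration checker in this commit, so this is inferred, but a named-checkconf warning when require-cookie is yes and send-cookie is explicitly no seems worth adding, or at minimum a sentence in the `server` documentation saying that require-cookie presumes send-cookie. The `CHECK()` here will also treat `ISC_R_EXISTS` from `dns_peer_setrequirecookie` as a failure, same as the sibling clauses, which is fine as long as the grammar continues to reject duplicate clauses. configure_peer starts and ends outside this hunk.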
......
......@@ -4528,6 +4528,10 @@ The ``request-nsid`` clause determines whether the local server adds
an NSID EDNS option to requests sent to the server. This overrides
``request-nsid`` set at the view or option level.
The ``require-cookie`` clause determines if the server accepts a UDP
response without a DNS COOKIE. If an DNS COOKIE is missing from the
response the server will retry the request over TCP.
The ``send-cookie`` clause determines whether the local server adds
a COOKIE EDNS option to requests sent to the server. This overrides
``send-cookie`` set at the view or option level. The ``named`` server
......
......@@ -444,6 +444,7 @@ server <netprefix> {
request-ixfr <boolean>;
request-nsid <boolean>;
request-sit <boolean>; // obsolete
require-cookie <boolean>;
send-cookie <boolean>;
support-ixfr <boolean>; // obsolete
tcp-keepalive <boolean>;
......@@ -741,6 +742,7 @@ view <string> [ <class> ] {
request-ixfr <boolean>;
request-nsid <boolean>;
request-sit <boolean>; // obsolete
require-cookie <boolean>;
send-cookie <boolean>;
support-ixfr <boolean>; // obsolete
tcp-keepalive <boolean>;
......
......@@ -399,6 +399,7 @@ server <netprefix> {
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
require-cookie <boolean>;
send-cookie <boolean>;
tcp-keepalive <boolean>;
tcp-only <boolean>;
......@@ -670,6 +671,7 @@ view <string> [ <class> ] {
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
require-cookie <boolean>;
send-cookie <boolean>;
tcp-keepalive <boolean>;
tcp-only <boolean>;
......
......@@ -22,6 +22,7 @@
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
require-cookie <boolean>;
send-cookie <boolean>;
tcp-keepalive <boolean>;
tcp-only <boolean>;
......
......@@ -29,6 +29,12 @@ New Features
IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
Service). [GL #1154]
- A new configuration option ``require-cookie`` has been introduced, it
specifies if there should be a DNS COOKIE in the response for a given
prefix and if not named falls back to TCP. This is useful if you know
a given server support DNS COOKIE. It can also be used to force all
non DNS COOKIE responses to fall back to TCP. [GL #2295]
Removed Features
~~~~~~~~~~~~~~~~
......
......@@ -117,6 +117,12 @@ dns_peer_setsendcookie(dns_peer_t *peer, bool newval);
isc_result_t
dns_peer_getsendcookie(dns_peer_t *peer, bool *retval);
isc_result_t
dns_peer_setrequirecookie(dns_peer_t *peer, bool newval);
isc_result_t
dns_peer_getrequirecookie(dns_peer_t *peer, bool *retval);
isc_result_t
dns_peer_setrequestexpire(dns_peer_t *peer, bool newval);
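Review bot: The two new prototypes are undocumented, and their return contract is not obvious from the names: the peer.c side of this commit returns `ISC_R_EXISTS` from `dns_peer_setrequirecookie` when the value had already been set, and `ISC_R_NOTFOUND` from `dns_peer_getrequirecookie` when it never was, which is exactly what the resolver relies on to decide whether the clause applies. I would add a short `/*% ... */` block above `dns_peer_setrequirecookie` stating that the flag means UDP responses from this peer must carry a DNS COOKIE or the query is retried over TCP, that the setter reports `ISC_R_EXISTS` on a second call, and that the getter reports `ISC_R_NOTFOUND` when the peer has no explicit setting. The surrounding declarations follow the same undocumented pattern, so this is a point of consistency with how the new option is described elsewhere in the commit rather than a defect in the code.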
......
......@@ -54,6 +54,7 @@ struct dns_peer {
bool support_edns;
bool request_nsid;
bool send_cookie;
bool require_cookie;
bool request_expire;
bool force_tcp;
bool tcp_keepalive;
......@@ -96,6 +97,7 @@ struct dns_peer {
#define FORCE_TCP_BIT 15
#define SERVER_PADDING_BIT 16
#define REQUEST_TCP_KEEPALIVE_BIT 17
#define REQUIRE_COOKIE_BIT 18
static void
peerlist_delete(dns_peerlist_t **list);
......@@ -509,6 +511,33 @@ dns_peer_getsendcookie(dns_peer_t *peer, bool *retval) {
}
}
isc_result_t
dns_peer_setrequirecookie(dns_peer_t *peer, bool newval) {
bool existed;
REQUIRE(DNS_PEER_VALID(peer));
existed = DNS_BIT_CHECK(REQUIRE_COOKIE_BIT, &peer->bitflags);
peer->require_cookie = newval;
DNS_BIT_SET(REQUIRE_COOKIE_BIT, &peer->bitflags);
return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
}
isc_result_t
dns_peer_getrequirecookie(dns_peer_t *peer, bool *retval) {
REQUIRE(DNS_PEER_VALID(peer));
REQUIRE(retval != NULL);
if (DNS_BIT_CHECK(REQUIRE_COOKIE_BIT, &peer->bitflags)) {
*retval = peer->require_cookie;
return (ISC_R_SUCCESS);
} else {
return (ISC_R_NOTFOUND);
}
}
isc_result_t
dns_peer_setrequestexpire(dns_peer_t *peer, bool newval) {
bool existed;
......
......@@ -7681,6 +7681,35 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
rctx.resend = true;
rctx_done(&rctx, result);
return;
} else if (fctx->res->view->peers != NULL) {
dns_peer_t *peer = NULL;
isc_netaddr_t netaddr;
isc_netaddr_fromsockaddr(&netaddr,
&query->addrinfo->sockaddr);
result = dns_peerlist_peerbyaddr(fctx->res->view->peers,
&netaddr, &peer);
if (result == ISC_R_SUCCESS) {
bool required = false;
result = dns_peer_getrequirecookie(peer,
&required);
if (result == ISC_R_SUCCESS && required) {
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(
&query->addrinfo->sockaddr,
addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_RESOLVER,
ISC_LOG_INFO,
"missing required cookie "
"from %s",
addrbuf);
rctx.retryopts |= DNS_FETCHOPT_TCP;
rctx.resend = true;
rctx_done(&rctx, result);
return;
}
}
}
/*
* XXXMPA When support for DNS COOKIE becomes ubiquitous, fall
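Review bot: The new `else if` branch retries over TCP whenever a require-cookie peer returned no cookie, but nothing inside the hunk checks that the response arrived over UDP or that it is unsigned, both of which the commit message promises ("Fallback to TCP if not present and not TSIG signed"). If those conditions are not already part of the enclosing `if` whose start is above this hunk, a peer that never returns cookies at all (over TCP either) would be retried over TCP on every response, and a TSIG-signed cookie-less reply would be rejected needlessly; the cheap guard, assuming the query option field has its usual name, is `} else if ((query->options & DNS_FETCHOPT_TCP) == 0 && fctx->res->view->peers != NULL) {` plus a TSIG test on the response message. Separately, the `ISC_LOG_INFO` write fires once per cookie-less response, which is precisely the case an on-path spoofer triggers on purpose, so consider rate-limiting it or dropping it to a debug level once the peer is known to lack cookie support. `result` from `dns_peer_getrequirecookie` (which is `ISC_R_SUCCESS` on this path) is what gets passed to `rctx_done`; worth confirming that is the value the resend path expects. resquery_response starts and ends outside this hunk.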
......
......@@ -704,6 +704,7 @@ dns_peer_getquerysource
dns_peer_getrequestexpire
dns_peer_getrequestixfr
dns_peer_getrequestnsid
dns_peer_getrequirecookie
dns_peer_getsendcookie
dns_peer_getsupportedns
dns_peer_gettcpkeepalive
......@@ -729,6 +730,7 @@ dns_peer_setquerysource
dns_peer_setrequestexpire
dns_peer_setrequestixfr
dns_peer_setrequestnsid
dns_peer_setrequirecookie
dns_peer_setsendcookie
dns_peer_setsupportedns
dns_peer_settcpkeepalive
......
......@@ -2458,6 +2458,7 @@ static cfg_clausedef_t server_clauses[] = {
{ "request-ixfr", &cfg_type_boolean, 0 },
{ "request-nsid", &cfg_type_boolean, 0 },
{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "require-cookie", &cfg_type_boolean, 0 },
{ "send-cookie", &cfg_type_boolean, 0 },
{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "tcp-keepalive", &cfg_type_boolean, 0 },
......