Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • BIND BIND
  • Project information
    • Project information
    • Activity
    • Labels
    • Planning hierarchy
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 530
    • Issues 530
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 98
    • Merge requests 98
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • ISC Open Source Projects
  • BINDBIND
  • Issues
  • #260

Closed
Open
Created May 15, 2018 by Ghost User@ghost

Queries with empty question section (and otherwise query message of undetermined RDCLASS) return NOERROR instead of FORMERR [ISC-support #12856]

Per customer, it looks like the corresponding RFC 7873 (cookie) handling code is broken for this case.

The same code seems to exist in both v9_11_sub and master branches.

As of 9.11.3-S1, 'named' returns a noerror response to a query without
an empty question section (and no EDNS for that matter).  Previously
it returned FORMERR in this case.  Is that intentional?

This is because of the following code in client.c:client_request():
               
                if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0 ||
                    (client->message->opcode == dns_opcode_query &&
                     client->message->counts[DNS_SECTION_QUESTION] == 0U)) {
                        result = dns_message_reply(client->message, ISC_TRUE);
                        if (result != ISC_R_SUCCESS) {
                                ns_client_error(client, result);
                                return;
                        }                                                                                                                                      
                        if (notimp)
                                client->message->rcode = dns_rcode_notimp;
                        ns_client_send(client);
                        return;
                }                                                                                                                                              

which in the public repo version was introduced at commit ce67023ae:

4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  [...]

RFC7873 certainly talks about a special case of an empty query, but it
adds a condition of the existence of the cookie option:

   For servers with DNS Cookies enabled, the QUERY opcode behavior is
   extended to support queries with an empty Question Section (a QDCOUNT
   of zero (0)), provided that an OPT record is present with a COOKIE
   option.

So the above code doesn't seem to be fully compliant with the RFC.  Is
there other reason for this behavior, or perhaps the first '||'
should have been '&&'?

See: https://support.isc.org/Ticket/Display.html?id=12856 for the details.

Edited May 22, 2018 by Brian Conry
Assignee
Assign to
Time tracking