If RRL is configured the "require-server-cookie yes;" is ignored.

David Beck of Men and Mice reported the following via e-mail to security-officer:

Summary

If RRL is configured the "require-server-cookie yes;" is ignored.

BIND Version used

% named -V
BIND 9.12.2 <id:3631aeb>
running on Linux x86_64 4.11.12-100.fc24.x86_64 #1 SMP Fri Jul 21 17:35:20 UTC 2017
built by make with '--sysconfdir=/etc/namedb'
compiled by GCC 8.2.0
compiled with OpenSSL version: OpenSSL 1.1.0h  27 Mar 2018
linked to OpenSSL version: OpenSSL 1.1.0h  27 Mar 2018
threads support is enabled

Steps to reproduce

1. Use this very reduced configuration:

options {
  directory "/etc/namedb"; require-server-cookie yes; rate-limit {};
};
zone "zoneXX.dnslab.org" { type master; file "zoneXX.dnslab.org"; };

Note that the empty rate-limit {} stanza with only defaults isn't the issue. I originally had responses-per-second, ipv4-prefix-length, and slip statements. I removed them one-by-one get to the core of the problem.

3. Have a valid zone file: zoneXX.dnslab.org

4. Start named

5. Query:

dig +norec @::1 zonexx.dnslab.org soa +nobadcookie

The response is NOERROR with the SOA being properly returned in the ANSWER section. This is the bug. The response code should be BADCOOKIE.

What is the expected correct behavior?

1. Remove or comment out: rate-limit {};

2. Load the new configuration.

3. Repeat the same query as above. The response will be BADCOOKIE, which is correct.

Relevant configuration files

See above.

Relevant logs and/or screenshots

Running 'named -g' I saw nothing of use in the logs.

Possible fixes

No idea.