If RRL is configured the "require-server-cookie yes;" is ignored.
David Beck of Men and Mice reported the following via e-mail to security-officer:
Summary
If RRL is configured the "require-server-cookie yes;" is ignored.
BIND Version used
% named -V
BIND 9.12.2 <id:3631aeb>
running on Linux x86_64 4.11.12-100.fc24.x86_64 #1 SMP Fri Jul 21 17:35:20 UTC 2017
built by make with '--sysconfdir=/etc/namedb'
compiled by GCC 8.2.0
compiled with OpenSSL version: OpenSSL 1.1.0h 27 Mar 2018
linked to OpenSSL version: OpenSSL 1.1.0h 27 Mar 2018
threads support is enabledSteps to reproduce
- Use this very reduced configuration:
options {
directory "/etc/namedb"; require-server-cookie yes; rate-limit {};
};
zone "zoneXX.dnslab.org" { type master; file "zoneXX.dnslab.org"; };Note that the empty rate-limit {} stanza with only defaults isn't the issue. I originally had responses-per-second, ipv4-prefix-length, and slip statements. I removed them one-by-one get to the core of the problem.
-
Have a valid zone file: zoneXX.dnslab.org
-
Start named
-
Query:
dig +norec @::1 zonexx.dnslab.org soa +nobadcookieThe response is NOERROR with the SOA being properly returned in the ANSWER section. This is the bug. The response code should be BADCOOKIE.
What is the expected correct behavior?
-
Remove or comment out: rate-limit {};
-
Load the new configuration.
-
Repeat the same query as above. The response will be BADCOOKIE, which is correct.
Relevant configuration files
See above.
Relevant logs and/or screenshots
Running 'named -g' I saw nothing of use in the logs.
Possible fixes
No idea.