ISC Open Source Projects / BIND / Issues / #617

Status: Closed

Created Oct 23, 2018 by Michael McNally (@McNally)

If RRL is configured the "require-server-cookie yes;" is ignored.

David Beck of Men and Mice reported the following via e-mail to security-officer:

Summary

If RRL is configured the "require-server-cookie yes;" is ignored.

BIND Version used

% named -V
BIND 9.12.2 <id:3631aeb>
running on Linux x86_64 4.11.12-100.fc24.x86_64 #1 SMP Fri Jul 21 17:35:20 UTC 2017
built by make with '--sysconfdir=/etc/namedb'
compiled by GCC 8.2.0
compiled with OpenSSL version: OpenSSL 1.1.0h  27 Mar 2018
linked to OpenSSL version: OpenSSL 1.1.0h  27 Mar 2018
threads support is enabled

Steps to reproduce

  1. Use this very reduced configuration:

options {
  directory "/etc/namedb";
  require-server-cookie yes;
  rate-limit {};
};
zone "zoneXX.dnslab.org" { type master; file "zoneXX.dnslab.org"; };

Note that the empty rate-limit {} stanza with only defaults isn't the issue. I originally had responses-per-second, ipv4-prefix-length, and slip statements. I removed them one by one to get to the core of the problem.

  2. Have a valid zone file: zoneXX.dnslab.org

  3. Start named

  4. Query:

dig +norec @::1 zonexx.dnslab.org soa +nobadcookie

The response is NOERROR with the SOA being properly returned in the ANSWER section. This is the bug. The response code should be BADCOOKIE.

What is the expected correct behavior?

  1. Remove or comment out: rate-limit {};

  2. Load the new configuration.

  3. Repeat the same query as above. The response will be BADCOOKIE, which is correct.

Relevant configuration files

See above.

Relevant logs and/or screenshots

Running 'named -g' I saw nothing of use in the logs.

Possible fixes

No idea.
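Added example, not from the issue or from BIND itself: a POSIX shell probe that sends the same cookie-less query the report uses and classifies the dig output, so an operator can check whether a server actually enforces "require-server-cookie yes;". The server address ::1 and the zone name are assumptions taken from the report, and the sample dig header lines are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the issue). Probe whether a BIND server enforces
# "require-server-cookie yes;" by sending a non-recursive query without a valid
# server cookie; "+nobadcookie" makes dig show the raw BADCOOKIE status instead
# of retrying with the returned cookie. Server and zone defaults are assumptions
# taken from the report.

# Classify dig output read from stdin:
#   ENFORCED : status BADCOOKIE          (the expected behaviour)
#   BYPASSED : NOERROR with ANSWER data  (the behaviour this issue reports)
#   UNKNOWN  : anything else (timeout, SERVFAIL, no header line, ...)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  case "$status" in
    BADCOOKIE) echo ENFORCED ;;
    NOERROR)
      if [ "${answers:-0}" -gt 0 ]; then echo BYPASSED; else echo UNKNOWN; fi ;;
    *) echo UNKNOWN ;;
  esac
}

# Live probe against a running named (needs dig on the PATH). Defaults to the
# loopback address and zone used in the report.
probe_server() {
  server=${1:-::1}
  zone=${2:-zonexx.dnslab.org}
  dig +norec +nobadcookie "@$server" "$zone" soa 2>/dev/null | classify_dig_output
}

# Constructed sample header lines (not real captures) for the two outcomes
# described in the issue.
SAMPLE_BYPASSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_ENFORCED=';; ->>HEADER<<- opcode: QUERY, status: BADCOOKIE, id: 12346
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `probe_server ::1 zonexx.dnslab.org` with and without the rate-limit stanza loaded; a BYPASSED verdict reproduces what the report describes.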
