diff --git a/bin/named/config.c b/bin/named/config.c index ad310307d3..0595268027 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -47,7 +47,7 @@ /*% default configuration */ static char defaultconf[] = "\ options {\n\ -# answer-cookie ;\n\ + answer-cookie true;\n\ automatic-interface-scan yes;\n\ bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\ # blackhole {none;};\n" diff --git a/bin/named/server.c b/bin/named/server.c index 8644581df9..20151d3563 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8791,6 +8791,11 @@ load_configuration(const char *filename, named_server_t *server, server->flushonshutdown = ISC_FALSE; } + obj = NULL; + result = named_config_get(maps, "answer-cookie", &obj); + INSIST(result == ISC_R_SUCCESS); + server->sctx->answercookie = cfg_obj_asboolean(obj); + obj = NULL; result = named_config_get(maps, "cookie-algorithm", &obj); INSIST(result == ISC_R_SUCCESS); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index cbcff2d856..4526c660a7 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1031,7 +1031,7 @@ static cfg_type_t cfg_type_fstrm_model = { */ static cfg_clausedef_t options_clauses[] = { - { "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, + { "answer-cookie", &cfg_type_boolean, 0 }, { "automatic-interface-scan", &cfg_type_boolean, 0 }, { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 }, { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 }, diff --git a/lib/ns/client.c b/lib/ns/client.c index 2dc4434c0c..48e116c433 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -1909,7 +1909,9 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { /* * If we have already seen a cookie option skip this cookie option. */ - if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) { + if ((!client->sctx->answercookie) || + (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) + { isc_buffer_forward(buf, (unsigned int)optlen); return; } 
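Review bot: Nothing in the bin/named/server.c hunk tells the operator when `answer-cookie` has been set to false, although the lib/ns/client.c hunk shows that value makes the server skip every client COOKIE option. Because that switches off a spoofing defence server-wide, consider an `isc_log_write()` call at `ISC_LOG_WARNING` right after `server->sctx->answercookie = cfg_obj_asboolean(obj);` when the value is false, so the state appears in the log on each load or reload. The `INSIST(result == ISC_R_SUCCESS)` depends on the built-in default added to `defaultconf` in bin/named/config.c in this same commit; a short comment saying so would keep the two in step. The body of load_configuration() starts and ends outside the hunk.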
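Review bot: The comment above the changed condition in process_cookie() still says only "If we have already seen a cookie option skip this cookie option", but the new test also skips the option whenever `answercookie` is false. It should read something like `/* Skip the COOKIE option if answer-cookie is disabled or one has already been seen. */`. When the early return is taken nothing later in process_cookie() runs, so presumably no want-cookie or have-cookie state is recorded for the client. That code is outside the hunk, so it is worth confirming how features that depend on a validated cookie (for example `require-server-cookie` or rate-limit handling) behave with `answer-cookie no`. The parentheses around `!client->sctx->answercookie` are redundant.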
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h index bcfb69a92c..1237d9c04c 100644 --- a/lib/ns/include/ns/server.h +++ b/lib/ns/include/ns/server.h @@ -76,6 +76,7 @@ struct ns_server { unsigned char secret[32]; ns_cookiealg_t cookiealg; ns_altsecretlist_t altsecrets; + isc_boolean_t answercookie; /*% Quotas */ isc_quota_t recursionquota; diff --git a/lib/ns/server.c b/lib/ns/server.c index 01965aef64..707d850ed2 100644 --- a/lib/ns/server.c +++ b/lib/ns/server.c @@ -103,6 +103,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview, sctx->gethostname = NULL; sctx->matchingview = matchingview; + sctx->answercookie = ISC_TRUE; ISC_LIST_INIT(sctx->altsecrets);
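Review bot: The new `answercookie` member is added to struct ns_server without a comment, alongside `secret`, `cookiealg` and `altsecrets`. Since a false value makes the server ignore client COOKIE options, a short comment such as `/* ISC_FALSE: ignore client COOKIE options (answer-cookie no) */` on that line would tell readers of the header what the flag controls. The struct definition starts and ends outside the hunk.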