mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
Merge branch '617-if-rrl-is-configured-the-require-server-cookie-yes-is-ignored' into 'master'
Resolve "If RRL is configured the "require-server-cookie yes;" is ignored." Closes #617 See merge request isc-projects/bind9!974
This commit is contained in:
Mark Andrews
3
CHANGES
3
CHANGES
@@ -1,3 +1,6 @@
|
||||
5076. [bug] "require-server-cookie" was not effective if
|
||||
"rate-limit" was configured. [GL #617]
|
||||
|
||||
5075. [bug] Refresh nameservers from cache when sending final
|
||||
query in qname minimization. [GL #16]
|
||||
|
||||
|
||||
11
bin/tests/system/cookie/ns8/example.db
Normal file
11
bin/tests/system/cookie/ns8/example.db
Normal file
@@ -0,0 +1,11 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
@ 3600 SOA . . 0 0 0 0 0
|
||||
@ 3600 NS .
|
||||
37
bin/tests/system/cookie/ns8/named.conf.in
Normal file
37
bin/tests/system/cookie/ns8/named.conf.in
Normal file
@@ -0,0 +1,37 @@
|
||||
/*
|
||||
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* See the COPYRIGHT file distributed with this work for additional
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.8;
|
||||
notify-source 10.53.0.8;
|
||||
transfer-source 10.53.0.8;
|
||||
port @PORT@;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.8; };
|
||||
listen-on-v6 { none; };
|
||||
dnssec-validation yes;
|
||||
rate-limit {};
|
||||
require-server-cookie yes;
|
||||
};
|
||||
|
||||
zone "example" {
|
||||
type master;
|
||||
file "example.db";
|
||||
};
|
||||
@@ -20,3 +20,4 @@ copy_setports ns4/named.conf.in ns4/named.conf
|
||||
copy_setports ns5/named.conf.in ns5/named.conf
|
||||
copy_setports ns6/named.conf.in ns6/named.conf
|
||||
copy_setports ns7/named.conf.in ns7/named.conf
|
||||
copy_setports ns8/named.conf.in ns8/named.conf
|
||||
|
||||
@@ -169,6 +169,17 @@ if [ $linecount != 2 ]; then ret=1; fi
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking require-server-cookie yes with rate-limit ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n
|
||||
grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
|
||||
grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
|
||||
linecount=`getcookie dig.out.test$n | wc -l`
|
||||
if [ $linecount != 2 ]; then ret=1; fi
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
#
|
||||
# Test shared cookie-secret support.
|
||||
#
|
||||
|
||||
@@ -5237,6 +5237,19 @@ ns__query_start(query_ctx_t *qctx) {
|
||||
qctx->need_wildcardproof = false;
|
||||
qctx->rpz = false;
|
||||
|
||||
/*
|
||||
* If we require a server cookie then send back BADCOOKIE
|
||||
* before we have done too much work.
|
||||
*/
|
||||
if (!TCP(qctx->client) && qctx->client->view->requireservercookie &&
|
||||
WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
|
||||
{
|
||||
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
|
||||
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
|
||||
qctx->client->message->rcode = dns_rcode_badcookie;
|
||||
return (query_done(qctx));
|
||||
}
|
||||
|
||||
if (qctx->client->view->checknames &&
|
||||
!dns_rdata_checkowner(qctx->client->query.qname,
|
||||
qctx->client->message->rdclass,
|
||||
@@ -6276,14 +6289,6 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
|
||||
return (DNS_R_DROP);
|
||||
}
|
||||
}
|
||||
} else if (!TCP(qctx->client) &&
|
||||
qctx->client->view->requireservercookie &&
|
||||
WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
|
||||
{
|
||||
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
|
||||
qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
|
||||
qctx->client->message->rcode = dns_rcode_badcookie;
|
||||
return (DNS_R_DROP);
|
||||
}
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -824,6 +824,8 @@
|
||||
./bin/tests/system/cookie/ns6/root.hint ZONE 2017,2018
|
||||
./bin/tests/system/cookie/ns7/named.conf.in CONF-C 2018
|
||||
./bin/tests/system/cookie/ns7/root.db ZONE 2018
|
||||
./bin/tests/system/cookie/ns8/example.db ZONE 2018
|
||||
./bin/tests/system/cookie/ns8/named.conf.in CONF-C 2018
|
||||
./bin/tests/system/cookie/setup.sh SH 2018
|
||||
./bin/tests/system/cookie/tests.sh SH 2014,2015,2016,2017,2018
|
||||
./bin/tests/system/coverage/01-ksk-inactive/README X 2013,2018
|
||||
|
||||
Reference in New Issue
Block a user