mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
new: dev: Implement -T cookiealwaysvalid
When `-T cookiealwaysvalid` is passed to `named`, DNS cookie checks for the incoming queries always pass, given they are structurally correct. Merge branch 'aram/new-named-minus-T-option-of-cookiealwaysvalid' into 'main' See merge request isc-projects/bind9!10232
This commit is contained in:
Arаm Sаrgsyаn
@@ -129,6 +129,7 @@ static int maxudp = 0;
|
|||||||
/*
|
/*
|
||||||
* -T options:
|
* -T options:
|
||||||
*/
|
*/
|
||||||
|
static bool cookiealwaysvalid = false;
|
||||||
static bool dropedns = false;
|
static bool dropedns = false;
|
||||||
static bool ednsformerr = false;
|
static bool ednsformerr = false;
|
||||||
static bool ednsnotimp = false;
|
static bool ednsnotimp = false;
|
||||||
@@ -652,7 +653,9 @@ parse_T_opt(char *option) {
|
|||||||
* force the server to behave (or misbehave) in
|
* force the server to behave (or misbehave) in
|
||||||
* specified ways for testing purposes.
|
* specified ways for testing purposes.
|
||||||
*/
|
*/
|
||||||
if (!strcmp(option, "dropedns")) {
|
if (!strcmp(option, "cookiealwaysvalid")) {
|
||||||
|
cookiealwaysvalid = true;
|
||||||
|
} else if (!strcmp(option, "dropedns")) {
|
||||||
dropedns = true;
|
dropedns = true;
|
||||||
} else if (!strcmp(option, "ednsformerr")) {
|
} else if (!strcmp(option, "ednsformerr")) {
|
||||||
ednsformerr = true;
|
ednsformerr = true;
|
||||||
@@ -1220,6 +1223,9 @@ setup(void) {
|
|||||||
/*
|
/*
|
||||||
* Modify server context according to command line options
|
* Modify server context according to command line options
|
||||||
*/
|
*/
|
||||||
|
if (cookiealwaysvalid) {
|
||||||
|
ns_server_setoption(sctx, NS_SERVER_COOKIEALWAYSVALID, true);
|
||||||
|
}
|
||||||
if (disable4) {
|
if (disable4) {
|
||||||
ns_server_setoption(sctx, NS_SERVER_DISABLE4, true);
|
ns_server_setoption(sctx, NS_SERVER_DISABLE4, true);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -361,6 +361,23 @@ grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
|
|||||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
status=$((status + ret))
|
status=$((status + ret))
|
||||||
|
|
||||||
|
n=$((n + 1))
|
||||||
|
echo_i "Restart NS4 with -T cookiealwaysvalid ($n)"
|
||||||
|
stop_server ns4
|
||||||
|
touch ns4/named.cookiealwaysvalid
|
||||||
|
start_server --noclean --restart --port ${PORT} ns4 || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status + ret))
|
||||||
|
|
||||||
|
n=$((n + 1))
|
||||||
|
echo_i "test NS6 cookie on NS4 with -T cookiealwaysvalid (expect success) ($n)"
|
||||||
|
ret=0
|
||||||
|
$DIG $DIGOPTS +cookie=$ns6cookie -b 10.53.0.4 +nobadcookie soa . @10.53.0.4 >dig.out.test$n || ret=1
|
||||||
|
grep "; COOKIE:.*(good)" dig.out.test$n >/dev/null || ret=1
|
||||||
|
grep "status: NOERROR," dig.out.test$n >/dev/null || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=$((status + ret))
|
||||||
|
|
||||||
n=$((n + 1))
|
n=$((n + 1))
|
||||||
echo_i "check that test server is correctly configured ($n)"
|
echo_i "check that test server is correctly configured ($n)"
|
||||||
ret=0
|
ret=0
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ pytestmark = pytest.mark.extra_artifacts(
|
|||||||
"ans*/ans.run",
|
"ans*/ans.run",
|
||||||
"ans*/query.log",
|
"ans*/query.log",
|
||||||
"ns1/named_dump.db*",
|
"ns1/named_dump.db*",
|
||||||
|
"ns4/named.cookiealwaysvalid",
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
@@ -264,7 +264,8 @@ sub construct_ns_command {
|
|||||||
|
|
||||||
foreach my $t_option(
|
foreach my $t_option(
|
||||||
"dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
|
"dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
|
||||||
"noaa", "noedns", "nosoa", "maxudp512", "maxudp1460",
|
"cookiealwaysvalid", "noaa", "noedns", "nosoa",
|
||||||
|
"maxudp512", "maxudp1460",
|
||||||
) {
|
) {
|
||||||
if (-e "$testdir/$server/named.$t_option") {
|
if (-e "$testdir/$server/named.$t_option") {
|
||||||
$command .= "-T $t_option "
|
$command .= "-T $t_option "
|
||||||
|
|||||||
@@ -1290,6 +1290,7 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
|
|||||||
isc_stdtime_t now;
|
isc_stdtime_t now;
|
||||||
uint32_t when;
|
uint32_t when;
|
||||||
isc_buffer_t db;
|
isc_buffer_t db;
|
||||||
|
bool alwaysvalid;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If we have already seen a cookie option skip this cookie option.
|
* If we have already seen a cookie option skip this cookie option.
|
||||||
@@ -1335,11 +1336,22 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
|
|||||||
when = isc_buffer_getuint32(buf);
|
when = isc_buffer_getuint32(buf);
|
||||||
isc_buffer_forward(buf, 8);
|
isc_buffer_forward(buf, 8);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For '-T cookiealwaysvalid' still process everything to not skew any
|
||||||
|
* performance tests involving cookies, but make sure that the cookie
|
||||||
|
* check passes in the end, given the cookie was structurally correct.
|
||||||
|
*/
|
||||||
|
alwaysvalid = ns_server_getoption(client->manager->sctx,
|
||||||
|
NS_SERVER_COOKIEALWAYSVALID);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allow for a 5 minute clock skew between servers sharing a secret.
|
* Allow for a 5 minute clock skew between servers sharing a secret.
|
||||||
* Only accept COOKIE if we have talked to the client in the last hour.
|
* Only accept COOKIE if we have talked to the client in the last hour.
|
||||||
*/
|
*/
|
||||||
now = isc_stdtime_now();
|
now = isc_stdtime_now();
|
||||||
|
if (alwaysvalid) {
|
||||||
|
now = when;
|
||||||
|
}
|
||||||
if (isc_serial_gt(when, (now + 300)) /* In the future. */ ||
|
if (isc_serial_gt(when, (now + 300)) /* In the future. */ ||
|
||||||
isc_serial_lt(when, (now - 3600)) /* In the past. */)
|
isc_serial_lt(when, (now - 3600)) /* In the past. */)
|
||||||
{
|
{
|
||||||
@@ -1352,7 +1364,7 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
|
|||||||
isc_buffer_init(&db, dbuf, sizeof(dbuf));
|
isc_buffer_init(&db, dbuf, sizeof(dbuf));
|
||||||
compute_cookie(client, when, client->manager->sctx->secret, &db);
|
compute_cookie(client, when, client->manager->sctx->secret, &db);
|
||||||
|
|
||||||
if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
|
if (isc_safe_memequal(old, dbuf, COOKIE_SIZE) || alwaysvalid) {
|
||||||
ns_stats_increment(client->manager->sctx->nsstats,
|
ns_stats_increment(client->manager->sctx->nsstats,
|
||||||
ns_statscounter_cookiematch);
|
ns_statscounter_cookiematch);
|
||||||
client->attributes |= NS_CLIENTATTR_HAVECOOKIE;
|
client->attributes |= NS_CLIENTATTR_HAVECOOKIE;
|
||||||
|
|||||||
@@ -50,6 +50,7 @@
|
|||||||
#define NS_SERVER_TRANSFERSLOWLY 0x00010000U /*%< -T transferslowly */
|
#define NS_SERVER_TRANSFERSLOWLY 0x00010000U /*%< -T transferslowly */
|
||||||
#define NS_SERVER_TRANSFERSTUCK 0x00020000U /*%< -T transferstuck */
|
#define NS_SERVER_TRANSFERSTUCK 0x00020000U /*%< -T transferstuck */
|
||||||
#define NS_SERVER_LOGRESPONSES 0x00040000U /*%< log responses */
|
#define NS_SERVER_LOGRESPONSES 0x00040000U /*%< log responses */
|
||||||
|
#define NS_SERVER_COOKIEALWAYSVALID 0x00080000U /*%< -T cookiealwaysvalid */
|
||||||
|
|
||||||
/*%
|
/*%
|
||||||
* Type for callback function to get hostname.
|
* Type for callback function to get hostname.
|
||||||
|
|||||||
Reference in New Issue
Block a user