Add setting, remove debug lines
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 19 Feb 2025 08:55:48 +0000 (09:55 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Thu, 4 Sep 2025 09:05:16 +0000 (11:05 +0200)
pdns/recursordist/lwres.cc
pdns/recursordist/lwres.hh
pdns/recursordist/rec-main.cc
pdns/recursordist/rec-rust-lib/table.py
pdns/recursordist/syncres.cc

index 2620709c38fdca86c76f824c5c972ed63de9d906..62750e766176cf50bc2b4ef0f3c138ddf562eccd 100644 (file)
 #include "rec-tcpout.hh"
 #include "rec-cookiestore.hh"
 
-static bool g_cookies = true;
+static bool g_cookies = false;
+
+void setAuthCookies(bool flag)
+{
+  g_cookies = flag;
+}
 
 thread_local TCPOutConnectionManager t_tcp_manager;
 std::shared_ptr<Logr::Logger> g_slogout;
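Review bot: `setAuthCookies` in this hunk (and its declaration in the lwres.hh hunk) lands without a comment stating when it may be called, yet `g_cookies` is a plain non-atomic `static bool` and the setter is only safe if it runs before any thread that reads the flag exists. The call site added in rec-main.cc sits in `serviceMain`, which looks like startup, but nothing records that contract for the next person who wants to toggle cookies at runtime. Suggest `/// Enables DNS cookies on outgoing queries. Call once during startup, before worker threads exist: g_cookies is an unsynchronized global, presumably read by the query path in this file.` above the definition, with a one-line mirror on the header declaration.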
index 9f3e1ce91e2e0cab602c63632dcc09a93dbe3310..d091e4c3094c24b8514d908f6a160cb2793cccd6 100644 (file)
@@ -101,3 +101,4 @@ LWResult::Result arecvfrom(PacketBuffer& packet, int flags, const ComboAddress&
 LWResult::Result asyncresolve(const ComboAddress& address, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, const ResolveContext& context, const std::shared_ptr<std::vector<std::unique_ptr<RemoteLogger>>>& outgoingLoggers, const std::shared_ptr<std::vector<std::unique_ptr<FrameStreamLogger>>>& fstrmLoggers, const std::set<uint16_t>& exportTypes, LWResult* lwr, bool* chained);
 uint64_t dumpCookies(int fileDesc);
 void pruneCookies(time_t cutoff);
+void setAuthCookies(bool flag);
index e8ecd425d80526bb2495015edb6ab1afcaffb82a..9a0645d3c42b087f3d134348f3a2fd9059ddb51c 100644 (file)
@@ -2203,6 +2203,8 @@ static int serviceMain(Logr::log_t log)
   g_paddingOutgoing = ::arg().mustDo("edns-padding-out");
   g_ECSHardening = ::arg().mustDo("edns-subnet-harden");
 
+  setAuthCookies(::arg().mustDo("outgoing-cookies"));
+
   RecThreadInfo::setNumDistributorThreads(::arg().asNum("distributor-threads"));
   RecThreadInfo::setNumUDPWorkerThreads(::arg().asNum("threads"));
   if (RecThreadInfo::numUDPWorkers() < 1) {
index 2b82b1d594b7b1d90cad8115021aa1ad1cd62872..5beed59d8aa27b519a25880da215e0dd83534a4d 100644 (file)
@@ -3618,4 +3618,16 @@ Sequence of ForwardingCatalogZone. This setting cannot be combined with :ref:`se
         'versionadded': '5.2.0',
         'runtime': ['reload-lua-config', 'reload-yaml'],
     },
+    {
+        'name' : 'cookies',
+        'section' : 'outgoing',
+        'oldname': 'outgoing-cookies',
+        'type': LType.Bool,
+        'default': 'false',
+        'help': 'Enable DNS cookies when contacting authoritative servers or forwarders',
+        'doc': '''
+Enable DNS cookies (:rfc:`7873`, :rfc:`9018`) when contacting authoritative servers or forwarders.
+''',
+        'versionadded': '5.3.0',
+    },
 ]
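Review bot: The `doc` text for the new `cookies` entry says what the setting enables but not what an operator observes when a cookie check fails, which is the behaviour the syncres.cc hunks in this commit touch: a `BadCookie` result is treated as spoofed and the query is retried over TCP. Suggest extending the docstring with a sentence such as `A response carrying a bad cookie is treated as spoofed and the query is retried over TCP.` so retry patterns seen in the wild can be related to this setting. The entry also carries no `'runtime'` key while the neighbouring entry does; if the generator treats a missing key as "not changeable at runtime" that is probably intended, since the flag is applied once in `serviceMain`, but it is worth confirming against the generator.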
index 8fafdba645062b238b29718db6a86b5901ad39e3..f18546176ddaf69507ce4c0d71c2e53186702eb5 100644 (file)
@@ -1518,7 +1518,6 @@ LWResult::Result SyncRes::asyncresolveWrapper(const ComboAddress& address, bool
 
       // Determine new mode
       if (ret == LWResult::Result::BindError) {
-        cerr << "BindError, retrying with new client cookie and no specific address to bind to" << endl;
         // BindError is only generated when cookies are active and we failed to bind to a local
         // address associated with a cookie, see RFC9018 section 3 last paragraph. We assume the
         // called code alread erased the cookie info.
@@ -1526,7 +1525,6 @@ LWResult::Result SyncRes::asyncresolveWrapper(const ComboAddress& address, bool
         continue;
       }
       else if (res->d_validpacket && res->d_haveEDNS && ret == LWResult::Result::BadCookie) {
-        cerr << "Retrying with received server cookie" << endl;
         // We assume the received cookie was stored and will be used in the second iteration
         // This is the second path that re-iterates the loop
         continue;
@@ -5488,8 +5486,6 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
     }
   }
 
-  cerr << "asyncrW: returns " << int(resolveret) << " rcode is " << int(lwr.d_rcode) << endl;
-
   /* preoutquery killed the query by setting dq.rcode to -3 */
   if (preOutQueryRet == -3) {
     throw ImmediateServFailException("Query killed by policy");
@@ -5498,7 +5494,6 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
   d_totUsec += lwr.d_usec;
 
   if (resolveret == LWResult::Result::Spoofed || resolveret == LWResult::Result::BadCookie) {
-    cerr << "Acting as we got a spoof" << endl;
     spoofed = true;
     return false;
   }
@@ -5992,7 +5987,7 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
           if (SyncRes::s_dot_to_port_853 && remoteIP->getPort() == 853) {
             doDoT = true;
           }
-          bool forceTCP = doDoT | true;
+          bool forceTCP = doDoT;
 
           if (!doDoT && s_max_busy_dot_probes > 0) {
             submitTryDotTask(*remoteIP, auth, tns->first, d_now.tv_sec);
@@ -6003,7 +5998,6 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
           }
           if (forceTCP || (spoofed || (gotAnswer && truncated))) {
             /* retry, over TCP this time */
-            cerr << "Retry over TCP" << endl;
             gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, wasForwarded,
                                           tns->first, *remoteIP, true, doDoT, truncated, spoofed, context.extendedError);
           }