COOKIE: Only send BADCOOKIE over UDP
authorPieter Lexis <pieter.lexis@powerdns.com>
Mon, 20 Sep 2021 09:19:38 +0000 (11:19 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Mon, 20 Sep 2021 09:19:38 +0000 (11:19 +0200)
pdns/packethandler.cc
regression-tests.auth-py/test_Cookies.py

index 8dd451153f4321ee773678f70c345ab1a04ebdca..87f398ae42f6a348c86c5ccc77775155cbb7f4ed 100644 (file)
@@ -1304,7 +1304,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
         r->setRcode(RCode::FormErr);
         return r;
       }
-      if (!p.hasValidEDNSCookie()) {
+      if (!p.hasValidEDNSCookie() && !p.d_tcp) {
         r = p.replyPacket();
         r->setEDNSRcode(ERCode::BADCOOKIE);
         return r;
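Review bot: The new `&& !p.d_tcp` on the BADCOOKIE check has no comment saying why TCP is exempt, and that reasoning is security-relevant. Cookies exist to blunt spoofed-source UDP traffic, whereas a completed TCP handshake has already shown that the client can receive at its address; without that stated, a later cleanup could drop the condition. I would add above the `if`: `// BADCOOKIE only over UDP: the TCP handshake already validates the source address, so answer normally (RFC 7873)`. If `hasValidEDNSCookie()` is also false for a query whose server cookie is present but fails validation, the exemption covers that case too, not only client-cookie-only queries; worth confirming that is intended. The enclosing block in `doQuestion` starts and ends outside the hunk.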
index 0eec8d954e66d3579b59e197c4fb63a470c7773b..ba67da89782858ddd29f85305bd30a19326f68f1 100644 (file)
@@ -78,6 +78,17 @@ www.example.org.             3600 IN A    192.0.2.5
         self.assertTrue(any([opt.otype == dns.edns.COOKIE for
                              opt in res.options]))
 
+    def testOnlyClientCookieTCP(self):
+        opts = [
+            dns.edns.GenericOption(dns.edns.COOKIE,
+                                   b'\x22\x11\x33\x44\x55\x66\x77\x88')]
+        query = dns.message.make_query('www.example.org', 'A', options=opts)
+        res = self.sendTCPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertTrue(any(opt.otype == dns.edns.COOKIE for
+                            opt in res.options))
+
+
     def testCorrectCookie(self):
         opts = [self.getCookieFromServer()]
         query = dns.message.make_query('www.example.org', 'A', options=opts)
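Review bot: `testOnlyClientCookieTCP` covers only the client-cookie-only case and asserts only that some COOKIE option comes back. The C++ change appears to route a query with a present-but-wrong server cookie through the same TCP exemption, and nothing here pins that behaviour. A second TCP test with a bogus server cookie would catch a regression where that case is answered with BADCOOKIE, or is not re-seeded with a fresh cookie; the expected NOERROR below assumes that case is meant to be answered normally over TCP. It would also help if both tests checked that the returned option is longer than the 8-byte client cookie, so the reply is known to carry a server cookie. Separately, the two blank lines after the new method should be one, to match the rest of the class.

```python
    def testWrongServerCookieTCP(self):
        # constructed sample: the 8-byte client cookie from the test above
        # followed by a server cookie the server never issued
        opts = [
            dns.edns.GenericOption(dns.edns.COOKIE,
                                   b'\x22\x11\x33\x44\x55\x66\x77\x88' +
                                   b'\x00' * 16)]
        query = dns.message.make_query('www.example.org', 'A', options=opts)
        res = self.sendTCPQuery(query)
        self.assertRcodeEqual(res, dns.rcode.NOERROR)
        self.assertTrue(any(opt.otype == dns.edns.COOKIE for
                            opt in res.options))

    # ... unchanged: testCorrectCookie ...
```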