check requireservercookie even if rrl is configured
authorMark Andrews <marka@isc.org>
Mon, 5 Nov 2018 01:33:54 +0000 (12:33 +1100)
committerMark Andrews <marka@isc.org>
Mon, 5 Nov 2018 23:10:04 +0000 (10:10 +1100)
lib/ns/query.c

index a61936afd8a77af07eb41d0e36bbad29a9e8b4a9..937da5d68e32eaa5154f5f43244709b4da4ec8af 100644 (file)
@@ -5237,6 +5237,19 @@ ns__query_start(query_ctx_t *qctx) {
        qctx->need_wildcardproof = false;
        qctx->rpz = false;
 
+       /*
+        * If we require a server cookie then send back BADCOOKIE
+        * before we have done too much work.
+        */
+       if (!TCP(qctx->client) && qctx->client->view->requireservercookie &&
+           WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
+       {
+               qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+               qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+               qctx->client->message->rcode = dns_rcode_badcookie;
+               return (query_done(qctx));
+       }
+
        if (qctx->client->view->checknames &&
            !dns_rdata_checkowner(qctx->client->query.qname,
                                  qctx->client->message->rdclass,
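Review bot: The BADCOOKIE reply from the new early return in ns__query_start is built before query_checkrrl runs, so nothing visible in this hunk rate-limits replies sent to UDP sources that have not yet presented a valid server cookie. If that is intended because the reply is small and carries no answer data, the comment should say so and also explain the TCP exemption, for example `* UDP only; a TCP client's address is already validated by the handshake.` and `* This reply is deliberately sent without consulting RRL.` Whether query_done applies any limit of its own cannot be seen here, since ns__query_start begins and ends outside the hunk. A regression test with both rate-limit and require-server-cookie configured would pin the behaviour the commit title describes.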
@@ -6276,14 +6289,6 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
                                return (DNS_R_DROP);
                        }
                }
-       } else if (!TCP(qctx->client) &&
-                  qctx->client->view->requireservercookie &&
-                  WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
-       {
-               qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
-               qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
-               qctx->client->message->rcode = dns_rcode_badcookie;
-               return (DNS_R_DROP);
        }
 
        return (ISC_R_SUCCESS);