From: Mukund Sivaraman
Date: Mon, 19 Mar 2018 12:39:05 +0000 (+0530)
Subject: Add a answer-cookie named config option
X-Git-Tag: v9.11.4rc1~8^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=441de7dbe37beb085aa4ee0e69a23639c31f036a;p=thirdparty%2Fbind9.git
Add a answer-cookie named config option
(cherry picked from commit 29305073575459a66f0a93b9becc4863fd1c0c6b)
---
diff --git a/bin/named/client.c b/bin/named/client.c
index bd410784c68..feb4eb3e790 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1912,7 +1912,9 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 /*
 * If we have already seen a cookie option skip this cookie option.
 */
- if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) {
+ if ((!ns_g_server->answercookie) ||
+ (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0)
+ {
 isc_buffer_forward(buf, (unsigned int)optlen);
 return;
 }
diff --git a/bin/named/config.c b/bin/named/config.c
index c158b2acf6c..54bc37fff73 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -47,6 +47,7 @@
 /*% default configuration */
 static char defaultconf[] = "\
 options {\n\
+ answer-cookie true;\n\
 automatic-interface-scan yes;\n\
 bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
 # blackhole {none;};\n"
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index e60e96fe4b6..d8179a60a0a 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -124,6 +124,7 @@ struct ns_server {
 unsigned char secret[32]; /*%< Server Cookie Secret */
 ns_altsecretlist_t altsecrets;
 ns_cookiealg_t cookiealg;
+ isc_boolean_t answercookie;
 dns_dtenv_t *dtenv; /*%< Dnstap environment */
diff --git a/bin/named/server.c b/bin/named/server.c
index 038e610e6b5..777ece58665 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
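Review bot: The comment above the changed condition in process_cookie() (bin/named/client.c) still says the option is skipped only when a cookie was already seen, but the new first operand skips every COOKIE option whenever `answer-cookie` is off. Because that early return runs before anything in the option is examined, no cookie state is recorded for the client in that configuration, so any later check that relies on a validated server cookie will presumably treat every client as cookie-less. I would reword the comment to `/* Skip the option if cookie answers are disabled (answer-cookie) or a cookie option was already seen. */` and drop the redundant parentheses, `if (!ns_g_server->answercookie ||`. The body of process_cookie() continues outside the hunk.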
@@ -8327,6 +8327,11 @@ load_configuration(const char *filename, ns_server_t *server,
 server->flushonshutdown = ISC_FALSE;
 }
+ obj = NULL;
+ result = ns_config_get(maps, "answer-cookie", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ server->answercookie = cfg_obj_asboolean(obj);
+
 obj = NULL;
 result = ns_config_get(maps, "cookie-algorithm", &obj);
 INSIST(result == ISC_R_SUCCESS);
@@ -9033,6 +9038,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 server->lockfile = NULL;
 server->dtenv = NULL;
+ server->answercookie = ISC_TRUE;
 server->magic = NS_SERVER_MAGIC;
 *serverp = server;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index cabbba9d7db..ecd59206479 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1024,6 +1024,7 @@ static cfg_type_t cfg_type_fstrm_model = {
 */
 static cfg_clausedef_t options_clauses[] = {
+ { "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
 { "automatic-interface-scan", &cfg_type_boolean, 0 },
 { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
 { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
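Review bot: The new `answer-cookie` entry in options_clauses[] (lib/isccfg/namedconf.c) is registered with `CFG_CLAUSEFLAG_DEPRECATED`, so an option introduced by this commit is flagged as deprecated from its first release, and nothing in the visible hunks says why. If it is meant as a short-lived interoperability switch, say so next to the entry, for example `/* temporary knob; deprecated from the start to discourage long-term use */`. The reference documentation should also state that turning it off makes the server ignore COOKIE options in requests, as the process_cookie() hunk shows. The hunks on this page contain no documentation change, though one may exist elsewhere in the commit series.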