From: Otto Moerbeek Date: Thu, 4 Sep 2025 12:21:51 +0000 (+0200) Subject: Add config to persistently list auths not supporting cookies X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70cf119a241811b8e534437c8e588c14537fa3fc;p=thirdparty%2Fpdns.git Add config to persistently list auths not supporting cookies Signed-off-by: Otto Moerbeek --- diff --git a/pdns/recursordist/lwres.cc b/pdns/recursordist/lwres.cc index c4f2af9602..c9d03f772f 100644 --- a/pdns/recursordist/lwres.cc +++ b/pdns/recursordist/lwres.cc @@ -58,9 +58,14 @@ static bool g_cookies = false; -void enableOutgoingCookies(bool flag) +void enableOutgoingCookies(bool flag, const string& unsupported) { g_cookies = flag; + if (g_cookies) { + std::vector parts; + stringtok(parts, unsupported, ", "); + addCookiesUnsupported(parts.begin(), parts.end()); + } } thread_local TCPOutConnectionManager t_tcp_manager; @@ -85,7 +90,7 @@ uint64_t addCookiesUnsupported(vector::iterator begin, vector::i } ++count; } - catch (const PDNSException &) { + catch (const PDNSException&) { ; } ++begin; @@ -109,7 +114,7 @@ uint64_t clearCookies(vector::iterator begin, vector::iterator e try { count += lock->erase(ComboAddress(*begin, 53)); } - catch (const PDNSException &) { + catch (const PDNSException&) { ; } ++begin; diff --git a/pdns/recursordist/lwres.hh b/pdns/recursordist/lwres.hh index 544f34f40b..89cc45f19c 100644 --- a/pdns/recursordist/lwres.hh +++ b/pdns/recursordist/lwres.hh @@ -103,4 +103,4 @@ uint64_t dumpCookies(int fileDesc); uint64_t clearCookies(vector::iterator begin, vector::iterator end); uint64_t addCookiesUnsupported(vector::iterator begin, vector::iterator end); void pruneCookies(time_t cutoff); -void enableOutgoingCookies(bool flag); +void enableOutgoingCookies(bool flag, const std::string& unsupported); diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc index 01b6c4f6c9..f638e0f25f 100644 --- a/pdns/recursordist/rec-main.cc 
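Review bot: In the first lwres.cc hunk, `enableOutgoingCookies` discards the count returned by `addCookiesUnsupported(parts.begin(), parts.end())`, and the `catch (const PDNSException&) { ; }` blocks visible in the later hunks of this file swallow the exception. An entry in `outgoing-cookies-unsupported` that fails to parse therefore appears to be dropped silently, so the server would still be probed for cookies with nothing at startup to tell the operator. I would keep the result, `const auto added = addCookiesUnsupported(parts.begin(), parts.end());`, and log a warning when `added != parts.size()`. The parameter is spelled `const string&` here but `const std::string&` in lwres.hh; using the qualified form in both places would be more consistent.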
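Review bot: The new declaration `void enableOutgoingCookies(bool flag, const std::string& unsupported);` in lwres.hh has no comment describing the second parameter. Going by the lwres.cc hunk, I would add `// unsupported: server addresses separated by ',' or ' '; only applied when flag is true`. The commit title promises a persistent list, but the visible hunks do not show how these entries relate to `pruneCookies(time_t cutoff)`, declared just above. If they are exempt from pruning, the comment should say so; if not, that looks worth checking.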
+++ b/pdns/recursordist/rec-main.cc @@ -2203,7 +2203,7 @@ static int serviceMain(Logr::log_t log) g_paddingOutgoing = ::arg().mustDo("edns-padding-out"); g_ECSHardening = ::arg().mustDo("edns-subnet-harden"); - enableOutgoingCookies(::arg().mustDo("outgoing-cookies")); + enableOutgoingCookies(::arg().mustDo("outgoing-cookies"), ::arg()["outgoing-cookies-unsupported"]); RecThreadInfo::setNumDistributorThreads(::arg().asNum("distributor-threads")); RecThreadInfo::setNumUDPWorkerThreads(::arg().asNum("threads")); diff --git a/pdns/recursordist/rec-rust-lib/table.py b/pdns/recursordist/rec-rust-lib/table.py index 5beed59d8a..559c1d4a60 100644 --- a/pdns/recursordist/rec-rust-lib/table.py +++ b/pdns/recursordist/rec-rust-lib/table.py @@ -3627,6 +3627,18 @@ Sequence of ForwardingCatalogZone. This setting cannot be combined with :ref:`se 'help': 'Enable DNS cookies when contacting authoritative servers or forwarders', 'doc': ''' Enable DNS cookies (:rfc:`7873`, :rfc:`9018`) when contacting authoritative servers or forwarders. +''', + 'versionadded': '5.3.0', + }, + { + 'name' : 'cookies_unsupported', + 'section' : 'outgoing', + 'oldname': 'outgoing-cookies-unsupported', + 'type': LType.ListStrings, + 'default': '', + 'help': 'Addresses of authoritative servers that do not support cookies', + 'doc': ''' +Addresses of servers that do not properly support DNS cookies (:rfc:`7873`, :rfc:`9018`). Recursor wil not even try to probe these servers for cookie support. ''', 'versionadded': '5.3.0', },
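Review bot: The added `doc` text for `cookies_unsupported` in table.py misspells "will" (`Recursor wil not even try`) and does not say what form an entry takes. I would change it to `Recursor will not even try to probe these servers for cookie support.` and add a sentence on the accepted format (plain IP addresses, and whether a port may be given), which the visible code does not make clear. It would also help to state that listed servers are contacted without a cookie, and so without the spoofing protection of :rfc:`7873`, so operators keep the list to servers that really misbehave. The surrounding settings list starts and ends outside this hunk.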