From: Mark Andrews
Date: Mon, 5 Nov 2018 01:33:54 +0000 (+1100)
Subject: check requireservercookie even if rrl is configured
X-Git-Tag: v9.13.4~56^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6f6eeda9dd7387c3539e5626a24412dd6c27d97;p=thirdparty%2Fbind9.git

check requireservercookie even if rrl is configured
---
diff --git a/lib/ns/query.c b/lib/ns/query.c
index a61936afd8a..937da5d68e3 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5237,6 +5237,19 @@ ns__query_start(query_ctx_t *qctx) {
 qctx->need_wildcardproof = false;
 qctx->rpz = false;

+ /*
+ * If we require a server cookie then send back BADCOOKIE
+ * before we have done too much work.
+ */
+ if (!TCP(qctx->client) && qctx->client->view->requireservercookie &&
+ WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
+ {
+ qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+ qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+ qctx->client->message->rcode = dns_rcode_badcookie;
+ return (query_done(qctx));
+ }
+
 if (qctx->client->view->checknames &&
 !dns_rdata_checkowner(qctx->client->query.qname,
 qctx->client->message->rdclass,
@@ -6276,14 +6289,6 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
 return (DNS_R_DROP);
 }
 }
- } else if (!TCP(qctx->client) &&
- qctx->client->view->requireservercookie &&
- WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
- {
- qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
- qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
- qctx->client->message->rcode = dns_rcode_badcookie;
- return (DNS_R_DROP);
 }

 return (ISC_R_SUCCESS);
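Review bot: The comment above the new guard in ns__query_start() gives only the "less work" reason and leaves out the conditions an operator needs when judging spoofed-source exposure: the guard is skipped for TCP and fires only when WANTCOOKIE is set without HAVECOOKIE, so (assuming WANTCOOKIE means the query carried a COOKIE option) UDP clients that send no cookie at all still get full processing. The early `return (query_done(qctx));` also appears to leave before query_checkrrl() is reached, so BADCOOKIE replies would not be rate-limited; if that is intended, the comment should say so, e.g. `/* UDP query with a client cookie but no valid server cookie: reply BADCOOKIE before checknames and lookup; this reply is not subject to RRL. */`. As a smaller style point, the two flag clears can be one statement, `qctx->client->message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);`. The body of ns__query_start() continues outside the hunk, so hooks or cleanup that run before this point are not visible here.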