Add a answer-cookie named config option

diff --git a/bin/named/config.c b/bin/named/config.c
index 9e0cd0169523539fed2ccecdd629d5248d55262c..c895cfc2295caaf94180aefe9bfebfa683191d72 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -47,6 +47,7 @@
 /*% default configuration */
 static char defaultconf[] = "\
 options {\n\
+       answer-cookie true;\n\
        automatic-interface-scan yes;\n\
        bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
 #      blackhole {none;};\n"

diff --git a/bin/named/server.c b/bin/named/server.c
index 2a3b96cbf4ecefb6cc9fca9098db3fe1fb606731..16181303390a9feed605c28625ee3ff49b84e773 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8829,6 +8829,11 @@ load_configuration(const char *filename, named_server_t *server,
                server->flushonshutdown = ISC_FALSE;
        }
 
+       obj = NULL;
+       result = named_config_get(maps, "answer-cookie", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       server->sctx->answercookie = cfg_obj_asboolean(obj);
+
        obj = NULL;
        result = named_config_get(maps, "cookie-algorithm", &obj);
        INSIST(result == ISC_R_SUCCESS);

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index ad8488e4190b78cb6006133d946363d0b6a5be53..8698afea3ae8124c6c53ec2dccdf6c896d8cd085 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1027,6 +1027,7 @@ static cfg_type_t cfg_type_fstrm_model = {
  */
 static cfg_clausedef_t
 options_clauses[] = {
+       { "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
        { "automatic-interface-scan", &cfg_type_boolean, 0 },
        { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
        { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },

diff --git a/lib/ns/client.c b/lib/ns/client.c
index 951f0ae56190bff74aab6092551742c1f86fd897..506f5d9ae6f9b0c07ff713405d09df2099639bb1 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1912,7 +1912,9 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
        /*
         * If we have already seen a cookie option skip this cookie option.
         */
-       if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) {
+       if ((!client->sctx->answercookie) ||
+           (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0)
+       {
                isc_buffer_forward(buf, (unsigned int)optlen);
                return;
        }

diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 362f9ca0fcfa782fde31299c7ebcdedaee6aa98e..68280cd19d61b1fddff5ca54a0b1587403388889 100644 (file)
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -76,6 +76,7 @@ struct ns_server {
        unsigned char           secret[32];
        ns_cookiealg_t          cookiealg;
        ns_altsecretlist_t      altsecrets;
+       isc_boolean_t           answercookie;
 
        /*% Quotas */
        isc_quota_t             recursionquota;

diff --git a/lib/ns/server.c b/lib/ns/server.c
index c8220592bdca66f52a50542e9f60066f1fb1f614..95afea36af0e83dc77d9e671b3abde3158e72622 100644 (file)
--- a/lib/ns/server.c
+++ b/lib/ns/server.c
@@ -104,6 +104,7 @@ ns_server_create(isc_mem_t *mctx, isc_entropy_t *entropy,
        sctx->gethostname = NULL;
 
        sctx->matchingview = matchingview;
+       sctx->answercookie = ISC_TRUE;
 
        ISC_LIST_INIT(sctx->altsecrets);