+4983. [cleanup] Remove the deprecated flag from "answer-cookie";
+ it will be allowed to persist into 9.13. [GL #275].
+
4982. [cleanup] Return FORMERR if the question section is empty
and no COOKIE option is present; this restores
older behavior except in the newly specified
options level, not per-view.
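Review bot: The issue reference for this change is inconsistent across the patch; entry 4983 cites [GL #275] while the release-notes item for the same answer-cookie option cites [GL #173]. If both issues apply, cite both here so the CHANGES entry can be traced to the ticket that introduced the option as well as the one that un-deprecated it; otherwise settle on one.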
</para>
<para>
- <command>answer-cookie</command> is only available
- as a temporary measure, for use when
- <command>named</command> shares an IP address
- with other servers that do not yet support DNS
- COOKIE. A mismatch between servers on the same
- address is not expected to cause operational
- problems, but the option to disable COOKIE responses
- so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE
- is an important security mechanism and should not be
- disabled unless absolutely necessary. The
- <command>answer-cookie</command> option is obsolete
- as of BIND 9.13.
+ <command>answer-cookie no</command> is only intended as a
+ temporary measure, for use when <command>named</command>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational
+ problems, but the option to disable COOKIE responses so
+ that all servers have the same behavior is provided out
+ of an abundance of caution. DNS COOKIE is an important
+ security mechanism, and should not be disabled unless
+ absolutely necessary.
</para>
</listitem>
</varlistentry>
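Review bot: Dropping "The answer-cookie option is obsolete as of BIND 9.13" leaves the ARM text calling the option a temporary measure without saying when it goes away, which operators will read as permanent. Since the CHANGES entry only says the flag "will be allowed to persist into 9.13", suggest ending the paragraph with a sentence such as "This option may be removed in a future release once DNS COOKIE support is widespread", so the security caveat keeps its intended weight.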
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
mechanism and should not be disabled unless absolutely
- necessary. The <command>answer-cookie</command> option
- is obsolete as of BIND 9.13.
+ necessary.
</para>
</listitem>
</itemizedlist>
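Review bot: This paragraph is now a near-verbatim copy of the ARM text in the bind9.xml hunk and of the new release-notes item below, differing only in punctuation ("mechanism and should not" here vs. "mechanism, and should not" there). Keep the three copies character-for-character identical, or better, keep the full rationale in the ARM only and have the notes reference it, so a future edit to the security caveat does not leave one copy stale.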
using (now obsolete) idnkit-1 library.
</para>
</listitem>
+ <listitem>
+ <para>
+ Add the ability to not return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned
+ add <command>answer-cookie no;</command> to
+ <filename>named.conf</filename>. [GL #173]
+ </para>
+ <para>
+ <command>answer-cookie no</command> is only intended as a
+ temporary measure, for use when <command>named</command>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational problems,
+ but the option to disable COOKIE responses so that all
+ servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security
+ mechanism, and should not be disabled unless absolutely
+ necessary.
+ </para>
+ </listitem>
</itemizedlist>
</section>
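Review bot: The new item never states the default, so a reader cannot tell from the notes whether named returns cookies unless told otherwise. Suggest adding "The default is answer-cookie yes;" after the sentence "To prevent a cookie being returned add answer-cookie no; to named.conf", and noting explicitly that the option only affects whether a COOKIE option is included in responses, not how cookies in incoming queries are processed, since the opening sentence "Add the ability to not return a DNS COOKIE option when one is present in the request" is easy to misread as disabling cookie handling entirely.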
*/
static cfg_clausedef_t
options_clauses[] = {
- { "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
+ { "answer-cookie", &cfg_type_boolean, 0 },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },