+4983. [cleanup] Remove the deprecated flag from "answer-cookie";
+ it will be allowed to persist into 9.13. [GL #275].
+
4982. [cleanup] Return FORMERR if the question section is empty
and no COOKIE option is present; this restores
older behavior except in the newly specified
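Review bot: The new 4983 entry does not say what actually changes for an operator, and "it will be allowed to persist into 9.13" leaves open whether "answer-cookie" is now a permanent option or has only been given a longer grace period. Suggest wording the entry around the effect and the intended lifetime of the option. Also check the trailing period after "[GL #275]" against the style of the neighbouring entries.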
options level, not per-view.
</para>
<para>
- <command>answer-cookie</command> is only available
- as a temporary measure, for use when
- <command>named</command> shares an IP address
- with other servers that do not yet support DNS
- COOKIE. A mismatch between servers on the same
- address is not expected to cause operational
- problems, but the option to disable COOKIE responses
- so that all servers have the same behavior is
- provided out of an abundance of caution. DNS COOKIE
- is an important security mechanism and should not be
- disabled unless absolutely necessary. The
- <command>answer-cookie</command> option is obsolete
- as of BIND 9.13.
+ <command>answer-cookie no</command> is only intended as a
+ temporary measure, for use when <command>named</command>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational
+ problems, but the option to disable COOKIE responses so
+ that all servers have the same behavior is provided out
+ of an abundance of caution. DNS COOKIE is an important
+ security mechanism, and should not be disabled unless
+ absolutely necessary.
</para>
</listitem>
</varlistentry>
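Review bot: In the rewritten paragraph, dropping the sentence "The answer-cookie option is obsolete as of BIND 9.13" leaves text that still describes "answer-cookie no" as a temporary measure but no longer tells the reader when, or whether, the option goes away. Since the same paragraph says DNS COOKIE "should not be disabled unless absolutely necessary", suggest adding one sentence on the option's planned lifetime that matches the CHANGES wording ("allowed to persist into 9.13"), so operators know this is a transition aid and not a supported long-term setting.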
<para>
Add the ability to not return a DNS COOKIE option when one
is present in the request. To prevent a cookie being returned
- add 'answer-cookie no;' to named.conf. [GL #173]
+ add <command>answer-cookie no;</command> to
+ <filename>named.conf</filename>. [GL #173]
</para>
<para>
- <command>answer-cookie</command> is only available as a
+ <command>answer-cookie no</command> is only intended as a
temporary measure, for use when <command>named</command>
shares an IP address with other servers that do not yet
support DNS COOKIE. A mismatch between servers on the
but the option to disable COOKIE responses so that all
servers have the same behavior is provided out of an
abundance of caution. DNS COOKIE is an important security
- mechanism and should not be disabled unless absolutely
- necessary. The <command>answer-cookie</command> option
- is obsolete as of BIND 9.13.
+ mechanism, and should not be disabled unless absolutely
+ necessary.
</para>
</listitem>
</itemizedlist>
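Review bot: The two added command references in this release-note entry are inconsistent: the first paragraph uses "answer-cookie no;" with the semicolon and the second uses "answer-cookie no" without it, as does the reference-manual hunk. Pick one form for all three places; the semicolon form is the one a reader can paste into named.conf. The entry also still cites only [GL #173], while the removal of the "obsolete as of BIND 9.13" sentence belongs to GL #275 per the CHANGES hunk, so consider adding that reference here so the withdrawn statement can be traced.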
*/
static cfg_clausedef_t
options_clauses[] = {
- { "answer-cookie", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
+ { "answer-cookie", &cfg_type_boolean, 0 },
{ "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
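Review bot: On the "answer-cookie" row, replacing CFG_CLAUSEFLAG_DEPRECATED with 0 makes the entry indistinguishable from ordinary options such as "automatic-interface-scan", even though the documentation in this same patch still calls "answer-cookie no" a temporary measure that disables an important security mechanism. Suggest a short comment on the row recording that the option is retained only temporarily and citing GL #275, so the flag is not silently left at 0 once the option is due to be retired. If any config-checking test expects a deprecation message for this option, it would need updating in the same commit; none is visible in this patch.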