]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Updated CHANGES note to include require-server-cookie:
authorMark Andrews <marka@isc.org>
Wed, 12 Aug 2015 22:26:23 +0000 (08:26 +1000)
committerMark Andrews <marka@isc.org>
Wed, 12 Aug 2015 22:26:23 +0000 (08:26 +1000)
4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
                        cookie-secret, cookie-algorithm, nocookie-udp-size
                        and require-server-cookie.  The following dig options
                        are available: +[no]cookie[=value] and +[no]badcookie.
                        [RT #39928]

13 files changed:
CHANGES
bin/named/config.c
bin/named/named.conf.docbook
bin/named/query.c
bin/named/server.c
bin/tests/system/cookie/ns3/named.conf [new file with mode: 0644]
bin/tests/system/cookie/ns3/root.hint [new file with mode: 0644]
bin/tests/system/cookie/tests.sh
doc/arm/Bv9ARM-book.xml
doc/arm/notes.xml
lib/dns/include/dns/view.h
lib/dns/view.c
lib/isccfg/namedconf.c

diff --git a/CHANGES b/CHANGES
index 96d96519fee5aceb90bef2d9d487dbb7d768aa43..3b54061009b2640a1d8e6f569be9d81cc5fb49ba 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 4152.  [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
-                       cookie-secret, cookie-algorithm and nocookie-udp-size.
-                       The following dig options are available:
-                       +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
+                       cookie-secret, cookie-algorithm, nocookie-udp-size
+                       and require-server-cookie.  The following dig options
+                       are available: +[no]cookie[=value] and +[no]badcookie.
+                       [RT #39928]
 
 4151.  [bug]           'rndc flush' could cause a deadlock. [RT #39835]
 
index d2a428aa05af9fbdf7f4b34cbeda3f669ff10ea8..728659360eaa2265347a76997f42ff6e289a89de 100644 (file)
@@ -183,6 +183,7 @@ options {\n\
        nsec3-test-zone no;\n\
        allow-new-zones no;\n\
        fetches-per-server 0;\n\
+       require-server-cookie no;\n\
 "
 #ifdef HAVE_GEOIP
 "\
index 78f692f633da3d63452edd7cea59b108093c86fd..9dbd74d5ee2773a62b3e8ec094218e417254c79c 100644 (file)
@@ -1,5 +1,5 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+              "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "&#8212;">]>
 <!--
  - Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
@@ -133,7 +133,7 @@ server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable>
     <title>TRUSTED-KEYS</title>
     <literallayout>
 trusted-keys {
-       <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
+       <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
 };
 </literallayout>
   </refsect1>
@@ -142,7 +142,7 @@ trusted-keys {
     <title>MANAGED-KEYS</title>
     <literallayout>
 managed-keys {
-       <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
+       <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
 };
 </literallayout>
   </refsect1>
@@ -300,9 +300,9 @@ options {
        dns64-server <replaceable>string</replaceable>;
        dns64-contact <replaceable>string</replaceable>;
        dns64 <replaceable>prefix</replaceable> {
-               clients { <replacable>acl</replacable>; };
-               exclude { <replacable>acl</replacable>; };
-               mapped { <replacable>acl</replacable>; };
+               clients { <replaceable>acl</replaceable>; };
+               exclude { <replaceable>acl</replaceable>; };
+               mapped { <replaceable>acl</replaceable>; };
                break-dnssec <replaceable>boolean</replaceable>;
                recursive-only <replaceable>boolean</replaceable>;
                suffix <replaceable>ipv6_address</replaceable>;
@@ -378,6 +378,13 @@ options {
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
        dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
+
+       cookie-algorithm ( <replaceable>aes</replaceable> | <replaceable>sha1</replaceable> | <replaceable>sha256</replaceable> );
+       cookie-secret <replaceable>string</replaceable>;
+       require-server-cookie <replaceable>boolean</replaceable>;
+       send-cookie <replaceable>boolean</replaceable>;
+       nocookie-udp-size <replaceable>integer</replaceable>;
+
        deny-answer-addresses {
                <replaceable>address_match_list</replaceable>
        } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
@@ -489,9 +496,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        dns64-server <replaceable>string</replaceable>;
        dns64-contact <replaceable>string</replaceable>;
        dns64 <replaceable>prefix</replaceable> {
-               clients { <replacable>acl</replacable>; };
-               exclude { <replacable>acl</replacable>; };
-               mapped { <replacable>acl</replacable>; };
+               clients { <replaceable>acl</replaceable>; };
+               exclude { <replaceable>acl</replaceable>; };
+               mapped { <replaceable>acl</replaceable>; };
                break-dnssec <replaceable>boolean</replaceable>;
                recursive-only <replaceable>boolean</replaceable>;
                suffix <replaceable>ipv6_address</replaceable>;
@@ -561,6 +568,10 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
        dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 
+       require-server-cookie <replaceable>boolean</replaceable>;
+       send-cookie <replaceable>boolean</replaceable>;
+       nocookie-udp-size <replaceable>integer</replaceable>;
+
        allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
        fetch-glue <replaceable>boolean</replaceable>; // obsolete
        maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
@@ -604,7 +615,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        update-policy <replaceable>local</replaceable> | <replaceable> {
                ( grant | deny ) <replaceable>string</replaceable>
                ( name | subdomain | wildcard | self | selfsub | selfwild |
-                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+                 krb5-self | ms-self | krb5-subdomain | ms-subdomain |
                  tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
                <replaceable>rrtypelist</replaceable>;
                <optional>...</optional>
@@ -676,13 +687,13 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
   <refsect1>
     <title>SEE ALSO</title>
     <para><citerefentry>
-        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+       <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+       <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
-        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+       <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
index 1a90351d4ed0bf5046aef5483509b8459fe03fa0..cfd414fd4663ccd4031de2f99246573b84fb212b 100644 (file)
@@ -6973,7 +6973,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                                goto cleanup;
                        }
                }
-       } else if (!TCP(client) && WANTCOOKIE(client) && !HAVECOOKIE(client)) {
+       } else if (!TCP(client) && client->view->requireservercookie &&
+                  WANTCOOKIE(client) && !HAVECOOKIE(client)) {
                client->message->rcode = dns_rcode_badcookie;
                goto cleanup;
        }
index a6a2c15470616437b17bf277e65ec98bb5dcf0fa..1a25531df354f6f0593bfb86e5aa3e3c9b9c80e5 100644 (file)
@@ -3531,6 +3531,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
        INSIST(result == ISC_R_SUCCESS);
        view->sendcookie = cfg_obj_asboolean(obj);
 
+       obj = NULL;
+       result = ns_config_get(maps, "require-server-cookie", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       view->requireservercookie = cfg_obj_asboolean(obj);
+
        obj = NULL;
        result = ns_config_get(maps, "max-clients-per-query", &obj);
        INSIST(result == ISC_R_SUCCESS);
diff --git a/bin/tests/system/cookie/ns3/named.conf b/bin/tests/system/cookie/ns3/named.conf
new file mode 100644 (file)
index 0000000..79251f2
--- /dev/null
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+       query-source address 10.53.0.3 dscp 1;
+       notify-source 10.53.0.3 dscp 2;
+       transfer-source 10.53.0.3 dscp 3;
+       port 5300;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; };
+       listen-on-v6 { none; };
+       recursion yes;
+       acache-enable yes;
+       deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+                except-from { "example.org"; };
+       deny-answer-aliases { "example.org"; }
+               except-from { "goodcname.example.net";
+                             "gooddname.example.net"; };
+       allow-query {!10.53.0.8; any; };
+       send-cookie yes;
+       nocookie-udp-size 512;
+       require-server-cookie yes;
+};
+
+zone "." {
+       type hint;
+       file "root.hint";
+};
+
+zone "example" {
+       type master;
+       file "example.db";
+};
diff --git a/bin/tests/system/cookie/ns3/root.hint b/bin/tests/system/cookie/ns3/root.hint
new file mode 100644 (file)
index 0000000..e1bd334
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hint,v 1.7 2007/06/19 23:47:05 tbox Exp $
+
+$TTL 999999
+.                       IN NS  a.root-servers.nil.
+a.root-servers.nil.     IN A   10.53.0.2
index 66a09ff42a18f10952694d8422806818cedc27a2..cea0a76a86df4b99c15e4b50d51acb166361241c 100755 (executable)
@@ -113,5 +113,26 @@ grep "10.53.0.2.*\[cookie=" ns1/named_dump.db > /dev/null|| ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:checking require-server-cookie default (no) ($n)"
+ret=0
+$DIG +qr +cookie +nobadcookie soa @10.53.0.1 -p 5300 > dig.out.test$n
+grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking require-server-cookie yes ($n)"
+ret=0
+$DIG +qr +cookie +nobadcookie soa @10.53.0.3 -p 5300 > dig.out.test$n
+grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+
 echo "I:exit status: $status"
 exit $status
index 94d6c12681ff380781374c4c38215dcd91ccab41..62afeccbdce68c102b4cce555497b2c5567b8f94 100644 (file)
@@ -4807,6 +4807,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
     <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
     <optional> send-cookie <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> require-server-cookie <replaceable>yes_or_no</replaceable>; </optional>
     <optional> cookie-algorithm <replaceable>secret_string</replaceable>; </optional>
     <optional> cookie-secret <replaceable>secret_string</replaceable>; </optional>
     <optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
@@ -6464,12 +6465,22 @@ options {
            </varlistentry>
 
            <varlistentry>
-              <term><command>request-sit</command></term>
+             <term><command>request-sit</command></term>
              <para>
                This experimental option is obsolete.
              </para>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>require-server-cookie</command></term>
+             <para>
+               Require a valid server cookie before sending a full
+               response to a UDP request from a cookie aware client.
+               BADCOOKIE is sent if there is a bad or no existent
+               server cookie.
+             </para>
+           </varlistentry>
+
            <varlistentry>
              <term><command>send-cookie</command></term>
              <listitem>
@@ -6498,7 +6509,7 @@ options {
              <listitem>
                <para>
                  This experimental option is obsolete.
-               </para>
+               </para>
              </listitem>
            </varlistentry>
 
@@ -8402,16 +8413,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                  will not be accepted, and for each incoming request
                  a previous pending request will also be dropped.
                </para>
-                <para>
-                  A "soft quota" is also set.  When this lower
+               <para>
+                 A "soft quota" is also set.  When this lower
                  quota is exceeded, incoming requests are accepted, but
                  for each one, a pending request will be dropped.
-                  If <option>recursive-clients</option> is greater than
-                  1000, the soft quota is set to
-                  <option>recursive-clients</option> minus 100;
-                  otherwise it is set to 90% of
-                  <option>recursive-clients</option>.
-                </para>
+                 If <option>recursive-clients</option> is greater than
+                 1000, the soft quota is set to
+                 <option>recursive-clients</option> minus 100;
+                 otherwise it is set to 90% of
+                 <option>recursive-clients</option>.
+               </para>
              </listitem>
            </varlistentry>
 
@@ -8520,13 +8531,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
              <listitem>
                <para>
                  The maximum number of simultaneous iterative
-                  queries that the server will allow to be sent to
-                  a single upstream name server before blocking
-                  additional queries.
+                 queries that the server will allow to be sent to
+                 a single upstream name server before blocking
+                 additional queries.
                  This value should reflect how many fetches would
                  normally be sent to any one server in the time it
                  would take to resolve them.  It should be smaller
-                  than <option>recursive-clients</option>.
+                 than <option>recursive-clients</option>.
                </para>
                <para>
                  Optionally, this value may be followed by the keyword
@@ -11191,7 +11202,7 @@ example.com                 CNAME   rpz-tcp-only.
                  >http://127.0.0.1:8888/json/v1/tasks</ulink>
          (task manager statistics), and
          <ulink url="http://127.0.0.1:8888/json/v1/traffic"
-                 >http://127.0.0.1:8888/json/v1/traffic</ulink>
+                 >http://127.0.0.1:8888/json/v1/traffic</ulink>
          (traffic sizes).
        </para>
       </sect2>
index 7d7a62080e8ff6cff421976c417d50149b7866ef..ef8984a7a68b662ddfa687a85269d94e8ead3e86 100644 (file)
@@ -50,7 +50,7 @@
          when parsing certain malformed DNSSEC keys.
        </para>
        <para>
-         This flaw was discovered by Hanno B&ouml;ck of the Fuzzing
+         This flaw was discovered by Hanno B&#x96;ck of the Fuzzing
          Project, and is disclosed in CVE-2015-5722. [RT #40212]
        </para>
       </listitem>
       <listitem>
        <para>
          The experimental SIT option (code point 65001) of BIND
-         9.10.0 through BIND 9.10.2 has be replace the COOKIE
-         option (code point 10) and is no longer experimental and
-         is sent by default.
+         9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
+         option (code point 10). It is no longer experimental, and
+         is sent by default, by both <command>named</command> and
+         <command>dig</command>.
        </para>
        <para>
-         The SIT related named.conf options have been marked as
-         obsolete and are otherwise ignored.
+         The SIT-related named.conf options have been marked as
+         obsolete, and are otherwise ignored.
        </para>
       </listitem>
       <listitem>
        <para>
-         When retrying a query via TCP due to the first answer
-         being truncated, <command>dig</command> will now correctly
-         send the Server COOKIE returned by the server in the prior
-         response. [RT #39047]
+         When <command>dig</command> receives a truncated (TC=1)
+         response or a BADCOOKIE response code from a server, it
+         will automatically retry the query using the server COOKIE
+         that was returned by the server in its initial response.
+         [RT #39047]
        </para>
       </listitem>
       <listitem>
index 4003eae1fea460684773293b4375ae539e526bab..04126e95a2dae8471c1e8ae559027a85a75186f4 100644 (file)
@@ -127,6 +127,7 @@ struct dns_view {
        isc_boolean_t                   enablednssec;
        isc_boolean_t                   enablevalidation;
        isc_boolean_t                   acceptexpired;
+       isc_boolean_t                   requireservercookie;
        dns_transfer_format_t           transfer_format;
        dns_acl_t *                     cacheacl;
        dns_acl_t *                     cacheonacl;
index 4660211bcbe539c26e45b93e28d389f3fc44b3bb..6220c7d32157858ad724704fc5cb4afc4cc17667 100644 (file)
@@ -234,6 +234,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        dns_fixedname_init(&view->redirectfixed);
        view->requestnsid = ISC_FALSE;
        view->sendcookie = ISC_TRUE;
+       view->requireservercookie = ISC_FALSE;
        view->new_zone_file = NULL;
        view->new_zone_config = NULL;
        view->cfg_destroy = NULL;
index a680619e5d8496f1237fe779260865c49bf128ce..12830e0c6a1b7a3eb25a9c1bd476233f0280a783 100644 (file)
@@ -1602,6 +1602,7 @@ view_clauses[] = {
        { "recursion", &cfg_type_boolean, 0 },
        { "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
        { "request-nsid", &cfg_type_boolean, 0 },
+       { "require-server-cookie", &cfg_type_boolean, 0 },
        { "resolver-query-timeout", &cfg_type_uint32, 0 },
        { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
        { "root-delegation-only",  &cfg_type_optional_exclude, 0 },