4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
- cookie-secret, cookie-algorithm and nocookie-udp-size.
- The following dig options are available:
- +[no]cookie[=value] and +[no]badcookie. [RT #39928]
+ cookie-secret, cookie-algorithm, nocookie-udp-size
+ and require-server-cookie. The following dig options
+ are available: +[no]cookie[=value] and +[no]badcookie.
+ [RT #39928]
4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835]
nsec3-test-zone no;\n\
allow-new-zones no;\n\
fetches-per-server 0;\n\
+ require-server-cookie no;\n\
"
#ifdef HAVE_GEOIP
"\
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
<!--
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
<title>TRUSTED-KEYS</title>
<literallayout>
trusted-keys {
- <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
+ <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
<title>MANAGED-KEYS</title>
<literallayout>
managed-keys {
- <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
+ <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
</refsect1>
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
+ clients { <replaceable>acl</replaceable>; };
+ exclude { <replaceable>acl</replaceable>; };
+ mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
+
+ cookie-algorithm ( <replaceable>aes</replaceable> | <replaceable>sha1</replaceable> | <replaceable>sha256</replaceable> );
+ cookie-secret <replaceable>string</replaceable>;
+ require-server-cookie <replaceable>boolean</replaceable>;
+ send-cookie <replaceable>boolean</replaceable>;
+ nocookie-udp-size <replaceable>integer</replaceable>;
+
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
dns64-server <replaceable>string</replaceable>;
dns64-contact <replaceable>string</replaceable>;
dns64 <replaceable>prefix</replaceable> {
- clients { <replacable>acl</replacable>; };
- exclude { <replacable>acl</replacable>; };
- mapped { <replacable>acl</replacable>; };
+ clients { <replaceable>acl</replaceable>; };
+ exclude { <replaceable>acl</replaceable>; };
+ mapped { <replaceable>acl</replaceable>; };
break-dnssec <replaceable>boolean</replaceable>;
recursive-only <replaceable>boolean</replaceable>;
suffix <replaceable>ipv6_address</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
+ require-server-cookie <replaceable>boolean</replaceable>;
+ send-cookie <replaceable>boolean</replaceable>;
+ nocookie-udp-size <replaceable>integer</replaceable>;
+
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
- krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+ krb5-self | ms-self | krb5-subdomain | ms-subdomain |
tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
<replaceable>rrtypelist</replaceable>;
<optional>...</optional>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
- <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
goto cleanup;
}
}
- } else if (!TCP(client) && WANTCOOKIE(client) && !HAVECOOKIE(client)) {
+ } else if (!TCP(client) && client->view->requireservercookie &&
+ WANTCOOKIE(client) && !HAVECOOKIE(client)) {
client->message->rcode = dns_rcode_badcookie;
goto cleanup;
}
INSIST(result == ISC_R_SUCCESS);
view->sendcookie = cfg_obj_asboolean(obj);
+ obj = NULL;
+ result = ns_config_get(maps, "require-server-cookie", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->requireservercookie = cfg_obj_asboolean(obj);
+
obj = NULL;
result = ns_config_get(maps, "max-clients-per-query", &obj);
INSIST(result == ISC_R_SUCCESS);
--- /dev/null
+/*
+ * Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3 dscp 1;
+ notify-source 10.53.0.3 dscp 2;
+ transfer-source 10.53.0.3 dscp 3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ acache-enable yes;
+ deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+ except-from { "example.org"; };
+ deny-answer-aliases { "example.org"; }
+ except-from { "goodcname.example.net";
+ "gooddname.example.net"; };
+ allow-query {!10.53.0.8; any; };
+ send-cookie yes;
+ nocookie-udp-size 512;
+ require-server-cookie yes;
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
--- /dev/null
+; Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hint,v 1.7 2007/06/19 23:47:05 tbox Exp $
+
+$TTL 999999
+. IN NS a.root-servers.nil.
+a.root-servers.nil. IN A 10.53.0.2
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:checking require-server-cookie default (no) ($n)"
+ret=0
+$DIG +qr +cookie +nobadcookie soa @10.53.0.1 -p 5300 > dig.out.test$n
+grep BADCOOKIE dig.out.test$n > /dev/null && ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking require-server-cookie yes ($n)"
+ret=0
+$DIG +qr +cookie +nobadcookie soa @10.53.0.3 -p 5300 > dig.out.test$n
+grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+
echo "I:exit status: $status"
exit $status
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
<optional> send-cookie <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> require-server-cookie <replaceable>yes_or_no</replaceable>; </optional>
<optional> cookie-algorithm <replaceable>secret_string</replaceable>; </optional>
<optional> cookie-secret <replaceable>secret_string</replaceable>; </optional>
<optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
</varlistentry>
<varlistentry>
- <term><command>request-sit</command></term>
+ <term><command>request-sit</command></term>
<para>
This experimental option is obsolete.
</para>
</varlistentry>
+ <varlistentry>
+ <term><command>require-server-cookie</command></term>
+ <para>
+ Require a valid server cookie before sending a full
+ response to a UDP request from a cookie aware client.
+ BADCOOKIE is sent if there is a bad or no existent
+ server cookie.
+ </para>
+ </varlistentry>
+
<varlistentry>
<term><command>send-cookie</command></term>
<listitem>
<listitem>
<para>
This experimental option is obsolete.
- </para>
+ </para>
</listitem>
</varlistentry>
will not be accepted, and for each incoming request
a previous pending request will also be dropped.
</para>
- <para>
- A "soft quota" is also set. When this lower
+ <para>
+ A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
for each one, a pending request will be dropped.
- If <option>recursive-clients</option> is greater than
- 1000, the soft quota is set to
- <option>recursive-clients</option> minus 100;
- otherwise it is set to 90% of
- <option>recursive-clients</option>.
- </para>
+ If <option>recursive-clients</option> is greater than
+ 1000, the soft quota is set to
+ <option>recursive-clients</option> minus 100;
+ otherwise it is set to 90% of
+ <option>recursive-clients</option>.
+ </para>
</listitem>
</varlistentry>
<listitem>
<para>
The maximum number of simultaneous iterative
- queries that the server will allow to be sent to
- a single upstream name server before blocking
- additional queries.
+ queries that the server will allow to be sent to
+ a single upstream name server before blocking
+ additional queries.
This value should reflect how many fetches would
normally be sent to any one server in the time it
would take to resolve them. It should be smaller
- than <option>recursive-clients</option>.
+ than <option>recursive-clients</option>.
</para>
<para>
Optionally, this value may be followed by the keyword
>http://127.0.0.1:8888/json/v1/tasks</ulink>
(task manager statistics), and
<ulink url="http://127.0.0.1:8888/json/v1/traffic"
- >http://127.0.0.1:8888/json/v1/traffic</ulink>
+ >http://127.0.0.1:8888/json/v1/traffic</ulink>
(traffic sizes).
</para>
</sect2>
when parsing certain malformed DNSSEC keys.
</para>
<para>
- This flaw was discovered by Hanno Böck of the Fuzzing
+ This flaw was discovered by Hanno B–ck of the Fuzzing
Project, and is disclosed in CVE-2015-5722. [RT #40212]
</para>
</listitem>
<listitem>
<para>
The experimental SIT option (code point 65001) of BIND
- 9.10.0 through BIND 9.10.2 has be replace the COOKIE
- option (code point 10) and is no longer experimental and
- is sent by default.
+ 9.10.0 through BIND 9.10.2 has been replaced with the COOKIE
+ option (code point 10). It is no longer experimental, and
+ is sent by default, by both <command>named</command> and
+ <command>dig</command>.
</para>
<para>
- The SIT related named.conf options have been marked as
- obsolete and are otherwise ignored.
+ The SIT-related named.conf options have been marked as
+ obsolete, and are otherwise ignored.
</para>
</listitem>
<listitem>
<para>
- When retrying a query via TCP due to the first answer
- being truncated, <command>dig</command> will now correctly
- send the Server COOKIE returned by the server in the prior
- response. [RT #39047]
+ When <command>dig</command> receives a truncated (TC=1)
+ response or a BADCOOKIE response code from a server, it
+ will automatically retry the query using the server COOKIE
+ that was returned by the server in its initial response.
+ [RT #39047]
</para>
</listitem>
<listitem>
isc_boolean_t enablednssec;
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
+ isc_boolean_t requireservercookie;
dns_transfer_format_t transfer_format;
dns_acl_t * cacheacl;
dns_acl_t * cacheonacl;
dns_fixedname_init(&view->redirectfixed);
view->requestnsid = ISC_FALSE;
view->sendcookie = ISC_TRUE;
+ view->requireservercookie = ISC_FALSE;
view->new_zone_file = NULL;
view->new_zone_config = NULL;
view->cfg_destroy = NULL;
{ "recursion", &cfg_type_boolean, 0 },
{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "request-nsid", &cfg_type_boolean, 0 },
+ { "require-server-cookie", &cfg_type_boolean, 0 },
{ "resolver-query-timeout", &cfg_type_uint32, 0 },
{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },