worker, repinfo, acladdr, ede, check_result);
}
-/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
- * else 0 */
-static int
-pre_edns_ip_ratelimit_check(enum acl_access acl)
-{
- if(acl == acl_allow_cookie) return 0;
- return 1;
-}
-
/* Check if the query is blocked by source IP rate limiting.
* Returns 1 if it passes the check, 0 otherwise. */
static int
}
worker->stats.num_queries++;
- pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
+ pre_edns_ip_ratelimit = !worker->env.cfg->do_answer_cookie
+ || sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE
+ || LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) == 0;
/* If the IP rate limiting check needs extra EDNS information (e.g.,
* DNS Cookies) postpone the check until after EDNS is parsed. */
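Review bot: The `LDNS_ARCOUNT(...) == 0` test on the third added line is only a hint that an OPT record (and so a cookie) may be present, so any UDP sender can set a non-zero ARCOUNT on a cookie-less query and push it onto the deferred path; that is acceptable only if the post-EDNS rate-limit check is guaranteed to run for every deferred query, which is not visible in this hunk, and the comment should say so explicitly, e.g. `/* ARCOUNT != 0 is a cheap hint that an OPT/cookie may follow; it defers the ip-ratelimit check, never skips it. */`. The `sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE` guard before the header read is correct and worth keeping in that order, since the `||` short-circuit is what makes the ARCOUNT access safe. As a matter of style, the three-term expression replacing `pre_edns_ip_ratelimit_check()` would read better as a small `static int` helper taking `worker` and `c`, keeping the same name the commit removes. The enclosing function begins outside this hunk.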
also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
-The \fIallow_cookie\fR action allows access to UDP queries that contain a
+The \fIallow_cookie\fR action allows access only to UDP queries that contain a
valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
\fBanswer\-cookie\fR option is enabled.
UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
The \fIallow_cookie\fR action will also accept requests over stateful
transports, regardless of the presence of an DNS Cookie and regardless of the
\fBanswer\-cookie\fR setting.
-If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
-ratelimit.
-If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
-can be used instead.
+UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set,
+that may trigger fall back to TCP for those clients.
.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
completely dropped and will not receive a reply, SERVFAIL or otherwise.
IP ratelimiting happens before looking in the cache. This may be useful for
mitigating amplification attacks.
+Clients with a valid DNS Cookie will bypass the ratelimit.
+If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
+can be used instead.
Default is 0 (disabled).
.TP 5
.B ip\-ratelimit\-cookie: \fI<number or 0>