mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- For #762: Cleaner manpage text and uniform use of the term DNS
Cookies.
This commit is contained in:
parent
8580a74b37
commit
fbc0256825
@ -64,9 +64,11 @@ enum acl_access {
|
||||
acl_allow,
|
||||
/** allow full access for all queries, recursion and cache snooping */
|
||||
acl_allow_snoop,
|
||||
/** allow full access for recursion queries and set RD flag regardless of request */
|
||||
/** allow full access for recursion queries and set RD flag regardless
|
||||
* of request */
|
||||
acl_allow_setrd,
|
||||
/** allow full access if valid cookie present or stateful transport */
|
||||
/** allow full access for recursion (+RD) queries if valid cookie
|
||||
* present or stateful transport */
|
||||
acl_allow_cookie
|
||||
};
|
||||
|
||||
|
@ -686,15 +686,15 @@ The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIallow_cookie\fR,
|
||||
\fIdeny_non_local\fR or \fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
The most specific netblock match is used, if none match \fIrefuse\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
The \fIdeny\fR action stops queries from hosts from that netblock.
|
||||
.IP
|
||||
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
|
||||
The \fIrefuse\fR action stops queries too, but sends a DNS rcode REFUSED
|
||||
error message back.
|
||||
.IP
|
||||
The action \fIallow\fR gives access to clients from that netblock.
|
||||
The \fIallow\fR action gives access to clients from that netblock.
|
||||
It gives only access for recursion clients (which is
|
||||
what almost all clients need). Nonrecursive queries are refused.
|
||||
.IP
|
||||
@ -714,20 +714,22 @@ may be useful if another DNS server must forward requests for specific
|
||||
zones to a resolver DNS server, but only supports stub domains and
|
||||
sends queries to the resolver DNS server with the RD bit cleared.
|
||||
.IP
|
||||
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||
The \fIallow_snoop\fR action gives nonrecursive access too. This give
|
||||
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||
to cache snooping, a technique to use nonrecursive queries to examine
|
||||
the cache contents (for malicious acts). However, nonrecursive queries can
|
||||
also be a valuable debugging tool (when you want to examine the cache
|
||||
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||
.IP
|
||||
When the \fBanswer\-cookie\fR option is enabled, the \fIallow_cookie\fR action
|
||||
will allow access to UDP queries that contain a valid Server Cookie as
|
||||
specified in RFC 7873 and RFC9018. UDP queries containing only a Client Cookie
|
||||
and no Server Cookie, will receive a BADCOOKIE response including a Server
|
||||
Cookie, allow clients to retry with that Server Cookie. The \fIallow_cookie\fR
|
||||
will also accept requests over statefull transports, regardless of the precence
|
||||
of a Cookie and regardless the \fBanswer\-cookie\fR setting.
|
||||
The \fIallow_cookie\fR action allows access to UDP queries that contain a
|
||||
valid DNS Cookie as specified in RFC 7873 and RFC 9018, when the
|
||||
\fBanswer\-cookie\fR option is enabled.
|
||||
UDP queries containing only a DNS Client Cookie and no Server Cookie, or an
|
||||
invalid DNS Cookie, will receive a BADCOOKIE response including a newly
|
||||
generated DNS Cookie, allowing clients to retry with that DNS Cookie.
|
||||
The \fIallow_cookie\fR action will also accept requests over stateful
|
||||
transports, regardless of the presence of an DNS Cookie and regardless of the
|
||||
\fBanswer\-cookie\fR setting.
|
||||
.IP
|
||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||
@ -1844,14 +1846,17 @@ use the fastest specified number of servers with the fast\-server\-permil
|
||||
option, that turns this on or off. The default is to use the fastest 3 servers.
|
||||
.TP 5
|
||||
.B answer\-cookie: \fI<yes or no>
|
||||
Enable to answer to requests containig DNS Cookies as specified in RFC7873 and
|
||||
RFC9018. Default is no.
|
||||
If enabled, Unbound will answer to requests containing DNS Cookies as
|
||||
specified in RFC 7873 and RFC 9018.
|
||||
Default is no.
|
||||
.TP 5
|
||||
.B cookie\-secret: \fI<128 bit hex string>
|
||||
Server's in an Anycast deployment need to be able to verify each other's
|
||||
Server Cookies. For this they need to share the secret used to construct
|
||||
and verify the Server Cookies.
|
||||
Server's secret for DNS Cookie generation.
|
||||
Useful to explicitly set for servers in an anycast deployment that need to
|
||||
share the secret in order to verify each other's Server Cookies.
|
||||
An example hex string would be "000102030405060708090a0b0c0d0e0f".
|
||||
Default is a 128 bits random secret generated at startup time.
|
||||
.TP 5
|
||||
.B edns\-client\-string: \fI<IP netblock> <string>
|
||||
Include an EDNS0 option containing configured ascii string in queries with
|
||||
destination address matching the configured IP netblock. This configuration
|
||||
|
@ -954,7 +954,7 @@ extract_ede(uint8_t* pkt, size_t len)
|
||||
return sldns_read_uint16(buf);
|
||||
}
|
||||
|
||||
/** Snips the EDNS Cookie option out of the OPT record and puts it in the
|
||||
/** Snips the DNS Cookie option out of the OPT record and puts it in the
|
||||
* provided cookie buffer (should be at least 24 octets).
|
||||
* Returns the length of the cookie if found, else -1. */
|
||||
static int
|
||||
@ -1566,17 +1566,17 @@ find_match(struct entry* entries, uint8_t* query_pkt, size_t len,
|
||||
int cookie_len = extract_cookie(query_pkt, len,
|
||||
cookie);
|
||||
if(cookie_len == -1) {
|
||||
verbose(3, "bad EDNS Cookie. "
|
||||
verbose(3, "bad DNS Cookie. "
|
||||
"Expected but not found\n");
|
||||
continue;
|
||||
} else if(p->match_client_cookie &&
|
||||
cookie_len != 8) {
|
||||
verbose(3, "bad EDNS Cookie. Expected client "
|
||||
verbose(3, "bad DNS Cookie. Expected client "
|
||||
"cookie of length 8.");
|
||||
continue;
|
||||
} else if((p->match_server_cookie) &&
|
||||
cookie_len != 24) {
|
||||
verbose(3, "bad EDNS Cookie. Expected server "
|
||||
verbose(3, "bad DNS Cookie. Expected server "
|
||||
"cookie of length 24.");
|
||||
continue;
|
||||
}
|
||||
|
@ -64,13 +64,13 @@ struct sldns_file_parse_state;
|
||||
; 'ede=any' makes the query match any EDNS EDE info-code.
|
||||
; It also snips the EDE record out of the packet to facilitate
|
||||
; other matches.
|
||||
; 'client_cookie' makes the query match any EDNS Cookie option with
|
||||
; 'client_cookie' makes the query match any DNS Cookie option with
|
||||
; with a length of 8 octets.
|
||||
; It also snips the EDNS Cookie record out of the packet to
|
||||
; It also snips the DNS Cookie record out of the packet to
|
||||
; facilitate other matches.
|
||||
; 'server_cookie' makes the query match any EDNS Cookie option with
|
||||
; 'server_cookie' makes the query match any DNS Cookie option with
|
||||
; with a length of 24 octets.
|
||||
; It also snips the EDNS Cookie record out of the packet to
|
||||
; It also snips the DNS Cookie record out of the packet to
|
||||
; facilitate other matches.
|
||||
MATCH [opcode] [qtype] [qname] [serial=<value>] [all] [ttl]
|
||||
MATCH [UDP|TCP] DO
|
||||
@ -222,9 +222,9 @@ struct entry {
|
||||
uint8_t match_noedns;
|
||||
/** match edns data field given in hex */
|
||||
uint8_t match_ednsdata_raw;
|
||||
/** match an EDNS cookie of length 8 */
|
||||
/** match an DNS cookie of length 8 */
|
||||
uint8_t match_client_cookie;
|
||||
/** match an EDNS cookie of length 24 */
|
||||
/** match an DNS cookie of length 24 */
|
||||
uint8_t match_server_cookie;
|
||||
/** match query serial with this value. */
|
||||
uint32_t ixfr_soa_serial;
|
||||
|
@ -716,11 +716,11 @@ edns_cookie_rfc9018_a1(void)
|
||||
unit_assert(memcmp(server_cookie, buf, 24) == 0);
|
||||
}
|
||||
|
||||
/** test interoperable EDNS cookies (RFC9018) */
|
||||
/** test interoperable DNS cookies (RFC9018) */
|
||||
static void
|
||||
edns_cookie_test(void)
|
||||
{
|
||||
unit_show_feature("interoperable edns cookies");
|
||||
unit_show_feature("interoperable dns cookies");
|
||||
/* Check RFC9018 appendix test vectors */
|
||||
edns_cookie_rfc9018_a1();
|
||||
edns_cookie_rfc9018_a2();
|
||||
|
2
testdata/edns_downstream_cookies.rpl
vendored
2
testdata/edns_downstream_cookies.rpl
vendored
@ -8,7 +8,7 @@ server:
|
||||
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test downstream EDNS Cookies
|
||||
SCENARIO_BEGIN Test downstream DNS Cookies
|
||||
|
||||
; Note: When a valid hash was required, it was generated by running this test
|
||||
; with an invalid one and checking the output for the valid one.
|
||||
|
@ -89,7 +89,7 @@ struct config_parser_state* cfg_parser = 0;
|
||||
static void init_outgoing_availports(int* array, int num);
|
||||
|
||||
/** init cookie with random data */
|
||||
static void init_cookie_secret(uint8_t* cookie_secret,size_t cookie_secret_len);
|
||||
static void init_cookie_secret(uint8_t* cookie_secret, size_t cookie_secret_len);
|
||||
|
||||
struct config_file*
|
||||
config_create(void)
|
||||
|
@ -3722,8 +3722,8 @@ server_cookie_secret: VAR_COOKIE_SECRET STRING_ARG
|
||||
size_t secret_len = sizeof(secret);
|
||||
|
||||
OUTYY(("P(server_cookie_secret:%s)\n", $2));
|
||||
if (sldns_str2wire_hex_buf($2, secret, &secret_len)
|
||||
|| ( secret_len != 16))
|
||||
if(sldns_str2wire_hex_buf($2, secret, &secret_len)
|
||||
|| (secret_len != 16))
|
||||
yyerror("expected 128 bit hex string");
|
||||
else {
|
||||
cfg_parser->cfg->cookie_secret_len = secret_len;
|
||||
|
@ -107,7 +107,7 @@ edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
|
||||
socklen_t addrlen);
|
||||
|
||||
/**
|
||||
* Compute the interoperable EDNS cookie (RFC9018) hash.
|
||||
* Compute the interoperable DNS cookie (RFC9018) hash.
|
||||
* @param in: buffer input for the hash generation. It needs to be:
|
||||
* Client Cookie | Version | Reserved | Timestamp | Client-IP
|
||||
* @param secret: the server secret; implicit length of 16 octets.
|
||||
@ -119,7 +119,7 @@ uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret,
|
||||
int v4, uint8_t* hash);
|
||||
|
||||
/**
|
||||
* Write an interoperable EDNS server cookie (RFC9018).
|
||||
* Write an interoperable DNS server cookie (RFC9018).
|
||||
* @param buf: buffer to write to. It should have a size of at least 32 octets
|
||||
* as it doubles as the output buffer and the hash input buffer.
|
||||
* The first 8 octets are expected to be the Client Cookie and will be
|
||||
@ -140,7 +140,7 @@ void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,
|
||||
uint32_t timestamp);
|
||||
|
||||
/**
|
||||
* Validate an interoperable EDNS cookie (RFC9018).
|
||||
* Validate an interoperable DNS cookie (RFC9018).
|
||||
* @param cookie: pointer to the cookie data.
|
||||
* @param cookie_len: the length of the cookie data.
|
||||
* @param secret: pointer to the server secret.
|
||||
|
Loading…
Reference in New Issue
Block a user