Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Downstream DNS Server Cookies a la RFC7873 and RFC9018 #762

Merged
merged 25 commits into from Aug 17, 2023
Merged

Downstream DNS Server Cookies a la RFC7873 and RFC9018 #762

merged 25 commits into from Aug 17, 2023

Conversation

wtoorop
Copy link
Member

@wtoorop wtoorop commented Sep 28, 2022
edited

Create server cookies for clients that send client cookies.
This needs to be explicitly turned on in the config file with:

	answer-cookie: yes

A cookie-secret: can be configured for anycast setups. Without one, a random cookie secret is generated.

This PR also adds an access control list policy allow_cookie that allows queries with either a valid cookie or over a stateful transport.

  • TODO: Rolling cookie-secrets

This PR replaces #322

@wtoorop
extended_error_encode() for extended errors
71f23ef
@wtoorop
Downstream DNS Cookies a la RFC7873 and RFC9018
75f3fbd 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
@wtoorop
The generated lexer and parser sources for configuring cookies
bd2c202
@wtoorop wtoorop mentioned this pull request Sep 28, 2022
Closed
@gthess gthess added this to the 1.18.0 milestone Mar 17, 2023
gthess added 18 commits June 14, 2023 16:41
@gthess
- For #762: fix compiler C90 warning.
b02f9be
@gthess
- For #762: More generic integration for siphash.c
1cd75cc
@gthess
- For #762: relocate edns_opt_list_append_keepalive.
47cf44c
@gthess
- For #762: please doxygen.
f1537e2
@gthess
- For #762: relocate RFC 1982 serial number arithmetic functions to t…
5b55a46 
…heir own

  file in util/rfc_1982.[ch].
@gthess
- For #762: Ignore util/siphash.c for the 01-doc test.
00a08be
@gthess
- For #762: remove relocated code.
6e47c1e
@gthess
- For #762: relocate EDNS cookie code to util/edns and introduce unit
702f485 
  tests.
@gthess
- For #762: Formatting.
b6e2f4d
@gthess
- For #762: Introduce rpl testing for DNS Cookies.
8580a74
@gthess
- For #762: Cleaner manpage text and uniform use of the term DNS
fbc0256 
  Cookies.
@gthess
- For #762: remove uneeded include.
9025be8
@gthess
Merge branch 'master' into features/downstream-cookies
4ccb613
@gthess
- For #762: annotate case statement fallthrough for gcc.
025d810
@gthess
- For #762: Remove re-introduced files from merge (configlexer.c, con…
02ac374 
…figparser.c, configparser.h).
@gthess
- For #762: Silence maybe-uninitialized compiler warning.
81e2198
@gthess
- For #762: Interaction between DNS Cookies and source IP ratelimiting
49e4258 
  by allowing Cookies to bypass the ratelimit, but still allowing
  ratelimit to valid DNS Cookie clients via the new
  ip-ratelimit-cookie option.
@gthess
- For #762: Introduce stat counters for downstream DNS Cookies per
bab5ad6 
  thread and total: num.queries_cookie_valid, num.queries_cookie_client,
  num.queries.cookie_invalid.
@gthess gthess removed request for TCY16 and gthess August 8, 2023 13:49
@gthess gthess self-assigned this Aug 8, 2023
@gthess
Copy link
Member

gthess commented Aug 8, 2023

@wcawijngaards, with the recent changes for refactoring, unit/rpl/tdir tests, cookie/ip_ratelimiting interaction and new stat counters for queries with cookies, I believe this is ready for merging after your final review :)

@wcawijngaards
- Fix possibly unaligned memory access.
2b1028b
@wcawijngaards
- Fix possibly unaligned memory access.
b1c707e
@wcawijngaards
- Fix out of bounds read in parse_edns_options_from_query, it would read
1c85901 
  8 bytes after a client option of length 8, and then ignore them to
  recreate a 24 byte response. The fixup does not read out of bounds,
  and puts zeroes in the buffer at that point, that then are ignored.
wcawijngaards
wcawijngaards approved these changes Aug 16, 2023
View reviewed changes
Copy link
Member

@wcawijngaards wcawijngaards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the code and committed couple of fixes. Nice to have the additional feature.

@wcawijngaards wcawijngaards merged commit a1c82ac into master Aug 17, 2023
1 check passed
wcawijngaards added a commit that referenced this pull request Aug 17, 2023
@wcawijngaards
Changelog note for #762.
0f5fecd 
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
  RFC9018. Create server cookies for clients that send client cookies.
  This needs to be explicitly turned on in the config file with:
  `answer-cookie: yes`. A `cookie-secret:` can be configured for
  anycast setups. Without one, a random cookie secret is generated.
  The acl option `allow_cookie` allows queries with either a valid
  cookie or over a stateful transport. The statistics output has
  `queries_cookie_valid` and `queries_cookie_client` and
  `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
  value determines a rate limit for queries with cookies, if desired.
@gthess gthess deleted the features/downstream-cookies branch October 2, 2023 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wcawijngaards wcawijngaards wcawijngaards approved these changes

Assignees

@gthess gthess

Labels
None yet
Projects
None yet
Milestone
1.18.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wtoorop @gthess @wcawijngaards