From 4f9a1b03dc6a84bbbaf0e395f5b5faa49ea47350 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Dec 2020 15:10:32 +1100 Subject: [PATCH 1/3] Add the ability to display the BADCOOKIE message in dig when +badcookie is in effect. --- bin/dig/dig.c | 19 +++++++++++++++---- bin/dig/dig.rst | 5 +++++ bin/dig/dighost.c | 7 +++++++ bin/dig/dighost.h | 6 +++--- doc/man/dig.1in | 5 +++++ 5 files changed, 35 insertions(+), 7 deletions(-) diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 7cec01aba1..0dad0153de 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -282,6 +282,7 @@ help(void) { "short\n" " form of answers - global " "option)\n" + " +[no]showbadcookie (Show BADCOOKIE message)\n" " +[no]showsearch (Search with intermediate " "results)\n" " +[no]split=## (Split hex/base64 fields " @@ -1795,10 +1796,20 @@ plus_option(char *option, bool is_batchfile, bool *need_clone, } break; case 'w': /* showsearch */ - FULLCHECK("showsearch"); - if (!lookup->trace) { - showsearch = state; - usesearch = state; + switch (cmd[4]) { + case 'b': + FULLCHECK("showbadcookie"); + lookup->showbadcookie = state; + break; + case 's': + FULLCHECK("showsearch"); + if (!lookup->trace) { + showsearch = state; + usesearch = state; + } + break; + default: + goto invalid_option; } break; default: diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst index 93c0b26c43..c447eb879d 100644 --- a/bin/dig/dig.rst +++ b/bin/dig/dig.rst @@ -503,6 +503,11 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to form. This option always has a global effect; it cannot be set globally and then overridden on a per-lookup basis. +``+[no]showbadcookie`` + This option toggles whether to show the message containing the + BADCOOKIE rcode before retrying the request or not. The default + is to not show the messages. + ``+[no]showsearch`` This option performs [or does not perform] a search showing intermediate results. diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index b6131e0831..14859ed74c 100644 
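Review bot: In the plus_option hunk of bin/dig/dig.c the label comment on `case 'w': /* showsearch */` is stale now that the case dispatches on `cmd[4]` to two options; `case 'w': /* show* */` would match what the code does. A bare `+show` reaches the new inner switch with `cmd[4]` equal to the string terminator and falls to `default: goto invalid_option`. That looks intended because the prefix is now ambiguous, but it was presumably accepted as an abbreviation of showsearch before (FULLCHECK is defined outside the hunk), so a comment on the default arm such as `/* "+show" alone is ambiguous */` would record the decision. The enclosing switch starts and ends outside the hunk.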
--- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -735,6 +735,8 @@ clone_lookup(dig_lookup_t *lookold, bool servers) { } looknew->https_get = lookold->https_get; looknew->http_plain = lookold->http_plain; + + looknew->showbadcookie = lookold->showbadcookie; looknew->sendcookie = lookold->sendcookie; looknew->seenbadcookie = lookold->seenbadcookie; looknew->badcookie = lookold->badcookie; @@ -3852,6 +3854,11 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region, { process_opt(l, msg); if (msg->cc_ok) { + if (l->showbadcookie) { + dighost_printmessage(query, &b, msg, true); + dighost_received(isc_buffer_usedlength(&b), + &peer, query); + } dighost_comments(l, "BADCOOKIE, retrying%s.", l->seenbadcookie ? " in TCP mode" : ""); diff --git a/bin/dig/dighost.h b/bin/dig/dighost.h index 8da437625b..c02e23d67c 100644 --- a/bin/dig/dighost.h +++ b/bin/dig/dighost.h @@ -120,9 +120,9 @@ struct dig_lookup { section_answer, section_authority, section_question, seenbadcookie, sendcookie, servfail_stops, setqid, /*% use a speciied query ID */ - stats, tcflag, tcp_keepalive, tcp_mode, tcp_mode_set, - tls_mode, /*% connect using TLS */ - trace, /*% dig +trace */ + showbadcookie, stats, tcflag, tcp_keepalive, tcp_mode, + tcp_mode_set, tls_mode, /*% connect using TLS */ + trace, /*% dig +trace */ trace_root, /*% initial query for either +trace or +nssearch */ ttlunits, use_usec, waiting_connect, zflag; char textname[MXNAME]; /*% Name we're going to be looking up */ diff --git a/doc/man/dig.1in b/doc/man/dig.1in index 10d7a44911..3d7b332857 100644 --- a/doc/man/dig.1in +++ b/doc/man/dig.1in 
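Review bot: In the clone_lookup hunk of bin/dig/dighost.c, `showbadcookie` is copied from the old lookup, but no hunk in this series gives the field an initial value where a lookup is first created. If that constructor zero-initialises the whole struct this is fine; if it assigns members one by one, the flag would be read uninitialised in recv_done. It is worth confirming, and if needed adding `looknew->showbadcookie = false;` there. clone_lookup starts and ends outside the hunk.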
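Review bot: In the recv_done hunk the BADCOOKIE response is printed only inside `if (msg->cc_ok)`, so a BADCOOKIE reply that fails that check is not printed by this new code even with +showbadcookie, and the option text added to dig.rst and dig.1in does not mention the restriction. Someone using the option to diagnose cookie problems would want to know that such replies are omitted. Either state it in the option description or add a comment above the new `if`, for example `/* Only shown for replies that passed the client-cookie check. */` (assuming that is what cc_ok records). The enclosing block begins outside the hunk.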
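Review bot: The new `showbadcookie` member in the struct dig_lookup hunk of bin/dig/dighost.h is added without a `/*% ... */` annotation, while neighbouring flags in the same declaration list carry one (`tls_mode, /*% connect using TLS */`, `trace, /*% dig +trace */`). Suggest `showbadcookie, /*% dig +showbadcookie */` so the flag can be traced back to its command-line option. The struct declaration starts and ends outside the hunk.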
@@ -515,6 +515,11 @@ This option toggles whether a terse answer is provided. The default is to print form. This option always has a global effect; it cannot be set globally and then overridden on a per\-lookup basis. .TP +.B \fB+[no]showbadcookie\fP +This option toggles whether to show the message containing the +BADCOOKIE rcode before retrying the request or not. The default +is to not show the messages. +.TP .B \fB+[no]showsearch\fP This option performs [or does not perform] a search showing intermediate results. .TP From 85a639f5fb16ff1cb2b1310e6963d75d92f43d05 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Aug 2021 14:42:44 +1000 Subject: [PATCH 2/3] Test dig +showbadcookie --- bin/tests/system/cookie/tests.sh | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh index 021b3d7566..93b1b44498 100755 --- a/bin/tests/system/cookie/tests.sh +++ b/bin/tests/system/cookie/tests.sh 
@@ -167,6 +167,40 @@ if [ $linecount != 2 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "checking +qr +showbadcookie ($n)" +ret=0 +$DIG $DIGOPTS +qr +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n +noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) +badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) +server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) +good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l) +linecount=`getcookie dig.out.test$n | wc -l` +if [ $noerror != 3 ]; then ret=1; fi +if [ $badcookie != 1 ]; then ret=1; fi +if [ $server != 3 ]; then ret=1; fi +if [ $good != 2 ]; then ret=1; fi +if [ $linecount != 4 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + +echo_i "checking +showbadcookie ($n)" +ret=0 +$DIG $DIGOPTS +cookie +showbadcookie soa @10.53.0.3 > dig.out.test$n +noerror=$(grep "status: NOERROR" dig.out.test$n | wc -l) +badcookie=$(grep "status: BADCOOKIE" dig.out.test$n | wc -l) +server=$(grep "COOKIE: ................................................" dig.out.test$n | wc -l) +good=$(grep "COOKIE: ................................................ (good)" dig.out.test$n | wc -l) +linecount=`getcookie dig.out.test$n | wc -l` +if [ $noerror != 1 ]; then ret=1; fi +if [ $badcookie != 1 ]; then ret=1; fi +if [ $server != 2 ]; then ret=1; fi +if [ $good != 2 ]; then ret=1; fi +if [ $linecount != 2 ]; then ret=1; fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + n=`expr $n + 1` echo_i "checking require-server-cookie yes with rate-limit ($n)" ret=0 From e690b4dfadab0d0f9fddf6c159c0222a63ee6ed7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 17 Aug 2021 14:42:17 +1000 Subject: [PATCH 3/3] Add CHANGES for [GL #2319] --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) 
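Review bot: The expected counts in both new tests are unexplained (`$noerror != 3`, `$server != 3` and `$linecount != 4` in the +qr case, against 1, 2 and 2 without it), so a later change to dig's output will be hard to diagnose from a bare "failed". A short comment above each block would help, for example `# +qr also prints both outgoing queries, each with "status: NOERROR"`; that reading is inferred from the numbers and should be confirmed before it is written down. The counting can be done with `grep -c` instead of `grep ... | wc -l`, and the block mixes backtick and `$(...)` command substitution, so picking one would keep it consistent. The counter increment for the second test sits directly under the first test's `status=` line with the blank line after it rather than before it, which makes the two tests read as one.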
diff --git a/CHANGES b/CHANGES index b8fa5e403e..951e3b68cc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5695. [func] Dig can now display the BADCOOKIE message as part of + processing it (+showbadcookie). [GL #2319] + 5694. [bug] BIND looks up the deepest zone cut in cache in order to iterate a query. When this node is stale, it may bypass QNAME minimization. This has been fixed.