Hi Florian,
Great stuff!
Applied both patches and NSD has been running without crashing since
20:47 CEST.
Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> MASTER
Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> MASTER
Thanx a lot for the quick patches!!
Mischa
On 2021-10-20 18:27, Florian Obser wrote:
On 2021-10-20 18:24 +02, Florian Obser <[email protected]> wrote:
+4.3.8
+================
+FEATURES:
+ - Set default for answer-cookie to no. Because in server deployments
+ with mixed server software, a default of yes causes issues.
sthen and me think that we shouldn't flip-flop between cookie on and
cookie off since we shipped the cookie on default in 7.0.
This is on top of the 4.3.8 diff and reverts that behaviour to cookie
on
as we have in 7.0.
OK?
diff --git nsd.conf.5.in nsd.conf.5.in
index 4ee4b1292f9..9ae376f288c 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
.TP
.B answer\-cookie:\fR <yes or no>
Enable to answer to requests containig DNS Cookies as specified in
RFC7873.
-Default is no.
+Default is yes.
.TP
.B cookie\-secret:\fR <128 bit hex string>
Servers in an anycast deployment need to be able to verify each
other's DNS
diff --git options.c options.c
index 6411959e8c6..d8fe022b412 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
- opt->answer_cookie = 0;
+ opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;
