
Cookie secret file #1090

Merged
merged 8 commits into from
Aug 2, 2024

Conversation

wcawijngaards (Member)

This creates a new option to store the cookies in a file and manage them with remote control.

The `cookie-secret-file: "unbound_cookiesecrets.txt"` option can be used with the unbound-control `add_cookie_secret`, `drop_cookie_secret`, `activate_cookie_secret` and `print_cookie_secrets` commands. Code has been used from the NSD implementation of it.

This fixes #1088.
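The rollover sequence these commands support, written out as an added shell example; this is not code from PR #1090 or from the Unbound project. It assumes, following the NSD implementation the description says was reused, that the argument to `add_cookie_secret` is a 128-bit secret written as 32 hex characters, that `add_cookie_secret` installs a staging secret, that `activate_cookie_secret` swaps staging and active, and that `drop_cookie_secret` removes the staging secret. The `UNBOUND_CONTROL`, `DRY_RUN` and `ROLLOVER_WAIT` variables and the `is_cookie_secret`, `new_cookie_secret`, `ctl` and `cookie_rollover` functions are introduced here. The security point is the ordering: the old secret stays valid (first as active, then as staging) until clients have had time to obtain cookies under the new one, so a rollover does not invalidate outstanding cookies all at once.

```shell
#!/bin/sh
# Added illustration of an EDNS COOKIE secret rollover with unbound-control.
# Not part of PR #1090. Assumptions (from the NSD implementation the PR says
# it reuses): the secret is 32 hex characters (128 bits); add_cookie_secret
# stages it, activate_cookie_secret swaps staging and active,
# drop_cookie_secret removes the staging secret.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = execute them
ROLLOVER_WAIT="${ROLLOVER_WAIT:-86400}"  # assumed grace period (seconds) before dropping the old secret

# is_cookie_secret SECRET: succeed only for exactly 32 hexadecimal characters.
is_cookie_secret() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# new_cookie_secret: 16 random bytes from /dev/urandom as 32 hex characters.
new_cookie_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# ctl ARGS...: one unbound-control invocation, printed in dry-run mode.
ctl() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$UNBOUND_CONTROL $*"
    else
        "$UNBOUND_CONTROL" "$@"
    fi
}

# cookie_rollover SECRET: roll from the current active secret to SECRET.
# Fails without issuing any command if SECRET is malformed.
cookie_rollover() {
    secret="$1"
    if ! is_cookie_secret "$secret"; then
        echo "refusing rollover: secret must be 32 hex characters" >&2
        return 1
    fi
    ctl add_cookie_secret "$secret"   # 1. new secret staged; cookies from the old one still validate
    ctl activate_cookie_secret        # 2. new secret issues cookies; old one becomes staging
    [ "$DRY_RUN" = 1 ] || sleep "$ROLLOVER_WAIT"  # 3. let clients refresh their cookies
    ctl drop_cookie_secret            # 4. retire the old (staging) secret
    ctl print_cookie_secrets          # 5. confirm which secrets are in use
}

# Example run (dry-run by default): cookie_rollover "$(new_cookie_secret)"
```

Run it with `DRY_RUN=0` on a host where `unbound-control` is configured to actually apply the steps; the default only prints the commands so the sequence can be reviewed first.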

@wcawijngaards wcawijngaards self-assigned this Jun 14, 2024
@gthess gthess added this to the 1.21.0 milestone Jun 26, 2024
@gthess gthess (Member) left a review

Looks good!
Just a question about writing to file.
Some changes for the test and some documentation edits will follow in a PR; that's why the "request changes" status.

Review comment on daemon/remote.c (resolved)

@gthess (Member) commented Aug 1, 2024

If the attached PR (#1116) is merged here, then a squash and merge of this back to master should do it.

@wcawijngaards wcawijngaards merged commit ad21dbd into master Aug 2, 2024
1 check passed
wcawijngaards added a commit that referenced this pull request Aug 2, 2024
- Merge #1090: Cookie secret file. Adds
  `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
  cookie secrets for EDNS COOKIE secret rollover. The remote control
  add_cookie_secret, activate_cookie_secret and drop_cookie_secret
  commands can be used for rollover, the command print_cookie_secrets
  shows the values in use.
@wcawijngaards (Member, Author)

Thank you for the review! Added the changes and squashed and merged it into the repo.

@gthess gthess deleted the cookie-secret-file branch August 2, 2024 15:38
jedisct1 added a commit to jedisct1/unbound that referenced this pull request Aug 17, 2024
* nlnet/master: (66 commits)
  - Tag for release 1.21.0, the repository continues with 1.21.1 in development.
  - Fix spelling for the cache-min-negative-ttl entry in the example.conf.
  - Fix that for windows the module startup is called and sets up the module-config.
  - Set version number to 1.21.0 for release.
  - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University).
  - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
  - Fix that alloc stats for forwards and hints are printed, and when alloc stats is enabled, the unit test for unbound control waits for reloads to complete.
  Changelog note for NLnetLabs#1090 - Merge NLnetLabs#1090: Cookie secret file. Adds `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use.
  Cookie secret file (NLnetLabs#1090)
  Update changelog. - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix that alloc stats has strdup checks, it stops debuggers from complaining about mismatch at free time.
  - Fix that the worker mem report with alloc stats does not attempt to print memory use of forwards and hints if they have been deleted already.
  - Fix dnstap test program, cleans up to have clean memory on exit, for tap_data_free, does not delete NULL items. Also it does not try to free the tail, specifically in the free of the list since that picked up the next item in the list for its loop causing invalid free. Added internal unit test to unbound-dnstap-socket for that.
  - Fix for NLnetLabs#1114: Fix that cache fill for forward-host names is performed, so that with nonzero target-fetch-policy it fetches forwarder addresses and uses them from cache. Also updated that delegation point cache fill routines use CDflag for AAAA message lookups, so that its negative lookup stops a recursion since the cache uses the bit for disambiguation for dns64 but the recursion uses CDflag for the AAAA target lookups, so the check correctly stops a useless recursion by its cache lookup.
  - Fix to document parameters of auth_zone_verify_zonemd_with_key.
  - Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with `unbound-anchor -l`.
  - For NLnetLabs#935 and NLnetLabs#1104, clarify RPZ order and semantics.
  - Cleanup ede.tdir test.
  - Fix link of unbound-dnstap-socket without openssl.
  ...
Linked issue closed by this pull request: RFC 9018 compliance (cookie secret rollover)

2 participants