Message-ID: <47f2035d-c3d9-cb05-5fa9-e719e322fa5a@isc.org>
Date: Fri, 19 Jan 2018 07:36:42 +0000
To: bind9-public@isc.org
References: <20180108182629.GA16112@jurassic> <20180118035440.GA29430@jurassic>
Subject: Re: [ISC-Bugs #46966] Don't re-use nonce when processing multiple rndc requests on same connection
From: "Ray Bellis"

On 18/01/2018 23:06, Mark Andrews via RT wrote:
> We do not need to change the session nonce. A simple sequence number
> will prevent replay insertion into the stream and we have that in
> “_ser” which rndc increases on every transaction. The server is
> already looking for replays and rejects them.

AFAICS that's only happening in the code that's commented as being necessary for UDP packet duplication, which is what raised this discussion in the first place since we don't use UDP for RNDC.

If that code is *not* just for UDP, could the comments please be fixed?
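The replay check Mark describes, a per-connection nonce plus a strictly increasing per-transaction serial, can be modelled in a few lines. The block below is an added example, not BIND's or rndc's code and not the wire format rndc actually uses: the message layout (a JSON body with `_nonce`, `_ser` and `type` fields), the HMAC-SHA256 authenticator, the shared key and the exchange itself are all constructed here for illustration. Only `_ser` is named in the thread; `_nonce` and the rest are assumptions. The `check_ser` switch exists purely to show what a replay on the same connection looks like when the serial is not tracked.

```python
import hashlib
import hmac
import json
import os

# Constructed shared secret for the demo; not a real rndc key.
SHARED_KEY = b"constructed-demo-control-key"


def authenticator(key, payload):
    """HMAC over the serialised message body (algorithm assumed for the demo)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_request(key, nonce, ser, command):
    """Client side: bind the command to the session nonce and a serial, then MAC it."""
    body = {"_nonce": nonce, "_ser": ser, "type": command}   # field names assumed
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "mac": authenticator(key, payload)}


class ControlSession:
    """Server-side state for one control connection (constructed model)."""

    def __init__(self, key, check_ser=True):
        self.key = key
        self.nonce = os.urandom(8).hex()   # one nonce per connection, reused for every request on it
        self.last_ser = None               # highest serial accepted so far on this connection
        self.check_ser = check_ser

    def handle(self, msg):
        # 1. Authenticate before trusting any field of the body.
        expected = authenticator(self.key, msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad MAC"
        body = json.loads(msg["payload"])
        # 2. The nonce ties the message to this connection, not to a position in it.
        if body.get("_nonce") != self.nonce:
            return "rejected: wrong nonce"
        # 3. The serial must strictly increase; an equal or lower value is a replay.
        ser = body.get("_ser")
        if self.check_ser and self.last_ser is not None and ser <= self.last_ser:
            return "rejected: replay (_ser %d not > %d)" % (ser, self.last_ser)
        self.last_ser = ser
        return "ok: " + body["type"]


def run_exchange(check_ser=True):
    """Two legitimate requests, a replay of the first, and a forgery with a fresh serial."""
    server = ControlSession(SHARED_KEY, check_ser=check_ser)
    nonce = server.nonce   # assume the client learned the nonce in the opening exchange
    first = build_request(SHARED_KEY, nonce, 1, "status")
    second = build_request(SHARED_KEY, nonce, 2, "reload")
    results = [server.handle(first), server.handle(second)]
    # Attacker re-injects the captured first message on the same connection:
    # the nonce still matches, only the serial gives it away.
    results.append(server.handle(first))
    # Attacker without the key picks an unused serial; the MAC check stops it.
    forged = build_request(b"wrong-key", nonce, 3, "stop")
    results.append(server.handle(forged))
    return results


if __name__ == "__main__":
    for line in run_exchange():
        print(line)
    print("without serial tracking, the replay is accepted:", run_exchange(check_ser=False)[2])
```

With the serial check on, the replayed message is rejected even though the nonce is unchanged, which is the case Mark makes; with it off, the same replay is accepted, which is the risk the original report is about.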