The idea is that this provides an extra layer of protection against spoofing.
To quote from the docs:
This adds an extra layer of protection---as it limits the window of time cache updates are accepted---at the cost of a less efficient record cache.
The default value of 0 means no extra locking occurs.
When non-zero, record sets received (e.g. in the Additional Section) will not replace existing record sets in the record cache until the given percentage of the original TTL has expired.
A value of 100 means only expired record sets will be replaced.
There are a few cases where records will be replaced anyway:
- Record sets that are expired will always be replaced.
- If the new record set passed DNSSEC validation it will replace an existing entry.
- Record sets produced by refresh-on-ttl-perc tasks will also replace existing record sets.
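The replacement rules quoted above, modelled as an added example (not the resolver's own code). The names `CachedRRSet`, `may_replace`, `replay` and `locked_perc` are hypothetical, the events are constructed, and two points are assumptions: a replacement keeps the same original TTL, and the exact boundary of the lock window counts as unlocked.

```python
from dataclasses import dataclass

@dataclass
class CachedRRSet:
    data: str
    original_ttl: int  # seconds, as received
    stored_at: int     # cache insertion time, seconds

def may_replace(entry, now, locked_perc, dnssec_validated=False, refresh_task=False):
    """Return (decision, reason) for an incoming record set that collides with `entry`."""
    age = now - entry.stored_at
    if locked_perc == 0:
        return True, "locking disabled"
    if age >= entry.original_ttl:
        return True, "existing entry expired"
    if dnssec_validated:
        return True, "new record set passed DNSSEC validation"
    if refresh_task:
        return True, "produced by refresh task"
    # Locked until locked_perc percent of the original TTL has elapsed.
    if age * 100 >= entry.original_ttl * locked_perc:
        return True, "lock window elapsed"
    return False, "locked"

def replay(entry, events, locked_perc):
    """Apply (time, data, validated, refresh) events to one cache slot."""
    log = []
    for now, data, validated, refresh in events:
        ok, reason = may_replace(entry, now, locked_perc, validated, refresh)
        if ok:
            # Assumption: the replacement carries the same original TTL.
            entry = CachedRRSet(data, entry.original_ttl, now)
        log.append((now, data, ok, reason))
    return entry, log

# Constructed sample: a 300 s record cached at t=0, then four colliding record sets.
EVENTS = [
    (60, "203.0.113.66", False, False),   # unvalidated, e.g. Additional Section
    (90, "192.0.2.10", True, False),      # DNSSEC-validated
    (250, "203.0.113.66", False, False),  # unvalidated, 160 s after the last store
    (420, "192.0.2.20", False, False),    # unvalidated, late
]

if __name__ == "__main__":
    for perc in (0, 50, 100):
        final, log = replay(CachedRRSet("192.0.2.10", 300, 0), EVENTS, perc)
        print(f"locked_perc={perc}: final={final.data}")
        for now, data, ok, reason in log:
            print(f"  t={now:3d} {data:13s} {'replace' if ok else 'keep':7s} ({reason})")
```

With the percentage at 50, the unvalidated record set at t=250 is accepted because more than half of the TTL has passed since the last store; at 100 it is rejected and only the validated and post-expiry updates get through.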