void AggressiveNSECCache::insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector<std::shared_ptr<RRSIGRecordContent>>& signatures, bool nsec3)
{
+ if (nsec3 && nsec3Disabled()) {
+ return;
+ }
if (signatures.empty()) {
return;
}
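Review bot: The new early return at the top of insertNSEC drops NSEC3 records without explaining why that can happen, and a reader of the .cc file has no clue what nsec3Disabled() keys on; a one-line comment would prevent this being mistaken for a missing-feature stub: `// NSEC3 aggressive caching can be switched off via aggressive-cache-max-nsec3-zone-size (derived prefix budget of 0 bits); nothing to store then.` Placing the gate before the signatures check is fine, since neither branch touches the record. insertNSEC's body continues past the end of the hunk.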
{
}
+ static bool nsec3Disabled()
+ {
+ return s_maxNSEC3CommonPrefix == 0;
+ }
+
void insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector<std::shared_ptr<RRSIGRecordContent>>& signatures, bool nsec3);
bool getDenial(time_t, const DNSName& name, const QType& type, std::vector<DNSRecord>& ret, int& res, const ComboAddress& who, const boost::optional<std::string>& routingTag, bool doDNSSEC, const OptLog& log = std::nullopt);
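Review bot: nsec3Disabled() is undocumented and its name reads like a dedicated switch, while the body tests the derived `s_maxNSEC3CommonPrefix == 0`; from the header alone one cannot tell how that value relates to any setting or why 0 means "off". Add above it: `/// True when no NSEC3 records are to be inserted into the aggressive cache, i.e. the common-prefix budget derived from aggressive-cache-max-nsec3-zone-size is 0 bits (set at startup, read by insertNSEC).` Marking the predicate `[[nodiscard]]` would match the file's const-correct style. The enclosing class body continues on both sides of the hunk.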
The number of records to cache in the aggressive cache. If set to a value greater than 0, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`.
To use this, DNSSEC processing or validation must be enabled by setting `dnssec`_ to ``process``, ``log-fail`` or ``validate``.
+.. _setting-aggressive-cache-max-nsec3-zone-size:
+
+``aggressive-cache-max-nsec3-zone-size``
+----------------------------------------
+
+.. versionadded: 4.9.0
+
+- Integer
+- Default: 1000
+
+The maximum (estimated) zone size (number of names) for which to put NSEC3 entries into the aggressive NSEC cache.
+For large zones the effectiveness of the NSEC3 cache is reduced since the names are replaced by hashes, which are random by nature.
+This setting avoids doing unneccesary work for such large zones.
+A value of 0 means no NSEC3 records will be put into the aggressive cache.
+
.. _setting-allow-from:
``allow-from``
}
}
+ AggressiveNSECCache::s_maxNSEC3CommonPrefix = static_cast<uint8_t>(std::round(std::log2(::arg().asNum("aggressive-cache-max-nsec3-zone-size"))));
+ SLOG(g_log << Logger::Debug << "NSEC3 aggressive cache tuning: aggressive-cache-max-nsec3-zone-size: " << ::arg().asNum("aggressive-cache-max-nsec3-zone-size") << " max common prefix bits: " << std::to_string(AggressiveNSECCache::s_maxNSEC3CommonPrefix) << endl,
+ log->info(Logr::Debug, "NSEC3 aggressive cache tuning", "aggressive-cache-max-nsec3-zone-size", Logging::Loggable(::arg().asNum("aggressive-cache-max-nsec3-zone-size")), "maxCommonPrefixBits", Logging::Loggable(AggressiveNSECCache::s_maxNSEC3CommonPrefix)));
+
{
SuffixMatchNode dontThrottleNames;
vector<string> parts;
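Review bot: The cast on the s_maxNSEC3CommonPrefix line is undefined behaviour for exactly the value the documentation advertises as "disabled": `std::log2(0)` is -inf and a negative setting yields NaN, and `static_cast<uint8_t>` of either is UB rather than the 0 that nsec3Disabled() compares against, so whether 0 really turns NSEC3 caching off depends on the compiler and optimisation level. Read the setting once and clamp before converting: `const auto maxZoneSize = ::arg().asNum("aggressive-cache-max-nsec3-zone-size");` / `AggressiveNSECCache::s_maxNSEC3CommonPrefix = maxZoneSize > 0 ? static_cast<uint8_t>(std::round(std::log2(maxZoneSize))) : 0;` and reuse maxZoneSize in the two log statements instead of re-parsing the argument. Note also that a setting of 1 rounds to 0 bits and therefore disables NSEC3 caching as well, which the documentation does not say; if that is unintended, decide "disabled" on the raw setting rather than on the derived prefix length. This hunk sits in the middle of a function whose start and end lie outside it.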
::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors") = "no";
::arg().set("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC processing or validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198") = "100000";
+ ::arg().set("aggressive-cache-max-nsec3-zone-size", "The maximum estimated size of a zone to store NSEC3 records into the aggressive cache") = "2000";
::arg().set("edns-padding-from", "List of netmasks (proxy IP in case of proxy-protocol presence, client IP otherwise) for which EDNS padding will be enabled in responses, provided that 'edns-padding-mode' applies") = "";
::arg().set("edns-padding-mode", "Whether to add EDNS padding to all responses ('always') or only to responses for queries containing the EDNS padding option ('padded-queries-only', the default). In both modes, padding will only be added to responses for queries coming from `edns-padding-from`_ sources") = "padded-queries-only";
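Review bot: The default registered here, `= "2000"`, disagrees with the documentation hunk above, which states `Default: 1000` for the same setting; one of the two has to change so the reference docs and the binary agree. The help string also omits the one value with special meaning — consider: `"The maximum estimated size (number of names) of a zone to store NSEC3 records into the aggressive cache; 0 disables NSEC3 aggressive caching"`. While the docs are being touched, `.. versionadded: 4.9.0` in that hunk has a single colon and will not render as a directive.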