Entries without a netmask will be interpreted as a single address.
By default, the ACL is set is ``127.0.0.0/8`` and ``::1/128``.
+:axfr-max-records:
+ Maximum number of records allowed in an AXFR transaction requested by :program:`ixfrdist`.
+ This may prevent untrusted sources from using all the process memory.
+ By default, this setting is ``0``, which means "unlimited".
+
:axfr-timeout:
Timeout in seconds an AXFR transaction requested by :program:`ixfrdist` may take.
Increase this when the network to the authoritative servers is slow or the domains are very large and you experience timeouts.
}
}
-void updateThread(const string& workdir, const uint16_t& keep, const uint16_t& axfrTimeout) {
+void updateThread(const string& workdir, const uint16_t& keep, const uint16_t& axfrTimeout, const uint32_t axfrMaxRecords) {
std::map<DNSName, time_t> lastCheck;
// Initialize the serials we have
shared_ptr<SOARecordContent> soa;
try {
AXFRRetriever axfr(master, domain, tt, &local);
- unsigned int nrecords=0;
+ uint32_t nrecords=0;
Resolver::res_t nop;
vector<DNSRecord> chunk;
records_t records;
soa = getRR<SOARecordContent>(dr);
}
}
+ if (axfrMaxRecords != 0 && nrecords > axfrMaxRecords) {
+ throw PDNSException("Received more than " + std::to_string(axfrMaxRecords) + " records in AXFR, aborted");
+ }
axfr_now = time(nullptr);
if (axfr_now - t_start > axfrTimeout) {
throw PDNSException("Total AXFR time exceeded!");
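Review bot: The `axfrMaxRecords` comparison runs after the records already counted in `nrecords` have been stored in `records` (the increment itself is not in this hunk), so if the goal is a hard bound on process memory the transfer can still overshoot the limit by up to one chunk before the exception fires; moving the check into the per-record loop, before the record is appended, enforces the bound strictly. The thrown message `"Received more than " + std::to_string(axfrMaxRecords) + " records in AXFR, aborted"` would be more useful in the log if it named the zone, since this thread handles several domains; `domain` appears to be in scope given the `AXFRRetriever axfr(master, domain, tt, &local);` line above, but that part of the enclosing function lies outside the hunk.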
config["keep"] = 20;
}
+ if (config["axfr-max-records"]) {
+ try {
+ config["axfr-max-records"].as<uint32_t>();
+ } catch (const runtime_error &e) {
+ g_log<<Logger::Error<<"Unable to read 'axfr-max-records' value: "<<e.what()<<endl;
+ }
+ } else {
+ config["axfr-max-records"] = 0;
+ }
+
if (config["axfr-timeout"]) {
try {
config["axfr-timeout"].as<uint16_t>();
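Review bot: The catch at `} catch (const runtime_error &e) {` only logs an unparsable `axfr-max-records` value and then falls through, so startup continues and the identical `config["axfr-max-records"].as<uint32_t>()` in the `std::thread ut(updateThread, ...)` call further down throws again, this time uncaught. The validation block should stop the program on a bad value, e.g. `g_log<<Logger::Error<<"Unable to read 'axfr-max-records' value: "<<e.what()<<endl;` followed by `return EXIT_FAILURE;` if this is `main`; the enclosing function and the body of the neighbouring `axfr-timeout` catch are outside the hunk, so I cannot confirm what the other option checks do on failure. Separately, the new `const uint32_t axfrMaxRecords` parameter of `updateThread` is taken by value while `keep` and `axfrTimeout` remain `const uint16_t&`; by value is the right choice for these small scalars, but mixing the two forms in one signature reads as accidental.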
std::thread ut(updateThread,
config["work-dir"].as<string>(),
config["keep"].as<uint16_t>(),
- config["axfr-timeout"].as<uint16_t>());
+ config["axfr-timeout"].as<uint16_t>(),
+ config["axfr-max-records"].as<uint32_t>());
vector<std::thread> tcpHandlers;
tcpHandlers.reserve(config["tcp-in-threads"].as<uint16_t>());
- '127.0.0.0/8'
- '::1'
+# Maximum number of records allowed in a single zone. ixfrdist will abort the
+# zone transfer from the master when more than this number of records have been
+# received. A value of 0 (the default) means unlimited
+#
+axfr-max-records: 0
+
# Timeout in seconds an AXFR transaction requested by ixfrdist may take.
# Increase this when the network to the authoritative servers is slow or the
# domains are very large and you experience timeouts. Set to 20 by default or