From: Otto Moerbeek Date: Tue, 30 May 2023 07:57:13 +0000 (+0200) Subject: rec: Introduce a way to completely disable root-refresh X-Git-Tag: rec-4.9.0-beta1~1^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0908f75786285456ccd7e64c5966514b72da29dd;p=thirdparty%2Fpdns.git rec: Introduce a way to completely disable root-refresh --- diff --git a/pdns/recursordist/docs/appendices/FAQ.rst b/pdns/recursordist/docs/appendices/FAQ.rst index d063998332..7d6110db5e 100644 --- a/pdns/recursordist/docs/appendices/FAQ.rst +++ b/pdns/recursordist/docs/appendices/FAQ.rst 
@@ -66,19 +66,23 @@ Handling of root hints On startup, the :program:`Recursor` uses root hints to resolve the names and addresses of the root name servers and puts the record sets found into the record cache. This is needed to be able to resolve names, as the recursive algorithm starts at the root (using cached data) and then tries to resolve delegations until it finds the name servers that are authoritative for the domain in question. -If the :ref:`setting-hint-file` is not set, it wil use a compiled-in table as root hints. -Starting with version 4.6.2, if :ref:`setting-hint-file` is set to ``no``, the :program:`Recursor` will not fill the cache with root data. -This can be used in special cases, e.g. when all queries are forwarded. +If the :ref:`setting-hint-file` is not set, :program:`Recursor` wil use a compiled-in table as root hints. -Note that the root hints and resolved root data can differ if the root hints are outdated. -As long as at least one root server mentioned in the root hints can be contacted, this mechanism will produce the desired record sets corresponding to the actual root server data. - -Periodically, based on the :ref:`setting-max-cache-ttl`, the :program:`Recursor` will refetch the root data using data in its cache. +Periodically, based on the :ref:`setting-max-cache-ttl`, the :program:`Recursor` will refetch the root data using data in its cache by doing a `. NS` query. If that does not succeed, it wil fall back to using the root hints to fill the cache with root data. Prior to version 4.7.0, the period for re-fetching root data was :ref:`setting-max-cache-ttl` divided by 12, with a minimum of 10 seconds. Starting with version 4.7.0, the period is adaptive, starting at 80% of :ref:`setting-max-cache-ttl`, reducing the interval on failure. -There is another detail: after refreshing the root records, the :program:`Recursor` will resolve the ``NS`` records for the top level domain of the root servers. 
+The root hints and resolved root data can differ if the root hints are outdated. +As long as at least one root server mentioned in the root hints can be contacted, the periodic refresh will produce the desired record sets corresponding to the current up-to-date root server data. + +Starting with version 4.6.2, if :ref:`setting-hint-file` is set to ``no``, the :program:`Recursor` will not prime the cache with root data obtained from hints, but will still do the periodic refresh. +A (recursive) forward configuration is be needed to make the periodic refresh work. + +Starting with version 4.9, setting :ref:`setting-hint-file` to ``no-refresh`` disables both the initial reading of the hints and the periodic refresh of cached root data. +This prevents :program:`Recursor` from resolving names by itself, so it is only useful in cases where all queries are forwarded. + +With versions older than 4.8, there is another detail: after refreshing the root records, the :program:`Recursor` will resolve the ``NS`` records for the top level domain of the root servers. For example, in the default setup the root name servers are called ``[a-m].root-servers.net``, so the :program:`Recursor` will resolve the name servers of the ``.net`` domain. -This is needed to correctly determine zone cuts to be able to decide if the ``.root-servers.net`` domain is DNSSEC protected. +This is needed to correctly determine zone cuts to be able to decide if the ``.root-servers.net`` domain is DNSSEC protected. Newer versions solve this by querying the needed information top-down. diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 427b39904f..106f5432bd 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst 
@@ -926,10 +926,14 @@ If set, EDNS options in incoming queries are extracted and passed to the :func:` Introduced the value ``no`` to disable root-hints processing. +.. versionchanged:: 4.9.0 + + Introduced the value ``no-refresh`` to disable both root-hints processing and periodic refresh of the cached root `NS` records. + If set, the root-hints are read from this file. If empty, the default built-in root hints are used. In some special cases, processing the root hints is not needed, for example when forwarding all queries to another recursor. -For these special cases, it is possible to disable the processing of root hints by setting the value to ``no``. +For these special cases, it is possible to disable the processing of root hints by setting the value to ``no`` or ``no-refresh``. See :ref:`handling-of-root-hints` for more information on root hints handling. .. _setting-ignore-unknown-settings: diff --git a/pdns/recursordist/reczones.cc b/pdns/recursordist/reczones.cc index ba658b19c2..389dcaee1c 100644 --- a/pdns/recursordist/reczones.cc +++ b/pdns/recursordist/reczones.cc @@ -40,10 +40,10 @@ bool primeHints(time_t now) vector nsvec; bool ret = true; - if (hintfile == "no") { + if (hintfile == "no" || hintfile == "no-refresh") { auto log = g_slog->withName("config"); - SLOG(g_log << Logger::Debug << "Priming root disabled by hint-file=no" << endl, - log->info(Logr::Debug, "Priming root disabled by hint-file=no")); + SLOG(g_log << Logger::Debug << "Priming root disabled by hint-file setting" << endl, + log->info(Logr::Debug, "Priming root disabled by hint-file setting")); return ret; } diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc index 6119a325e9..0e534a3fe0 100644 --- a/pdns/recursordist/syncres.cc +++ b/pdns/recursordist/syncres.cc 
@@ -5863,6 +5863,9 @@ int directResolve(const DNSName& qname, const QType qtype, const QClass qclass, int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback, unsigned int depth, Logr::log_t log) { + if (::arg()["hint-file"] == "no-refresh") { + return 0; + } SyncRes sr(now); sr.d_prefix = "[getRootNS]"; sr.setDoEDNS0(true);
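Review bot: the FAQ.rst hunk carries two wording defects into the new text: the rewritten line "If the :ref:`setting-hint-file` is not set, :program:`Recursor` wil use a compiled-in table as root hints." keeps the "wil" typo from the removed line (the unchanged context line "it wil fall back to using the root hints" has the same typo and could be fixed while this paragraph is being touched), and the added sentence "A (recursive) forward configuration is be needed to make the periodic refresh work." should read "is needed". Two smaller points in the same hunk: "by doing a `. NS` query" uses single backticks, which reStructuredText renders as interpreted text rather than a literal; the rest of this file uses double backticks (``NS``, ``no``), so ``. NS`` would be consistent. And the version is given as "Starting with version 4.9" here but as "4.9.0" in the settings.rst versionchanged directive; using one form in both places avoids a reader wondering whether a point release is meant.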
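Review bot: in the settings.rst hunk, the added versionchanged text "periodic refresh of the cached root `NS` records" has the same single-backtick issue as the FAQ: in this file literals are written with double backticks (``no``, ``no-refresh``), so `NS` will render differently from the values around it. The directive text also says what ``no-refresh`` disables but not its consequence; since the FAQ hunk states that the setting "prevents :program:`Recursor` from resolving names by itself", a half sentence to that effect next to the new value (or at least in the "For these special cases ..." line that now lists both values) would stop an operator from picking ``no-refresh`` as a harmless variant of ``no``.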
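Review bot: the reczones.cc hunk makes the log line less useful than before: "Priming root disabled by hint-file=no" told the operator the exact value, while "Priming root disabled by hint-file setting" no longer distinguishes ``no`` from ``no-refresh``, which now have different runtime behaviour. Suggest including the value of ``hintfile`` in the message (or as a field on the structured log call) so a debug log is enough to tell which mode is active. The condition change itself, `if (hintfile == "no" || hintfile == "no-refresh")`, is correct for the intent of skipping priming in both modes.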
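Review bot: the syncres.cc hunk checks `::arg()["hint-file"] == "no-refresh"` inside `SyncRes::getRootNS`, so the argument map is consulted and a string comparison done on every call; the reczones.cc hunk instead compares a local `hintfile` value, and the two checks can drift (for example if the accepted spelling of the value is ever changed in one place only). Consider evaluating the setting once at configuration time and testing a flag here, which also keeps the hot path free of the argument lookup. Two further points: the early `return 0;` happens silently, whereas the priming path in reczones.cc logs why it was skipped, so a matching debug log here would let an operator explain why the root ``NS`` set is never refreshed; and because the check sits in the generic `getRootNS` rather than at the periodic-refresh call site, any other caller of this function now also gets 0 without a refresh, which should be intended and ideally noted in a comment above the check.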