From: Otto
Date: Wed, 10 Feb 2021 09:57:36 +0000 (+0100)
Subject: Introduce settings to never cache EDNS Client (v4/v6) Subnet carrying replies.
X-Git-Tag: dnsdist-1.6.0-alpha2~40^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=66535fce190fc9f743c2c15270c464b958813b1c;p=thirdparty%2Fpdns.git
Introduce settings to never cache EDNS Client (v4/v6) Subnet carrying replies. While there, add a few entries to the upgrade guide.
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 1f5ee52e3e..22c0ac7688 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -4612,6 +4612,8 @@ static int serviceMain(int argc, char*argv[])
 SyncRes::clearECSStats();
 SyncRes::s_ecsipv4cachelimit = ::arg().asNum("ecs-ipv4-cache-bits");
 SyncRes::s_ecsipv6cachelimit = ::arg().asNum("ecs-ipv6-cache-bits");
+ SyncRes::s_ecsipv4nevercache = ::arg().mustDo("ecs-ipv4-never-cache");
+ SyncRes::s_ecsipv6nevercache = ::arg().mustDo("ecs-ipv6-never-cache");
 SyncRes::s_ecscachelimitttl = ::arg().asNum("ecs-cache-limit-ttl");
 SyncRes::s_qnameminimization = ::arg().mustDo("qname-minimization");
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 022f60ee31..64fa3f2628 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -483,7 +483,7 @@ Number of bits of client IPv4 address to pass when sending EDNS Client Subnet ad
 - Default: 24
 Maximum number of bits of client IPv4 address used by the authoritative server (as indicated by the EDNS Client Subnet scope in the answer) for an answer to be inserted into the query cache. This condition applies in conjunction with ``ecs-cache-limit-ttl``.
-That is, only if both the limits apply, the record will not be cached.
+That is, only if both the limits apply, the record will not be cached. This decision can be overridden by ``ecs-ipv4-never-cache`` and ``ecs-ipv6-never-cache``.
 .. _setting-ecs-ipv6-bits:
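Review bot: The two new `::arg().mustDo("ecs-ipv4-never-cache")` / `::arg().mustDo("ecs-ipv6-never-cache")` reads only work if both names are registered on the ArgvMap (a `::arg().setSwitch(...)` with help text and the `no` default that settings.rst documents), and no such registration is visible anywhere in this diff. As far as I recall, `mustDo()` on an undefined argument raises an ArgException at startup instead of returning false, so please confirm the declaration lands in this or a preceding commit and that its declared default agrees with the documented one. serviceMain continues outside the hunk.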
@@ -506,7 +506,31 @@ Number of bits of client IPv6 address to pass when sending EDNS Client Subnet ad
 - Default: 56
 Maximum number of bits of client IPv6 address used by the authoritative server (as indicated by the EDNS Client Subnet scope in the answer) for an answer to be inserted into the query cache. This condition applies in conjunction with ``ecs-cache-limit-ttl``.
-That is, only if both the limits apply, the record will not be cached.
+That is, only if both the limits apply, the record will not be cached. This decision can be overridden by ``ecs-ipv4-never-cache`` and ``ecs-ipv6-never-cache``.
+
+.. _setting-ecs-ipv4-never-cache:
+
+``ecs-ipv4-never-cache``
+------------------------
+.. versionadded:: 4.5.0
+
+- Boolean
+- Default: no
+
+When set, never cache replies carrying EDNS IPv4 Client Subnet scope in the record cache.
+In this case the decision made by ```ecs-ipv4-cache-bits`` and ``ecs-cache-limit-ttl`` is no longer relevant.
+
+.. _setting-ecs-ipv6-never-cache:
+
+``ecs-ipv6-never-cache``
+------------------------
+.. versionadded:: 4.5.0
+
+- Boolean
+- Default: no
+
+When set, never cache replies carrying EDNS IPv6 Client Subnet scope in the record cache.
+In this case the decision made by ```ecs-ipv6-cache-bits`` and ``ecs-cache-limit-ttl`` is no longer relevant.
 .. _setting-ecs-minimum-ttl-override:
@@ -534,7 +558,7 @@ Can be set at runtime using ``rec_control set-ecs-minimum-ttl 3600``.
 - Default: 0 (disabled)
 The minimum TTL for an ECS-specific answer to be inserted into the query cache. This condition applies in conjunction with ``ecs-ipv4-cache-bits`` or ``ecs-ipv6-cache-bits``.
-That is, only if both the limits apply, the record will not be cached.
+That is, only if both the limits apply, the record will not be cached. This decision can be overridden by ``ecs-ipv4-never-cache`` and ``ecs-ipv6-never-cache``.
 .. _setting-ecs-scope-zero-address:
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index b60b479fd4..f73884afbf 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -20,17 +20,27 @@ Synonyms for various settings names containing ``master``, ``slave``,
 - For :ref:`setting-new-domain-whitelist` use :ref:`setting-new-domain-ignore-list`.
 - For :ref:`setting-snmp-master-socket` use :ref:`setting-snmp-daemon-socket`.
 - For the LUA config function :func:`rpzMaster` use :func:`rpzPrimary`.
-
+
 Currently, the older setting names are also accepted and used. The next release will start deprecating them. Users are advised to start using the new names to avoid future trouble.
+New Settings
+^^^^^^^^^^^^
+- The :ref:`setting-extended-resolution-errors` has been added, enabling adding EDNS Extended Errors to responses.
+- The :ref:`setting-refresh-on-ttl-perc`, enabling an automatic cache-refresh mechanism,
+- The :ref:`setting-ecs-ipv4-never-cache` and :ref:`setting-ecs-ipv6-never-cache` settings have been added, allowing an overrule of the existing decision whether to to cache EDNS responses carrying subnet information.
+
 Deprecated and changed settings
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 - The :ref:`setting-minimum-ttl-override` and :ref:`setting-ecs-minimum-ttl-override` defaults have ben changed from 0 to 1.
 - The :ref:`setting-spoof-nearmiss-max` default has been changed from 20 to 1.
+Removed settings
+^^^^^^^^^^^^^^^^
+- The :ref:`setting-query-local-address6` has been removed. It already was deprecated.
+
 4.3.x to 4.4.0
 --------------
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index e590d4fe42..b9b12c218e 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -84,6 +84,8 @@ uint8_t SyncRes::s_ecsipv4limit;
 uint8_t SyncRes::s_ecsipv6limit;
 uint8_t SyncRes::s_ecsipv4cachelimit;
 uint8_t SyncRes::s_ecsipv6cachelimit;
+bool SyncRes::s_ecsipv4nevercache;
+bool SyncRes::s_ecsipv6nevercache;
 bool SyncRes::s_doIPv4;
 bool SyncRes::s_doIPv6;
@@ -3257,10 +3259,14 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 bool doCache = true;
 if (i->first.place == DNSResourceRecord::ANSWER && ednsmask) {
+ const bool isv4 = ednsmask->isIPv4();
+ if ((isv4 && s_ecsipv4nevercache) || (!isv4 && s_ecsipv6nevercache)) {
+ doCache = false;
+ }
 // If ednsmask is relevant, we do not want to cache if the scope prefix length is large and TTL is small
- if (SyncRes::s_ecscachelimitttl > 0) {
- bool manyMaskBits = (ednsmask->isIPv4() && ednsmask->getBits() > SyncRes::s_ecsipv4cachelimit) ||
- (ednsmask->isIPv6() && ednsmask->getBits() > SyncRes::s_ecsipv6cachelimit);
+ if (doCache && s_ecscachelimitttl > 0) {
+ bool manyMaskBits = (isv4 && ednsmask->getBits() > s_ecsipv4cachelimit) ||
+ (!isv4 && ednsmask->getBits() > s_ecsipv6cachelimit);
 if (manyMaskBits) {
 uint32_t minttl = UINT32_MAX;
@@ -3268,7 +3274,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 if (it.d_ttl < minttl)
 minttl = it.d_ttl;
 }
- bool ttlIsSmall = minttl < SyncRes::s_ecscachelimitttl + d_now.tv_sec;
+ bool ttlIsSmall = minttl < s_ecscachelimitttl + d_now.tv_sec;
 if (ttlIsSmall) {
 // Case: many bits and ttlIsSmall
 doCache = false;
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index a8705b32c3..abf4eaf8bf 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -759,6 +759,9 @@ public:
 static uint8_t s_ecsipv6limit;
 static uint8_t s_ecsipv4cachelimit;
 static uint8_t s_ecsipv6cachelimit;
+ static bool s_ecsipv4nevercache;
+ static bool s_ecsipv6nevercache;
+
 static bool s_doIPv4;
 static bool s_doIPv6;
 static bool s_noEDNSPing;
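Review bot: The new never-cache override inside the `ANSWER && ednsmask` branch needs a comment of its own, because it now sits directly above the existing `// If ednsmask is relevant, ...` comment, which reads as if it explained the override rather than the bits/TTL heuristic beneath it. Suggest adding `// Operator override (ecs-ipv4/ipv6-never-cache): ECS-scoped answers of this family never enter the record cache, independent of the bits/TTL heuristic below.` above `const bool isv4 = ednsmask->isIPv4();`. The rewrite also treats `!isv4` as IPv6 where the removed lines tested `ednsmask->isIPv6()` explicitly; that is equivalent only if a Netmask is always exactly one of the two families, which appears to hold here but deserves a word in the same comment. Operationally, enabling either switch means every ECS-scoped answer for that family is re-resolved upstream, so the settings text could state that trade-off explicitly. The `@@ -3268` hunk only drops the `SyncRes::` qualifier; updateCacheFromRecords itself starts and ends outside both hunks.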
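Review bot: The two new public statics `s_ecsipv4nevercache` / `s_ecsipv6nevercache` are declared without any comment, and nothing in the header says how they relate to the neighbouring `s_ecsipv4cachelimit` / `s_ecsipv6cachelimit` limits whose decision they override. A one-liner above them would help: `// ecs-ipv{4,6}-never-cache: when set, ECS-scoped answers of that family bypass the record cache entirely, overriding the *cachelimit heuristics`. The class body continues outside the hunk.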