From: Kees Monshouwer
Date: Tue, 29 Jul 2014 11:25:57 +0000 (+0200)
Subject: add option to limit the maximum number of cached signatures
X-Git-Tag: auth-3.4.0-rc1~14^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bba84134688e5d1b51ff5dc2bac4016fe737cb7c;p=thirdparty%2Fpdns.git
add option to limit the maximum number of cached signatures
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index cff84a2fb5..e310757540 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -148,6 +148,7 @@ void declareArguments()
 ::arg().set("setgid","If set, change group id to this gid for more security")="";
 ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000";
+ ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
 ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
 ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 55b8fd8138..19a459fa05 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -26,6 +26,7 @@
 #include "dnsseckeeper.hh"
 #include "dns_random.hh"
 #include "lock.hh"
+#include "arguments.hh"
 /* this is where the RRSIGs begin, keys are retrieved, but the actual signing happens in fillOutRRSIG */
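Review bot: The new option is declared with an empty default, so `--help` and `--config` output give no hint of the effective limit; the real fallback (INT_MAX, passed as the second argument to `asNum` in the dnssecsigner.cc hunk) is only visible in the signer code, while the neighbouring `max-cache-entries` declares a numeric default. Say so in the help text, `::arg().set("max-signature-cache-entries", "Maximum number of signature cache entries (empty means no limit)")="";`, which also fixes the "signatures cache entries" wording. The identical declaration is repeated in the pdnssec.cc hunk of this commit and should carry the same text. declareArguments continues outside the hunk.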
@@ -148,8 +149,10 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
 WriteLock l(&g_signatures_lock);
 /* we add some jitter here so not all your slaves start pruning their caches at the very same millisecond */
 int weekno = (time(0) - dns_random(3600)) / (86400*7); // we just spent milliseconds doing a signature, microsecond more won't kill us
+ const static int maxcachesize=::arg().asNum("max-signature-cache-entries", INT_MAX);
- if(g_cacheweekno < weekno) { // blunt but effective (C) Habbie
+ if(g_cacheweekno < weekno || g_signatures.size() >= (uint) maxcachesize) { // blunt but effective (C) Habbie, mind04 + L< + + max-signature-cache-entries + + + Maximum number of signatures cache entries + + + local-address-nonexist-fail
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index fc767ac65c..5795a1d938 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -274,6 +274,11 @@
 #
 # max-queue-length=5000
+#################################
+# max-signature-cache-entries Maximum number of signatures cache entries
+#
+# max-signature-cache-entries=
+
 #################################
 # max-tcp-connections Maximum number of TCP connections
 #
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 06687b7946..17b3f934f6 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -138,6 +138,7 @@ void loadMainConfig(const std::string& configdir)
 ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
 ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
+ ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
 ::arg().laxFile(configname.c_str());
 BackendMakers().launch(::arg()["launch"]); // vrooooom!
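Review bot: The size guard on the rewritten `if` treats a configured value of 0 as "always full": `g_signatures.size() >= (uint) 0` holds on every call, so the cache is flushed on every signature instead of being unlimited, and a negative value would wrap through the `(uint)` cast into an effectively unbounded limit. Treat non-positive values as "no limit" in the condition, `if(g_cacheweekno < weekno || (maxcachesize > 0 && g_signatures.size() >= (uint) maxcachesize)) {`, or reject them when the option is read. Hitting the limit apparently drops the whole cache rather than evicting entries, so a server running at the limit re-signs everything after each overflow; that is presumably the intended "blunt" trade-off, but it deserves a sentence in the comment so operators size the option accordingly. `INT_MAX` comes from `<climits>`, which this hunk does not include explicitly. The remainder of fillOutRRSIG's body, including the block this `if` guards, is cut off and garbled in this rendering of the hunk.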