auth: add setting workaround-11804
authorChris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Wed, 26 Apr 2023 13:52:25 +0000 (15:52 +0200)
committerChris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Thu, 11 May 2023 21:07:23 +0000 (23:07 +0200)
Workaround for https://github.com/PowerDNS/pdns/issues/11804. Defaults to no,
implying the previously hard-coded value of 100.

docs/settings.rst
pdns/auth-main.cc
pdns/pdnsutil.cc
pdns/signingpipe.cc
pdns/signingpipe.hh
pdns/tcpreceiver.cc

index 899e1e47e3fafb55bc0a79ecf70de0e399168e76..ed39a436397ff8c127201689ac0cca1708719dc9 100644 (file)
@@ -1982,6 +1982,20 @@ If the webserver should print arguments.
 
 If a PID file should be written.
 
+.. _setting-workaround-11804:
+
+``workaround-11804``
+-------------------
+
+-  Boolean
+-  Default: no
+
+Workaround for issue https://github.com/PowerDNS/pdns/issues/11804.
+
+Default of no implies the pre-4.8 behaviour of up to 100 RRs per AXFR chunk.
+
+If enabled, only a single RR will be put into each AXFR chunk, making some zones transferable when they were not.
+
 .. _setting-xfr-cycle-interval:
 
 ``xfr-cycle-interval``
index 5f46624b62a0607178817e4249f69ee7ab3adb34..5bf5e1ccf6222ee5623376d48b08aa1d948e26ac 100644 (file)
@@ -196,6 +196,7 @@ static void declareArguments()
   ::arg().set("log-timestamp", "Print timestamps in log lines") = "yes";
   ::arg().set("distributor-threads", "Default number of Distributor (backend) threads to start") = "3";
   ::arg().set("signing-threads", "Default number of signer threads to start") = "3";
+  ::arg().setSwitch("workaround-11804", "Workaround for issue 11804: send single RR per AXFR chunk") = "no";
   ::arg().set("receiver-threads", "Default number of receiver threads to start") = "1";
   ::arg().set("queue-limit", "Maximum number of milliseconds to queue a query") = "1500";
   ::arg().set("resolver", "Use this resolver for ALIAS and the internal stub resolver") = "no";
index cea44001b8fcb71c15d51686d8380be935450953..18b10c24bfe29618b23ff4d9f625fed6da2401a5 100644 (file)
@@ -1842,7 +1842,7 @@ static void testSpeed(const DNSName& zone, const string& /* remote */, int cores
     throw runtime_error("No backends available for DNSSEC key storage");
   }
 
-  ChunkedSigningPipe csp(DNSName(zone), true, cores);
+  ChunkedSigningPipe csp(DNSName(zone), true, cores, 100);
 
   vector<DNSZoneRecord> signatures;
   uint32_t rnd;
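Review bot: The literal `100` passed to `ChunkedSigningPipe` in testSpeed repeats the value that used to be fixed inside the constructor, and the same number appears again beside `1` in the tcpreceiver.cc hunk. A single named constant declared next to the class, for example `static constexpr unsigned int s_defaultMaxChunkRecords = 100;` (name is only a suggestion), would keep the benchmark and the AXFR path from drifting apart if the default is ever changed. testSpeed's body continues outside this hunk.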
index f740ae8bb7a8233fdc33215169bbebc076b54f96..2da3db7a24b64f05886d6334df7f0c2d70d46440 100644 (file)
@@ -57,9 +57,9 @@ catch(...) {
   return nullptr;
 }
 
-ChunkedSigningPipe::ChunkedSigningPipe(DNSName  signerName, bool mustSign, unsigned int workers)
+ChunkedSigningPipe::ChunkedSigningPipe(DNSName  signerName, bool mustSign, unsigned int workers, unsigned int maxChunkRecords)
   : d_signed(0), d_queued(0), d_outstanding(0), d_numworkers(workers), d_submitted(0), d_signer(std::move(signerName)),
-    d_maxchunkrecords(100), d_threads(d_numworkers), d_mustSign(mustSign), d_final(false)
+    d_maxchunkrecords(maxChunkRecords), d_threads(d_numworkers), d_mustSign(mustSign), d_final(false)
 {
   d_rrsetToSign = make_unique<rrset_t>();
   d_chunks.push_back(vector<DNSZoneRecord>()); // load an empty chunk
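Review bot: `maxChunkRecords` is copied into `d_maxchunkrecords` in the initializer list without any range check. The two callers in this commit pass 1 or 100, but a 0 from a future caller would reach whatever code compares against `d_maxchunkrecords`, and that code is not visible in this hunk. Rejecting it at the top of the constructor body keeps the invariant in one place, e.g. `if (maxChunkRecords == 0) { throw std::runtime_error("ChunkedSigningPipe: maxChunkRecords must be at least 1"); }`. The constructor body continues past the end of the hunk.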
index 4c6443342fa8d025ca4f28ee442aed42918aff33..c72b541786412c4fcf45b5033cc948942ed2b696 100644 (file)
@@ -42,7 +42,7 @@ public:
   
   ChunkedSigningPipe(const ChunkedSigningPipe&) = delete;
   void operator=(const ChunkedSigningPipe&) = delete;
-  ChunkedSigningPipe(DNSName  signerName, bool mustSign, unsigned int numWorkers=3);
+  ChunkedSigningPipe(DNSName  signerName, bool mustSign, unsigned int numWorkers, unsigned int maxChunkRecords);
   ~ChunkedSigningPipe();
   bool submit(const DNSZoneRecord& rr);
   chunk_t getChunk(bool final=false);
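Review bot: The new declaration has two adjacent `unsigned int` parameters and no default any more, so a call with the worker count and the chunk limit swapped compiles without a diagnostic. A comment on the declaration would make the order and meaning explicit, for example `//! numWorkers: number of signer threads; maxChunkRecords: upper bound on records per chunk (previously fixed at 100)`. The class definition starts and ends outside this hunk.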
index 3341b11392613b77163d529226b94cd4ab8a186e..12db956bb758ce9ebc99948ff1cfb7d8d59235ec 100644 (file)
@@ -987,7 +987,7 @@ send:
   typedef map<DNSName, NSECXEntry, CanonDNSNameCompare> nsecxrepo_t;
   nsecxrepo_t nsecxrepo;
 
-  ChunkedSigningPipe csp(target, (securedZone && !presignedZone), ::arg().asNum("signing-threads", 1));
+  ChunkedSigningPipe csp(target, (securedZone && !presignedZone), ::arg().asNum("signing-threads", 1), ::arg().mustDo("workaround-11804") ? 1 : 100);
 
   DNSName keyname;
   unsigned int udiff;