implement 'max-query-restarts'

implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb7c7cd03edc36507b167cfc6e11d17c)
(cherry picked from commit 2e04f0380c5af65661ee906ffc0730e6ea8040aa)

diff --git a/bin/named/config.c b/bin/named/config.c
index ff3f272d266322708b64674e7301962062201a95..52c8155c341d4ea6fb7b4434e8cc56c0870a06d3 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -168,6 +168,7 @@ options {\n\
        max-ncache-ttl 10800; /* 3 hours */\n\
        max-recursion-depth 7;\n\
        max-recursion-queries 32;\n\
+       max-query-restarts 11;\n\
        max-stale-ttl 86400; /* 1 day */\n\
        message-compression yes;\n\
        min-ncache-ttl 0; /* 0 hours */\n\

diff --git a/bin/named/server.c b/bin/named/server.c
index 1926dc651a125c99fc93e8b0f1b36897885ad147..444bb9be059e05f379df99775f0b2a15817b4712 100644 (file)
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5480,6 +5480,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
        INSIST(result == ISC_R_SUCCESS);
        dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
 
+       obj = NULL;
+       result = named_config_get(maps, "max-query-restarts", &obj);
+       INSIST(result == ISC_R_SUCCESS);
+       dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj));
+
        obj = NULL;
        result = named_config_get(maps, "fetches-per-zone", &obj);
        INSIST(result == ISC_R_SUCCESS);

diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in
index 31ca3ef53224ba2886c60089ccce8b5de7af3d8b..a531fe29b7ef2122ad515a262692d140b1b5941c 100644 (file)
--- a/bin/tests/system/chain/ns7/named.conf.in
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -35,11 +35,28 @@ key rndc_key {
        algorithm hmac-sha256;
 };
 
+key restart16 {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
 controls {
        inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-zone "." {
-       type hint;
-       file "root.hint";
+view restart16 {
+       match-clients { key restart16; none; };
+       max-query-restarts 16;
+
+       zone "." {
+               type hint;
+               file "root.hint";
+       };
+};
+
+view default {
+       zone "." {
+               type hint;
+               file "root.hint";
+       };
 };

diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 0ecdb68e95af6b04c54f951c1c926f5772984a2b..9671641fbb4a12f8c29d0be669e701a922842cb3 100644 (file)
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -79,6 +79,7 @@ options {
        check-names primary warn;
        check-names secondary ignore;
        max-cache-size 20000000000000;
+       max-query-restarts 10;
        nta-lifetime 604800;
        nta-recheck 604800;
        validate-except {
@@ -111,6 +112,7 @@ view "first" {
                max-ixfr-ratio unlimited;
        };
        dnssec-validation auto;
+       max-query-restarts 15;
        zone-statistics terse;
 };
 view "second" {

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 9127dc0d9a284d4c49f2429ab700fae9994c7a62..991ee467d33f421e1f95b47f7fe68ab5f1402bc3 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3700,6 +3700,11 @@ Tuning
    is a CNAME, then the subsequent lookup for the target of the CNAME is
    counted separately.) The default is 32.
 
+``max-query-restarts``
+   This sets the maximum number of successive CNAME targets to follow
+   when resolving a client query, before terminating the query to avoid a
+   CNAME loop. Valid values are 1 to 255. The default is 11.
+
 ``notify-delay``
    This sets the delay, in seconds, between sending sets of NOTIFY messages
    for a zone. Whenever a NOTIFY message is sent for a zone, a timer will

diff --git a/doc/misc/options b/doc/misc/options
index 7a3b77171f7f6337f5a0472954d3a75aca314a64..87e438005b445187f7de98c981359483cc9b09a4 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -242,6 +242,7 @@ options {
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
+        max-query-restarts <integer>;
         max-records <integer>;
         max-records-per-type <integer>;
         max-recursion-depth <integer>;
@@ -624,6 +625,7 @@ view <string> [ <class> ] {
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
+        max-query-restarts <integer>;
         max-records <integer>;
         max-records-per-type <integer>;
         max-recursion-depth <integer>;

diff --git a/doc/misc/options.active b/doc/misc/options.active
index 8fa18a75d89820e98fc0f594dc8f5d757796cf2c..6f384216e30142b0d13c8ac01a138057aa65bd1e 100644 (file)
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -216,6 +216,7 @@ options {
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
+        max-query-restarts <integer>;
         max-records <integer>;
         max-records-per-type <integer>;
         max-recursion-depth <integer>;
@@ -561,6 +562,7 @@ view <string> [ <class> ] {
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
+        max-query-restarts <integer>;
         max-records <integer>;
         max-records-per-type <integer>;
         max-recursion-depth <integer>;

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ee64543ab8b29230f461674e159ade2c7a19188b..db87964ce0579f30b0941639d28087aa8dbe55cd 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1781,6 +1781,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
                }
        }
 
+       obj = NULL;
+       (void)cfg_map_get(options, "max-query-restarts", &obj);
+       if (obj != NULL) {
+               uint32_t restarts = cfg_obj_asuint32(obj);
+               if (restarts == 0 || restarts > 255) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "'max-query-restarts' is out of "
+                                   "range 1..255)");
+                       if (result == ISC_R_SUCCESS) {
+                               result = ISC_R_RANGE;
+                       }
+               }
+       }
+
        return (result);
 }
 

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 69525dcc902146902c733e8eebe48cb6f018839b..232a309418bc444568dd66175b864abbb63797b5 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2059,6 +2059,7 @@ static cfg_clausedef_t view_clauses[] = {
        { "max-ncache-ttl", &cfg_type_duration, 0 },
        { "max-recursion-depth", &cfg_type_uint32, 0 },
        { "max-recursion-queries", &cfg_type_uint32, 0 },
+       { "max-query-restarts", &cfg_type_uint32, 0 },
        { "max-stale-ttl", &cfg_type_duration, 0 },
        { "max-udp-size", &cfg_type_uint32, 0 },
        { "message-compression", &cfg_type_boolean, 0 },