max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\
max-recursion-queries 32;\n\
+ max-query-restarts 11;\n\
message-compression yes;\n\
# min-roots <obsolete>;\n\
minimal-any false;\n\
dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
obj = NULL;
- result = ns_config_get(maps, "fetches-per-zone", &obj);
+ result = ns_config_get(maps, "max-query-restarts", &obj);
INSIST(result == ISC_R_SUCCESS);
+ dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "fetches-per-zone", &obj);
obj2 = cfg_tuple_get(obj, "fetches");
dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
obj2 = cfg_tuple_get(obj, "response");
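Review bot: The `fetches-per-zone` lookup re-added on the new side is no longer guarded: the existing `INSIST(result == ISC_R_SUCCESS);` now covers only the `max-query-restarts` lookup, and `cfg_tuple_get(obj, "fetches")` on the next context line would dereference a NULL `obj` if that lookup ever failed. Restore the check by adding `INSIST(result == ISC_R_SUCCESS);` directly after `result = ns_config_get(maps, "fetches-per-zone", &obj);`. The `max-query-restarts` INSIST itself depends on a default being present in the built-in defaults, which this commit appears to add elsewhere; worth confirming that the default and the 1..255 check-time validation are the only things standing between `cfg_obj_asuint32(obj)` and `dns_view_setmaxrestarts()`, whose parameter width is not visible here. The enclosing function starts and ends outside the hunk.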
algorithm hmac-sha256;
};
+key restart16 {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
-zone "." {
- type hint;
- file "root.hint";
+view restart16 {
+ match-clients { key restart16; none; };
+ max-query-restarts 16;
+
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+};
+
+view default {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
};
echo_i "checking CNAME loops are detected ($n)"
ret=0
$RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
-$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
-grep "ANSWER: 12" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.1.test$n
+grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1
+grep "ANSWER: 12" dig.out.1.test$n >/dev/null || ret=1
+# also check with max-query-restarts 16:
+$DIG $DIGOPTS @10.53.0.7 -y "hmac-sha256:restart16:1234abcd8765" loop.example >dig.out.2.test$n
+grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1
+grep "ANSWER: 17" dig.out.2.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
serial-query-rate 100;
server-id none;
max-cache-size 20000000000000;
+ max-query-restarts 10;
nta-lifetime 604800;
nta-recheck 604800;
transfer-source 0.0.0.0 dscp 63;
file "yyy";
};
dnssec-validation auto;
+ max-query-restarts 15;
zone-statistics terse;
};
view "second" {
</listitem>
</varlistentry>
+ <varlistentry xml:id="max-query-restarts">
+ <term><command>max-query-restarts</command></term>
+ <listitem>
+ <para>
+ This sets the maximum number of successive CNAME targets to
+ follow when resolving a client query, before
+ terminating the query to avoid a CNAME loop.
+ Valid values are 1 to 255. The default is 11.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>notify-delay</command></term>
<listitem>
max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
max-journal-size ( unlimited | <sizeval> );
max-ncache-ttl <integer>;
+ max-query-restarts <integer>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
max-journal-size ( unlimited | <sizeval> );
max-ncache-ttl <integer>;
+ max-query-restarts <integer>;
max-records <integer>;
max-recursion-depth <integer>;
max-recursion-queries <integer>;
}
}
+ obj = NULL;
+ (void)cfg_map_get(options, "max-query-restarts", &obj);
+ if (obj != NULL) {
+ uint32_t restarts = cfg_obj_asuint32(obj);
+ if (restarts == 0 || restarts > 255) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'max-query-restarts' is out of "
+ "range 1..255)");
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_RANGE;
+ }
+ }
+ }
+
return (result);
}
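Review bot: The log message emitted for an out-of-range value has an unbalanced parenthesis, `"'max-query-restarts' is out of " "range 1..255)"`, which will read as a typo in the operator's logs; change the second fragment to `"range (1..255)"` or drop the `)`. The range check itself matches the documented limits (1 to 255) and correctly preserves an earlier failure by only promoting `result` to `ISC_R_RANGE` when it is still `ISC_R_SUCCESS`. A short comment above the block, such as `/* max-query-restarts: must fit 1..255; 0 would disable CNAME chasing entirely */`, would make the reason for rejecting 0 explicit. The enclosing function begins outside the hunk.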
{ "max-ncache-ttl", &cfg_type_uint32, 0 },
{ "max-recursion-depth", &cfg_type_uint32, 0 },
{ "max-recursion-queries", &cfg_type_uint32, 0 },
+ { "max-query-restarts", &cfg_type_uint32, 0 },
{ "max-udp-size", &cfg_type_uint32, 0 },
{ "message-compression", &cfg_type_boolean, 0 },
{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },