Adjust default value of "max-recursion-queries"

Since the queries sent towards root and TLD servers are now included in
the count (as a result of the fix for CVE-2020-8616),
"max-recursion-queries" has a higher chance of being exceeded by
non-attack queries.  Increase its default value from 75 to 100.

diff --git a/CHANGES b/CHANGES
index 9d93b66fdd96ccef5ddaeb1586f8ed18cb6591c2..1b8f9648171b77a9b0851d3643eaabf897e8d824 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5541.  [func]          Adjust the "max-recursion-queries" default from 75 to
+                       100. [GL #2305]
+
 5540.  [port]          Fix building with native PKCS#11 support for AEP Keyper.
                        [GL #2315]
 

diff --git a/bin/named/config.c b/bin/named/config.c
index 9b0c6f06e2f99621950099a4803d6dee9ebc4bbe..437d92ab5b6b3491be91fe8293257ac567335e30 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -170,7 +170,7 @@ options {\n\
        max-clients-per-query 100;\n\
        max-ncache-ttl 10800; /* 3 hours */\n\
        max-recursion-depth 7;\n\
-       max-recursion-queries 75;\n\
+       max-recursion-queries 100;\n\
        max-stale-ttl 43200; /* 12 hours */\n\
        message-compression yes;\n\
        min-ncache-ttl 0; /* 0 hours */\n\

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index bcbbe3d05debc7c77ca3fceab232acb01c40c138..fd40de3837562378863501d1b3d629b35e700eb7 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3514,7 +3514,7 @@ Tuning
 ``max-recursion-queries``
    This sets the maximum number of iterative queries that may be sent while
    servicing a recursive query. If more queries are sent, the recursive
-   query is terminated and returns SERVFAIL. The default is 75.
+   query is terminated and returns SERVFAIL. The default is 100.
 
 ``notify-delay``
    This sets the delay, in seconds, between sending sets of NOTIFY messages for a

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c58df5cafba3f4ed447276fb2a5de97495277b3b..23dae45db38c4d3e9b259855a3f694d1570d35d4 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -41,6 +41,12 @@ Feature Changes
   configuration. A new option 'nsec3param' can be used to set the desired
   NSEC3 parameters, and will detect collisions when resalting. [GL #1620].
 
+- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the
+  queries sent towards root and TLD servers are now included in the
+  count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries``
+  has a higher chance of being exceeded by non-attack queries, which is the
+  main reason for increasing its default value. [GL #2305]
+
 Bug Fixes
 ~~~~~~~~~
 

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index fcfbae17c67196e5e732b119b20bd498e5cab655..447d85062b118efeebbc364f2df0ea9b5f38efd1 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -181,7 +181,7 @@
 
 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 75
+#define DEFAULT_MAX_QUERIES 100
 #endif /* ifndef DEFAULT_MAX_QUERIES */
 
 /*