+9 October 2008: Wouter
+ - negative cache caps max iterations of NSEC3 done.
+
8 October 2008: Wouter
- NSEC negative cache for DS.
return dname_canon_lab_cmp(x->name, x->labs, y->name, y->labs, &m);
}
-struct val_neg_cache* val_neg_create(struct config_file* cfg)
+struct val_neg_cache* val_neg_create(struct config_file* cfg, size_t maxiter)
{
struct val_neg_cache* neg = (struct val_neg_cache*)calloc(1,
sizeof(*neg));
log_err("Could not create neg cache: out of memory");
return NULL;
}
+ neg->nsec3_max_iter = maxiter;
neg->max = 1024*1024; /* 1 M is thousands of entries */
if(cfg) neg->max = cfg->neg_cache_size;
rbtree_init(&neg->tree, &val_neg_zone_compare);
uint8_t* s;
size_t slen, it;
if(nsec3_get_params(nsec, 0, &h, &it, &s, &slen) &&
+ it <= neg->nsec3_max_iter &&
(h != zone->nsec3_hash || it != zone->nsec3_iter ||
slen != zone->nsec3_saltlen ||
memcmp(zone->nsec3_salt, s, slen) != 0)) {
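Review bot: The added `it <= neg->nsec3_max_iter` term gates only the adoption of the record's NSEC3 parameters, not the insertion of the record itself, so an NSEC3 whose iteration count exceeds the cap still appears to be stored in the zone under whatever parameters the zone already holds. That does satisfy the changelog's goal, since the cache will never hash with more than the allowed iterations, but such a record then costs cache memory and may be found by name in later lookups while its own parameters are never honoured; if the enclosing function has a way to reject a record, skipping over-cap records before this test would be the tighter fix. At minimum the intent deserves a line above the condition, `/* records over the iteration cap never update zone params, so we never hash with more than nsec3_max_iter iterations */`. The enclosing function starts and ends outside the hunk, so whether callers already filter such records is not visible here.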
size_t use;
/** max memory to use (bytes) */
size_t max;
+ /** max nsec3 iterations allowed */
+ size_t nsec3_max_iter;
};
/**
/**
* Create negative cache
* @param cfg: config options.
+ * @param maxiter: max nsec3 iterations allowed.
* @return neg cache, empty or NULL on failure.
*/
-struct val_neg_cache* val_neg_create(struct config_file* cfg);
+struct val_neg_cache* val_neg_create(struct config_file* cfg, size_t maxiter);
/**
* see how much memory is in use by the negative cache.
log_err("validator: error in trustanchors config");
return 0;
}
- if(!val_env->neg_cache)
- val_env->neg_cache = val_neg_create(cfg);
- if(!val_env->neg_cache) {
- log_err("out of memory");
- return 0;
- }
- env->neg_cache = val_env->neg_cache;
val_env->date_override = cfg->val_date_override;
c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
if(c < 1 || (c&1)) {
log_err("validator: cannot apply nsec3 key iterations");
return 0;
}
+ if(!val_env->neg_cache)
+ val_env->neg_cache = val_neg_create(cfg,
+ val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1]);
+ if(!val_env->neg_cache) {
+ log_err("out of memory");
+ return 0;
+ }
+ env->neg_cache = val_env->neg_cache;
return 1;
}
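Review bot: The cache's iteration cap is fixed at creation, because the moved block still calls val_neg_create only while `val_env->neg_cache` is NULL; if this routine is re-run on a configuration reload with a changed val-nsec3-key-iterations list, `nsec3_max_iter` keeps its old value while the validator's own table is presumably re-parsed. An else branch keeps the two in step, `else val_env->neg_cache->nsec3_max_iter = val_env->nsec3_maxiter[val_env->nsec3_keyiter_count-1];`. The index `nsec3_keyiter_count-1` is only safe if that count has been set from `c` (checked to be at least 1 a few lines above) in code this hunk does not show, and it takes the last table entry as the cap, which is the largest limit only when entries are sorted by ascending key size; a comment such as `/* last entry: iteration limit for the largest key size */` next to the call would make that dependency explicit.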