Adjust default value of "max-recursion-queries"

Since the queries sent towards root and TLD servers are now included in
the count (as a result of the fix for CVE-2020-8616),
"max-recursion-queries" has a higher chance of being exceeded by
non-attack queries.  Increase its default value from 75 to 100.

(cherry picked from commit ab0bf492035c01687dfff8f546b78ac30739348c)

diff --git a/CHANGES b/CHANGES
index da22e43c64c2196fe142d89d4d2a3fa791f769e9..d281aaa4e2f1a367507fe1e230e2c0621f5348b5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5541.  [func]          Adjust the "max-recursion-queries" default from 75 to
+                       100. [GL #2305]
+
 5540.  [port]          Fix building with native PKCS#11 support for AEP Keyper.
                        [GL #2315]
 

diff --git a/bin/named/config.c b/bin/named/config.c
index bec90ab2f27d38e5e8bee8fdbe06f3954bb091ca..18710ab538a363fd6ac8820f64a33ffe217a5878 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -185,7 +185,7 @@ options {\n\
        max-clients-per-query 100;\n\
        max-ncache-ttl 10800; /* 3 hours */\n\
        max-recursion-depth 7;\n\
-       max-recursion-queries 75;\n\
+       max-recursion-queries 100;\n\
        message-compression yes;\n\
 #      min-roots <obsolete>;\n\
        minimal-any false;\n\

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c3156ca88bab19dc12c2c7f58a34265de4a031d8..466a529506557881523c63d7d1b25c980d4ea134 100644 (file)
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9299,7 +9299,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                  This sets the maximum number of iterative queries that
                  may be sent while servicing a recursive query.
                  If more queries are sent, the recursive query
-                 is terminated and returns SERVFAIL.  The default is 75.
+                 is terminated and returns SERVFAIL.  The default is 100.
                </para>
              </listitem>
            </varlistentry>

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 35b5c9ddc66adb17e575d525c652f944f1eb0642..005f5a5c7eb2588357e14e380924659c2e3aaae9 100644 (file)
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -7115,7 +7115,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   This sets the maximum number of iterative queries that
                   may be sent while servicing a recursive query.
                   If more queries are sent, the recursive query
-                  is terminated and returns SERVFAIL.  The default is 75.
+                  is terminated and returns SERVFAIL.  The default is 100.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>

diff --git a/doc/arm/notes-9.11.26.xml b/doc/arm/notes-9.11.26.xml
index 6e5c7facfd54efc2eef39411e79e69ba1da7aad8..1499fc2a178b43e55cf2aff22205697a4e59808f 100644 (file)
--- a/doc/arm/notes-9.11.26.xml
+++ b/doc/arm/notes-9.11.26.xml
@@ -55,7 +55,14 @@
     <itemizedlist>
       <listitem>
         <para>
-          None.
+          Adjust the <command>max-recursion-queries</command> default
+          from 75 to 100. Since the queries sent towards root and
+          TLD servers are now included in the count (as a result
+          of the fix for CVE-2020-8616),
+          <command>max-recursion-queries</command> has a higher
+          chance of being exceeded by non-attack queries, which is
+          the main reason for increasing its default value. [GL
+          #2305]
         </para>
       </listitem>
     </itemizedlist>

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 320fc693417609caf57be99d461bca5b6a7b2a4a..8175f7918bcfff7a2b9bbad2256cedda0019d558 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -169,8 +169,8 @@
 
 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 75
-#endif
+#define DEFAULT_MAX_QUERIES 100
+#endif /* ifndef DEFAULT_MAX_QUERIES */
 
 /*
  * After NS_FAIL_LIMIT attempts to fetch a name server address,