apply max-recursion-queries quota to validator queries
authorEvan Hunt <each@isc.org>
Wed, 22 May 2024 22:17:47 +0000 (15:17 -0700)
committerOndřej Surý <ondrej@isc.org>
Tue, 20 Aug 2024 17:35:07 +0000 (17:35 +0000)
previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.

(cherry picked from commit af7db8951364a89c468eda1535efb3f53adc2c1f)
(cherry picked from commit 18e39d989f5a716045cd6d99b3bdb7a2633a2db8)

lib/dns/include/dns/validator.h
lib/dns/resolver.c
lib/dns/validator.c

index c5d7a31a419d9f06a82041fdaf95c7985fd7ebcc..585a3fc35c90895ca2f5f99a80f66b3d47d65bfd 100644 (file)
@@ -145,12 +145,13 @@ struct dns_validator {
        dns_fixedname_t       wild;
        dns_fixedname_t       closest;
        ISC_LINK(dns_validator_t) link;
-       bool          mustbesecure;
-       unsigned int  depth;
-       unsigned int  authcount;
-       unsigned int  authfail;
-       bool          failed;
-       isc_stdtime_t start;
+       bool           mustbesecure;
+       unsigned int   depth;
+       unsigned int   authcount;
+       unsigned int   authfail;
+       bool           failed;
+       isc_stdtime_t  start;
+       isc_counter_t *qc;
 };
 
 /*%
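Review bot: The new `qc` member at the end of struct dns_validator has no comment saying what it counts or who owns it, and the realignment of the six members above it makes the one functional line easy to miss. The other hunks show that the validator takes its own reference in dns_validator_create() and drops it in destroy(), and that the pointer may stay NULL. I would record that on the field, for example `isc_counter_t *qc; /* shared max-recursion-queries counter; own reference, may be NULL */`.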
@@ -168,7 +169,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
                     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
                     dns_message_t *message, unsigned int options,
                     isc_task_t *task, isc_taskaction_t action, void *arg,
-                    dns_validator_t **validatorp);
+                    isc_counter_t *qc, dns_validator_t **validatorp);
 /*%<
  * Start a DNSSEC validation.
  *
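Review bot: The prototype gains a `qc` argument, but the API comment that starts right after it is not touched in this hunk; it continues past the hunk, so any existing wording about arguments is not visible here. Callers need to know that NULL is accepted and that the validator attaches its own reference rather than borrowing the caller's, which is what the `if (qc != NULL) isc_counter_attach(qc, &val->qc);` hunk in validator.c implements. I would add a line to that comment such as `'qc', if not NULL, is the query counter charged for fetches made on behalf of this validation; the validator holds its own reference until it is destroyed.`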
index 5dce41a98f5f0b7f2afb929183b1af43dfc3a146..dc96bbf3f394fa0b09f6beffd3476bd4fd2cb05a 100644 (file)
@@ -933,7 +933,7 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
 
        result = dns_validator_create(fctx->res->view, name, type, rdataset,
                                      sigrdataset, message, valoptions, task,
-                                     validated, valarg, &validator);
+                                     validated, valarg, fctx->qc, &validator);
        if (result == ISC_R_SUCCESS) {
                inc_stats(fctx->res, dns_resstatscounter_val);
                if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
index 243b19f64e21c75c396eca5ab04410a8c3abbdc1..14b8aa4f2572f45fbdbac80692dcdf24230b1e66 100644 (file)
@@ -15,6 +15,7 @@
 #include <stdbool.h>
 
 #include <isc/base32.h>
+#include <isc/counter.h>
 #include <isc/md.h>
 #include <isc/mem.h>
 #include <isc/print.h>
@@ -1091,7 +1092,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
        validator_logcreate(val, name, type, caller, "validator");
        result = dns_validator_create(val->view, name, type, rdataset, sig,
                                      NULL, vopts, val->task, action, val,
-                                     &val->subvalidator);
+                                     val->qc, &val->subvalidator);
        if (result == ISC_R_SUCCESS) {
                val->subvalidator->parent = val;
                val->subvalidator->depth = val->depth + 1;
@@ -3136,7 +3137,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
                     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
                     dns_message_t *message, unsigned int options,
                     isc_task_t *task, isc_taskaction_t action, void *arg,
-                    dns_validator_t **validatorp) {
+                    isc_counter_t *qc, dns_validator_t **validatorp) {
        isc_result_t result = ISC_R_FAILURE;
        dns_validator_t *val;
        isc_task_t *tclone = NULL;
@@ -3177,6 +3178,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
                goto cleanup;
        }
 
+       if (qc != NULL) {
+               isc_counter_attach(qc, &val->qc);
+       }
+
        val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
        dns_rdataset_init(&val->fdsset);
        dns_rdataset_init(&val->frdataset);
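Review bot: Nothing in the hunks shown on this page consumes `val->qc`. It is attached here, forwarded to the subvalidator in create_validator(), and detached in destroy(), but no hunk passes it to the DNSKEY/DS fetches that the commit message says are now counted. If the validator's fetch-creation call is not changed in a part of the diff that this page omits, it needs to receive `val->qc`; otherwise the quota is carried through the validator chain but never charged, and validation-driven queries stay unbounded by max-recursion-queries. Separately, isc_counter_attach() expects the target pointer to be NULL on entry, so this line relies on `val` having been zero-initialised earlier in dns_validator_create(), which lies outside the hunk.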
@@ -3281,6 +3286,9 @@ destroy(dns_validator_t *val) {
        if (val->siginfo != NULL) {
                isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
        }
+       if (val->qc != NULL) {
+               isc_counter_detach(&val->qc);
+       }
        isc_mutex_destroy(&val->lock);
        dns_view_weakdetach(&val->view);
        isc_mem_put(mctx, val, sizeof(*val));