From: bert hubert
Date: Fri, 12 Jul 2013 09:03:24 +0000 (+0200)
Subject: implement udp-truncation-threshold to override the previous 1680 byte maximum respons...
X-Git-Tag: rec-3.6.0-rc1~572
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15668f6a14600220bb6d59bc8013d38318927bc2;p=thirdparty%2Fpdns.git
implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index d9f3f6f277..5ce0311265 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -75,7 +75,7 @@ void declareArguments()
 ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no";
 ::arg().set("allow-recursion","List of subnets that are allowed to recurse")="0.0.0.0/0";
 ::arg().set("pipebackend-abi-version","Version of the pipe backend ABI")="1";
-
+ ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
 ::arg().set("disable-tcp","Do not listen to TCP queries")="no";
 ::arg().set("disable-axfr","Do not allow zone transfers")="no";
@@ -339,6 +339,7 @@ void mainthread()
 g_anyToTcp = ::arg().mustDo("any-to-tcp");
 g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
+ DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
 {
 std::vector codes;
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index 61e68851c6..ffdc808c11 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -18,12 +18,9 @@ #include "utility.hh" #include - #include #include - #include - #include #include #include
@@ -46,6 +43,7 @@
 bool DNSPacket::s_doEDNSSubnetProcessing;
 std::vector DNSPacket::s_ednssubnetcodes;
+uint16_t DNSPacket::s_udpTruncationThreshold;
 DNSPacket::DNSPacket() {
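Review bot: In the mainthread() hunk, `DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");` stores the configured number into a uint16_t with no range check, so a value of 0, a negative number, or anything above 65535 wraps silently instead of being rejected at startup. This setting is the server's bound on UDP response size (the docs hunk ties it to reflection concerns and names 65535 as the maximum), so a bad value deserves a hard failure rather than a wrapped one; something like `int thr = ::arg().asNum("udp-truncation-threshold"); if(thr < 512 || thr > 65535) throw std::runtime_error("udp-truncation-threshold must be between 512 and 65535");` ahead of the assignment, using whatever exception type the startup path already catches, would do. 512 is the plain-DNS UDP floor, so a lower value would make every EDNS reply smaller than a non-EDNS one. mainthread() continues outside the hunk.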
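Review bot: `uint16_t DNSPacket::s_udpTruncationThreshold;` in the dnspacket.cc hunk is defined without an initializer, so it is zero until mainthread() assigns it, and any code path that parses EDNS packets without going through mainthread() (tools or tests that link dnspacket.cc, if there are any) would end up with a zero truncation limit. Initialising it to the value the removed constant had, `uint16_t DNSPacket::s_udpTruncationThreshold = 1680;`, keeps the previous behaviour as the fallback. A one-line comment saying that mainthread() overrides it from the udp-truncation-threshold setting would also tell the next reader where the value comes from.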
@@ -502,7 +500,7 @@ try
 if(getEDNSOpts(mdp, &edo)) {
 d_haveednssection=true;
- d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680);
+ d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);
 // cerr<& getRRS() { return d_rrs; }
 TSIGRecordContent d_trc;
 static bool s_doEDNSSubnetProcessing;
+ static uint16_t s_udpTruncationThreshold;
 static std::vector s_ednssubnetcodes;
 private:
 void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 43e31b0816..0e6492649f 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -15530,6 +15530,13 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received*
 IP address of incoming notification proxy
+ udp-truncation-threshold=...
+
+ EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however
+ also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit
+ was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes
+ our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted.
+
 urlredirector=...
 Where we send hosts to that need to be url redirected. See .
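Review bot: The new `d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);` has no lower bound, so a client advertising an EDNS0 buffer under 512 bytes, or a threshold configured (or left unset) below 512, makes d_maxreplylen smaller than the plain-DNS 512-byte floor; RFC 6891 section 6.2.5 says requestor sizes under 512 are to be treated as 512. The removed line had the same gap with its constant, but now that the bound is operator-configurable it is worth clamping at the point of use, e.g. `d_maxreplylen=std::max<uint16_t>(512, std::min(edo.d_packetsize, s_udpTruncationThreshold));`. The enclosing function starts and ends outside the hunk, and the context after the changed line is garbled in this rendering (the dnspacket.hh file header appears to have been lost), so a clamp elsewhere in the function would not be visible here.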