From: Aram Sargsyan <aram@isc.org>
Date: Wed, 27 Aug 2025 15:25:43 +0000 (+0000)
Subject: Log the servfail-until-ready message not faster than once per second
X-Git-Tag: v9.21.12~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1962857ac4a306c99799a730aab2996ea1d46e72;p=thirdparty%2Fbind9.git

Log the servfail-until-ready message not faster than once per second

Since the log level has been raised, busy servers can "explode" from
the amount of log messages. Use the usual practice of logging "every
once in a while".
---

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 11b9ee02145..99f742a2929 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -20,6 +20,7 @@
 #include <string.h>
 
 #include <isc/async.h>
+#include <isc/atomic.h>
 #include <isc/counter.h>
 #include <isc/hex.h>
 #include <isc/list.h>
@@ -208,6 +209,20 @@ client_trace(ns_client_t *client, int level, const char *message) {
 	} while (0)
 #define RESTORE(a, b) SAVE(a, b)
 
+static atomic_uint_fast32_t last_rpznotready_log = 0;
+
+static bool
+can_log_rpznotready(void) {
+	isc_stdtime_t last;
+	isc_stdtime_t now = isc_stdtime_now();
+	last = atomic_exchange_relaxed(&last_rpznotready_log, now);
+	if (now != last) {
+		return true;
+	}
+
+	return false;
+}
+
 static bool
 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
@@ -4007,9 +4022,12 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 		/* Do not pollute SERVFAIL cache  */
 		client->inner.attributes |= NS_CLIENTATTR_NOSETFC;
 
-		rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
-			     DNS_RPZ_TYPE_QNAME, "RPZ servfail-until-ready",
-			     DNS_R_WAIT);
+		if (can_log_rpznotready()) {
+			rpz_log_fail(client, DNS_RPZ_INFO_LEVEL, NULL,
+				     DNS_RPZ_TYPE_QNAME,
+				     "RPZ servfail-until-ready", DNS_R_WAIT);
+		}
+
 		st->m.policy = DNS_RPZ_POLICY_ERROR;
 		goto cleanup;
 	}