From: Otto Moerbeek Date: Fri, 18 Mar 2022 12:38:45 +0000 (+0100) Subject: Docs, and config switch (default off) X-Git-Tag: rec-4.7.0-beta1~44^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bb2408754b4eaa785f1d5af4d3c2f4346fafb05;p=thirdparty%2Fpdns.git Docs, and config switch (default off)
---
diff --git a/pdns/recursordist/docs/appendices/internals.rst b/pdns/recursordist/docs/appendices/internals.rst
index 66b75a26c9..1d7d46a993 100644
--- a/pdns/recursordist/docs/appendices/internals.rst
+++ b/pdns/recursordist/docs/appendices/internals.rst
@@ -445,6 +445,15 @@ new data should overwrite old data. Note that PowerDNS deviates from RFC 2181 (section 5.4.1) in this respect.
+Starting with version 4.7.0, there is a mechanism to save the
+parent NS set if it contains *more* names than the child NS set.
+This allows fallback to the saved parent NS set on resolution errors
+using the child specified NS set.
+As experience shows, this configuration error is encountered in the
+wild often enough to warrant this workaround.
+See :ref:`setting-save-parent-ns-set`.
+
+
 Some small things
 ------------------
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 87adce2454..c68ec4cff6 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1698,6 +1698,18 @@ The effect of this is far fewer queries to the root-servers. Default is 'yes' now, was 'no' before 4.0.0
+.. _setting-save-parent-ns-set:
+
+``save-parent-ns-set``
+----------------------
+.. versionadded:: 4.7.0
+
+- Boolean
+- Default: yes
+
+If set, a parent (non-authoritative) ``NS`` set is saved if it contains more entries than a newly encountered child (authoritative) ``NS`` set for the same domain.
+The saved parent ``NS`` set is tried if resolution using the child ``NS`` set fails.
+
 .. _setting-security-poll-suffix:
 ``security-poll-suffix``
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 3eb750d138..0bd399538a 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -18,6 +18,10 @@ If IPv6 is enabled for outgoing queries using :ref:`setting-query-local-address` These addresses will then be used for future queries to authoritative nameservers. This has the consequence that authoritative nameservers will be contacted over IPv6 in more case than before.
+New settings
+^^^^^^^^^^^^
+- The :ref:`settings-save-parent-ns-set` setting has been introduced, enabling fall-back cases if the parent ``NS`` set contains names not in the child ``NS`` set.
+
 Deprecated and changed settings
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 - The :ref:`setting-hint-file` gained a special value ``no`` to indicate that no hint file should not processed. The hint processing code is also made less verbose.
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 0b1aa95889..9c65f9745a 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -1310,6 +1310,7 @@ static int serviceMain(int argc, char* argv[])
 SyncRes::s_dot_to_port_853 = ::arg().mustDo("dot-to-port-853");
 SyncRes::s_event_trace_enabled = ::arg().asNum("event-trace-enabled");
+ SyncRes::s_save_parent_ns_set = ::arg().mustDo("save-parent-ns-set");
 if (SyncRes::s_tcp_fast_open_connect) {
 checkFastOpenSysctl(true);
@@ -2496,6 +2497,7 @@ int main(int argc, char** argv)
 ::arg().set("tcp-out-max-queries", "Maximum total number of queries per TCP/DoT connection, 0 means no limit") = "0";
 ::arg().set("tcp-out-max-idle-per-thread", "Maximum number of idle TCP/DoT connections per thread") = "100";
 ::arg().setSwitch("structured-logging", "Prefer structured logging") = "yes";
+ ::arg().setSwitch("save-parent-ns-set", "Save parent NS set to be used if child NS set fails") = "yes";
 ::arg().setCmd("help", "Provide a helpful message");
 ::arg().setCmd("version", "Print version string");
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index ab871984af..6a39c7ea16 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -145,6 +145,7 @@ int SyncRes::s_tcp_fast_open;
 bool SyncRes::s_tcp_fast_open_connect;
 bool SyncRes::s_dot_to_port_853;
 int SyncRes::s_event_trace_enabled;
+bool SyncRes::s_save_parent_ns_set;
 #define LOG(x) if(d_lm == Log) { g_log <> fallBack; {
@@ -3882,7 +3883,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 if (doCache) {
 // Check if we are going to replace a non-auth (parent) NS recordset
- if (isAA && i->first.type == QType::NS) {
+ if (isAA && i->first.type == QType::NS && s_save_parent_ns_set) {
 rememberParentSetIfNeeded(i->first.name, i->second.records, depth);
 }
 g_recCache->replace(d_now.tv_sec, i->first.name, i->first.type, i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, auth, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, d_routingTag, recordState, remoteIP);
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 427869b54d..fb8c69dac8 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
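Review bot: The switch is registered with default `"yes"` in main(), while the commit subject says "config switch (default off)"; the settings.rst entry in this same commit also documents `Default: yes`, so the subject and the value contradict each other and one of them has to change before merge. If off is the intent, the added line should read `::arg().setSwitch("save-parent-ns-set", "Save parent NS set to be used if child NS set fails") = "no";` and the docs default must follow. The upgrade notes reference `:ref:`settings-save-parent-ns-set`` while the label that settings.rst defines is `setting-save-parent-ns-set`, so that cross-reference will not resolve. main() continues on both sides of the hunk.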
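Review bot: In updateCacheFromRecords the new condition tests `s_save_parent_ns_set` last, after `isAA` and the QType comparison; the flag is a process-wide switch, so testing it first short-circuits the per-record checks and reads as "feature enabled, then record qualifies": `if (s_save_parent_ns_set && isAA && i->first.type == QType::NS) {`. The comment above it still says only that a parent NS recordset is about to be replaced and should name the gate, e.g. `// With save-parent-ns-set enabled, remember a larger non-auth (parent) NS set before the child's set replaces it`. This hunk gates only the saving side; the consumer of the saved set (the `fallBack` code, garbled in this excerpt) is not visibly gated, so with the switch off the fallback presumably relies on the saved set never being populated, which deserves a one-line comment at the consumer or a matching check. `s_save_parent_ns_set` is a plain static read here on resolver threads and assigned once in serviceMain, like its neighbours, which is fine only if that assignment precedes thread start; the excerpt does not show that, and updateCacheFromRecords continues on both sides of the hunk.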
@@ -815,7 +815,8 @@ public:
 static const int event_trace_to_pb = 1;
 static const int event_trace_to_log = 2;
 static int s_event_trace_enabled;
-
+ static bool s_save_parent_ns_set;
+
 std::unordered_map d_discardedPolicies;
 DNSFilterEngine::Policy d_appliedPolicy;
 std::unordered_set d_policyTags;
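Review bot: The new `static bool s_save_parent_ns_set;` member is undocumented, unlike the setting it mirrors in settings.rst, and its definition in syncres.cc carries no initializer, so the value before configuration is the zero-initialized `false` only by implication. A short comment on the declaration would capture the contract: `// save-parent-ns-set: keep a larger parent (non-auth) NS set as a fallback for when the child NS set fails; assigned once from config in serviceMain`. Giving the definition an explicit initializer, `bool SyncRes::s_save_parent_ns_set{false};` (or `{true}` if that is the intended default, which the commit subject and settings.rst currently disagree on), makes the intent visible at the definition site. The class body continues outside the hunk.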