From: Evan Hunt
Date: Tue, 25 Jun 2024 21:39:58 +0000 (-0700)
Subject: reduce the max-recursion-queries default to 32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20060f87549a6e26e85af703afa82bca5c851472;p=thirdparty%2Fbind9.git
reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a name now defaults to 32 rather than 100.
(cherry picked from commit 7e3b425dc283df66df9c46002307ab676e10e4fd)
(cherry picked from commit a11367ade3f4ebd314c31a1ef45965e3859b5095)
---
diff --git a/bin/named/config.c b/bin/named/config.c
index d24e4f8a26e..d9e6be5bb48 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -185,7 +185,7 @@ options {\n\
 max-clients-per-query 100;\n\
 max-ncache-ttl 10800; /* 3 hours */\n\
 max-recursion-depth 7;\n\
- max-recursion-queries 100;\n\
+ max-recursion-queries 32;\n\
 message-compression yes;\n\
 # min-roots ;\n\
 minimal-any false;\n\
diff --git a/bin/tests/system/reclimit/ns3/named1.conf.in b/bin/tests/system/reclimit/ns3/named1.conf.in
index ff82fc85970..01ff6fa66e8 100644
--- a/bin/tests/system/reclimit/ns3/named1.conf.in
+++ b/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -19,6 +19,7 @@ options {
 listen-on { 10.53.0.3; };
 listen-on-v6 { none; };
 servfail-ttl 0;
+ max-recursion-queries 50;
 max-recursion-depth 12;
 };
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
index 9c60f871508..63020e6db9d 100644
--- a/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -27,6 +27,7 @@ options {
 allow-query {!10.53.0.8; any; };
 max-zone-ttl unlimited;
 attach-cache "globalcache";
+ max-recursion-queries 50;
 };
 server 10.53.0.3 {
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index b949b8b553e..8221eb17968 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9297,10 +9297,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 This sets the maximum number of iterative queries that
- may be sent while servicing a recursive query.
- If more queries are sent, the recursive query
- is terminated and returns SERVFAIL. The default is 100.
-
+ may be sent by a resolver while looking up a single name.
+ If more queries than this need to be sent before
+ an answer is reached, then recursion is terminated
+ and a SERVFAIL response is returned to the client.
+ (Note: if the answer is a CNAME, then the subsequent
+ lookup for the target of the CNAME is counted
+ separately.) The default is 32.
+
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 41e0aa5b5a9..a4e4f4c6f6a 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -170,7 +170,7 @@
 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 100
+#define DEFAULT_MAX_QUERIES 50
 #endif /* ifndef DEFAULT_MAX_QUERIES */
 /*
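Review bot: The new library fallback `#define DEFAULT_MAX_QUERIES 50` in lib/dns/resolver.c disagrees with the 32 that the commit title, the built-in defaults in bin/named/config.c and the updated ARM text all give as the new default. If named always overrides this value from its config.c defaults, the 50 only reaches libdns callers that never set the limit explicitly, but anyone reading resolver.c next to the ARM cannot tell which number is authoritative, and for a change that exists to bound resolver work under hostile delegations the effective limit should be unambiguous. Either make it `#define DEFAULT_MAX_QUERIES 32` or document the deliberate split with a comment above the `#ifndef`, e.g. `/* Library fallback only; named applies the documented default (32) from bin/named/config.c. */`. The test configurations in this commit pin `max-recursion-queries 50;` explicitly, which suggests the reclimit/resolver tests were tuned against 50 rather than the new default — that reasoning belongs in the commit message or a comment in those conf files.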