From: Evan Hunt
Date: Wed, 26 Jun 2024 06:49:00 +0000 (-0700)
Subject: implement 'max-query-restarts'
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e0643a6dc9fbebca386467dec6f92dd4949c5fc;p=thirdparty%2Fbind9.git

implement 'max-query-restarts'

implement, document, and test the 'max-query-restarts' option which specifies the query restart limit - the number of times we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb7c7cd03edc36507b167cfc6e11d17c)
(cherry picked from commit 2e04f0380c5af65661ee906ffc0730e6ea8040aa)
---
diff --git a/bin/named/config.c b/bin/named/config.c
index ff3f272d266..52c8155c341 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -168,6 +168,7 @@ options {\n\
 max-ncache-ttl 10800; /* 3 hours */\n\
 max-recursion-depth 7;\n\
 max-recursion-queries 32;\n\
+ max-query-restarts 11;\n\
 max-stale-ttl 86400; /* 1 day */\n\
 message-compression yes;\n\
 min-ncache-ttl 0; /* 0 hours */\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index 1926dc651a1..444bb9be059 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5480,6 +5480,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 INSIST(result == ISC_R_SUCCESS);
 dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
+ obj = NULL;
+ result = named_config_get(maps, "max-query-restarts", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj));
+
 obj = NULL;
 result = named_config_get(maps, "fetches-per-zone", &obj);
 INSIST(result == ISC_R_SUCCESS);
diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in
index 31ca3ef5322..a531fe29b7e 100644
--- a/bin/tests/system/chain/ns7/named.conf.in
+++ b/bin/tests/system/chain/ns7/named.conf.in
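Review bot: The new defaults entry `max-query-restarts 11;` is inserted after `max-recursion-queries 32;`, but the surrounding entries in this defaults table are in alphabetical order and "query" sorts before "recursion", so the line belongs one position earlier, between `max-ncache-ttl` and `max-recursion-depth`. The same placement applies to the `view_clauses[]` entry in lib/isccfg/namedconf.c, whereas the generated doc/misc/options already lists the option in sorted position. The default of 11 matches the value documented in doc/arm/reference.rst.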
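Review bot: `dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj));` passes the raw 32-bit configuration value to the view with no range check at this point, so the documented 1..255 limit holds here only because check_options() in lib/bind9/check.c (also in this patch) rejects other values, assuming that check runs before configure_view() for every view; if the setter's parameter is narrower than uint32_t, a value that bypassed that check would be truncated silently. A comment on that line, such as `/* 1..255; range enforced by check_options() at load time */`, would record the dependency for the next reader. The INSIST on `named_config_get()` is satisfied by the default added to bin/named/config.c in the same patch. configure_view continues outside the hunk.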
@@ -35,11 +35,28 @@ key rndc_key {
 algorithm hmac-sha256;
 };
+key restart16 {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
 controls {
 inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
-zone "." {
- type hint;
- file "root.hint";
+view restart16 {
+ match-clients { key restart16; none; };
+ max-query-restarts 16;
+
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+};
+
+view default {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
 };
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 0ecdb68e95a..9671641fbb4 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -79,6 +79,7 @@ options {
 check-names primary warn;
 check-names secondary ignore;
 max-cache-size 20000000000000;
+ max-query-restarts 10;
 nta-lifetime 604800;
 nta-recheck 604800;
 validate-except {
@@ -111,6 +112,7 @@ view "first" {
 max-ixfr-ratio unlimited;
 };
 dnssec-validation auto;
+ max-query-restarts 15;
 zone-statistics terse;
 };
 view "second" {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 9127dc0d9a2..991ee467d33 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3700,6 +3700,11 @@ Tuning
 is a CNAME, then the subsequent lookup for the target of the CNAME is counted separately.) The default is 32.
+``max-query-restarts``
+ This sets the maximum number of successive CNAME targets to follow
+ when resolving a client query, before terminating the query to avoid a
+ CNAME loop. Valid values are 1 to 255. The default is 11.
+
 ``notify-delay``
 This sets the delay, in seconds, between sending sets of NOTIFY messages for a zone. Whenever a NOTIFY message is sent for a zone, a timer will
diff --git a/doc/misc/options b/doc/misc/options
index 7a3b77171f7..87e438005b4 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -242,6 +242,7 @@ options {
 max-ixfr-ratio ( unlimited | );
 max-journal-size ( default | unlimited | );
 max-ncache-ttl ;
+ max-query-restarts ;
 max-records ;
 max-records-per-type ;
 max-recursion-depth ;
@@ -624,6 +625,7 @@ view [ ] {
 max-ixfr-ratio ( unlimited | );
 max-journal-size ( default | unlimited | );
 max-ncache-ttl ;
+ max-query-restarts ;
 max-records ;
 max-records-per-type ;
 max-recursion-depth ;
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 8fa18a75d89..6f384216e30 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -216,6 +216,7 @@ options {
 max-ixfr-ratio ( unlimited | );
 max-journal-size ( default | unlimited | );
 max-ncache-ttl ;
+ max-query-restarts ;
 max-records ;
 max-records-per-type ;
 max-recursion-depth ;
@@ -561,6 +562,7 @@ view [ ] {
 max-ixfr-ratio ( unlimited | );
 max-journal-size ( default | unlimited | );
 max-ncache-ttl ;
+ max-query-restarts ;
 max-records ;
 max-records-per-type ;
 max-recursion-depth ;
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ee64543ab8b..db87964ce05 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1781,6 +1781,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 }
 }
+ obj = NULL;
+ (void)cfg_map_get(options, "max-query-restarts", &obj);
+ if (obj != NULL) {
+ uint32_t restarts = cfg_obj_asuint32(obj);
+ if (restarts == 0 || restarts > 255) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'max-query-restarts' is out of "
+ "range 1..255)");
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_RANGE;
+ }
+ }
+ }
+
 return (result);
 }
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 69525dcc902..232a309418b 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
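Review bot: The error text in the new `cfg_obj_log()` call, `"'max-query-restarts' is out of " "range 1..255)"`, ends with an unmatched closing parenthesis; change the second literal to `"range 1..255"` or open the parenthesis before `1..255`. The range test itself matches the documented 1..255 limit, and `if (result == ISC_R_SUCCESS) { result = ISC_R_RANGE; }` correctly preserves an error already recorded by an earlier check. Whether the view-level setting exercised by `max-query-restarts 15;` in the checkconf good.conf is covered as well depends on check_options() also being invoked for view option blocks, which this hunk does not show. check_options begins outside the hunk.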
@@ -2059,6 +2059,7 @@ static cfg_clausedef_t view_clauses[] = {
 { "max-ncache-ttl", &cfg_type_duration, 0 },
 { "max-recursion-depth", &cfg_type_uint32, 0 },
 { "max-recursion-queries", &cfg_type_uint32, 0 },
+ { "max-query-restarts", &cfg_type_uint32, 0 },
 { "max-stale-ttl", &cfg_type_duration, 0 },
 { "max-udp-size", &cfg_type_uint32, 0 },
 { "message-compression", &cfg_type_boolean, 0 },