From: Vladimír Čunát Date: Fri, 29 Nov 2019 16:03:41 +0000 (+0100) Subject: iterate: reduce CNAME length limit: 40 -> 13 X-Git-Tag: v4.3.0~2^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fbd5baf3ce74b5b15241cd4a002b9d03e6d1033;p=thirdparty%2Fknot-resolver.git iterate: reduce CNAME length limit: 40 -> 13 Unbound has limit 10, and practically useful numbers are way lower. --- diff --git a/NEWS b/NEWS index 3618d8030..2a7aa2782 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,7 @@ Improvements - watchdog module: support testing a DNS query (and switch C -> lua; !878) - performance: use sendmmsg syscall towards clients by default (!877) - daemon now attempts to drop all capabilities (!896) +- reduce CNAME chain length limit - now <= 12 (!899) Knot Resolver 4.2.2 (2019-10-07) diff --git a/lib/defines.h b/lib/defines.h index 37750c59a..f49e974df 100644 --- a/lib/defines.h +++ b/lib/defines.h @@ -61,7 +61,7 @@ static inline int KR_COLD kr_error(int x) { #define KR_CONN_RETRY 200 /* Retry interval for network activity */ #define KR_ITER_LIMIT 100 /* Built-in iterator limit */ #define KR_RESOLVE_TIME_LIMIT 10000 /* Upper limit for resolution time of single query, ms */ -#define KR_CNAME_CHAIN_LIMIT 40 /* Built-in maximum CNAME chain length */ +#define KR_CNAME_CHAIN_LIMIT 13 /* Built-in maximum CNAME chain length */ #define KR_TIMEOUT_LIMIT 4 /* Maximum number of retries after timeout. */ #define KR_QUERY_NSRETRY_LIMIT 4 /* Maximum number of retries per query. */
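Review bot: In the NEWS hunk, the added entry "reduce CNAME chain length limit - now <= 12 (!899)" gives a different number from the commit subject ("40 -> 13") and does not mention the previous limit, so a reader of the changelog cannot tell how large the reduction is or how 12 relates to the constant set to 13. Suggest stating both the old and the new effective limit in the entry, and wording it so operators see that chains longer than the new limit will no longer be followed.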
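Review bot: In the lib/defines.h hunk, the comment on KR_CNAME_CHAIN_LIMIT still reads "Built-in maximum CNAME chain length", which suggests a chain of 13 is accepted, while the NEWS entry in the same patch says the limit is "<= 12". The comment should say whether the bound is inclusive or exclusive so the constant and the changelog agree. The rationale ("Unbound has limit 10, and practically useful numbers are way lower") appears only in the commit message; a short note next to the define would keep it visible to anyone who later considers changing the value.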