From: Evan Hunt Date: Wed, 26 Jun 2024 06:49:00 +0000 (-0700) Subject: implement 'max-query-restarts' X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88b02280b9c70192c71fcde535e0dd7a0808a999;p=thirdparty%2Fbind9.git implement 'max-query-restarts' implement, document, and test the 'max-query-restarts' option which specifies the query restart limit - the number of times we can follow CNAMEs before terminating resolution. (cherry picked from commit 104f3b82fb7c7cd03edc36507b167cfc6e11d17c) (cherry picked from commit 2e04f0380c5af65661ee906ffc0730e6ea8040aa) --- diff --git a/bin/named/config.c b/bin/named/config.c index d9e6be5bb48..445d0d7f570 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -186,6 +186,7 @@ options {\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ max-recursion-queries 32;\n\ + max-query-restarts 11;\n\ message-compression yes;\n\ # min-roots ;\n\ minimal-any false;\n\ diff --git a/bin/named/server.c b/bin/named/server.c index 9826588e6dd..5125ad7ab93 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4555,8 +4555,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj)); obj = NULL; - result = ns_config_get(maps, "fetches-per-zone", &obj); + result = ns_config_get(maps, "max-query-restarts", &obj); INSIST(result == ISC_R_SUCCESS); + dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "fetches-per-zone", &obj); obj2 = cfg_tuple_get(obj, "fetches"); dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2)); obj2 = cfg_tuple_get(obj, "response"); diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in index 48a8aacba27..6e1e29864cf 100644 --- a/bin/tests/system/chain/ns7/named.conf.in +++ b/bin/tests/system/chain/ns7/named.conf.in 
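Review bot: The `INSIST(result == ISC_R_SUCCESS);` that used to guard the `fetches-per-zone` lookup now guards the `max-query-restarts` lookup instead, so the re-added `result = ns_config_get(maps, "fetches-per-zone", &obj);` falls straight into `cfg_tuple_get(obj, "fetches")` with `result` unchecked. If that lookup ever fails (a regression in the built-in defaults would be enough), `obj` stays NULL and `cfg_tuple_get` dereferences it instead of tripping the assertion. Restore the check by adding `INSIST(result == ISC_R_SUCCESS);` directly after the fetches-per-zone line. The value handed to `dns_view_setmaxrestarts()` is the raw uint32 from the parser; the 1..255 bound is enforced only by the checker in lib/bind9/check.c, so this code presumably relies on that running first — worth confirming. configure_view's body starts and ends outside this hunk.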
@@ -33,11 +33,28 @@ key rndc_key { algorithm hmac-sha256; }; +key restart16 { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + controls { inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; -zone "." { - type hint; - file "root.hint"; +view restart16 { + match-clients { key restart16; none; }; + max-query-restarts 16; + + zone "." { + type hint; + file "root.hint"; + }; +}; + +view default { + zone "." { + type hint; + file "root.hint"; + }; }; diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh index 9e25346fd97..b0f47ae0ff1 100644 --- a/bin/tests/system/chain/tests.sh +++ b/bin/tests/system/chain/tests.sh @@ -126,9 +126,13 @@ n=`expr $n + 1` echo_i "checking CNAME loops are detected ($n)" ret=0 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i -$DIG $DIGOPTS @10.53.0.7 loop.example > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 12" dig.out.test$n > /dev/null || ret=1 +$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.1.test$n +grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep "ANSWER: 12" dig.out.1.test$n >/dev/null || ret=1 +# also check with max-query-restarts 16: +$DIG $DIGOPTS @10.53.0.7 -y "hmac-sha256:restart16:1234abcd8765" loop.example >dig.out.2.test$n +grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep "ANSWER: 17" dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index 2282f8775af..a4e1c5cf112 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -64,6 +64,7 @@ options { serial-query-rate 100; server-id none; max-cache-size 20000000000000; + max-query-restarts 10; nta-lifetime 604800; nta-recheck 604800; transfer-source 0.0.0.0 dscp 63; 
@@ -84,6 +85,7 @@ view "first" { file "yyy"; }; dnssec-validation auto; + max-query-restarts 15; zone-statistics terse; }; view "second" { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 8221eb17968..5c45daa0037 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -9308,6 +9308,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; + + max-query-restarts + + + This sets the maximum number of successive CNAME targets to + follow when resolving a client query, before + terminating the query to avoid a CNAME loop. + Valid values are 1 to 255. The default is 11. + + + + notify-delay diff --git a/doc/misc/options b/doc/misc/options index e11beed292d..88a59bab2bd 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -219,6 +219,7 @@ options { max-ixfr-log-size ( default | unlimited | ); // obsolete max-journal-size ( unlimited | ); max-ncache-ttl ; + max-query-restarts ; max-records ; max-recursion-depth ; max-recursion-queries ; @@ -534,6 +535,7 @@ view [ ] { max-ixfr-log-size ( default | unlimited | ); // obsolete max-journal-size ( unlimited | ); max-ncache-ttl ; + max-query-restarts ; max-records ; max-recursion-depth ; max-recursion-queries ; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index f9908607574..b562869a183 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1519,6 +1519,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, } } + obj = NULL; + (void)cfg_map_get(options, "max-query-restarts", &obj); + if (obj != NULL) { + uint32_t restarts = cfg_obj_asuint32(obj); + if (restarts == 0 || restarts > 255) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'max-query-restarts' is out of " + "range 1..255)"); + if (result == ISC_R_SUCCESS) { + result = ISC_R_RANGE; + } + } + } + return (result); } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index e74c93b9d9e..5d376a5711b 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
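Review bot: The error message in the new range check has an unbalanced parenthesis: `"'max-query-restarts' is out of range 1..255)"` closes a paren that is never opened; change it to `"'max-query-restarts' is out of range (1..255)"` or drop the stray `)`. The check itself matches the documented 1..255 range, and setting `result = ISC_R_RANGE` only while result is still success follows the surrounding pattern. Since the rest of the change passes the parsed uint32 through without further bounds checks, this appears to be the only place the range is enforced, so it must also be reached for the view-level clause; whether check_options is invoked for views is not visible in this hunk. check_options begins before this hunk.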
@@ -1778,6 +1778,7 @@ view_clauses[] = { { "max-ncache-ttl", &cfg_type_uint32, 0 }, { "max-recursion-depth", &cfg_type_uint32, 0 }, { "max-recursion-queries", &cfg_type_uint32, 0 }, + { "max-query-restarts", &cfg_type_uint32, 0 }, { "max-udp-size", &cfg_type_uint32, 0 }, { "message-compression", &cfg_type_boolean, 0 }, { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
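Review bot: The new clause `{ "max-query-restarts", &cfg_type_uint32, 0 },` breaks the alphabetical order the surrounding `view_clauses[]` entries keep ("max-query-…" sorts before "max-recursion-…"); move it to sit between `max-ncache-ttl` and `max-recursion-depth`, which is also where doc/misc/options lists it. `cfg_type_uint32` accepts the full 32-bit range, so the 1..255 restriction documented in the ARM lives only in the checker; a comment on the clause such as `/* 1..255, range enforced in lib/bind9/check.c */` would keep the next reader from assuming the grammar bounds it.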