From: Evan Hunt Date: Tue, 16 Dec 2014 06:28:26 +0000 (-0800) Subject: [v9_10] adjust max-recursion-queries X-Git-Tag: v9.10.2b1~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0e91083115c8a555e1d55acfeb230700f9eb1ff;p=thirdparty%2Fbind9.git [v9_10] adjust max-recursion-queries 4021. [bug] Adjust max-recursion-queries to accommodate the need for more queries when the cache is empty. [RT #38104] (cherry picked from commit be7fba80190c33b0e50f086509b42bb319bb95b4) --- diff --git a/CHANGES b/CHANGES index 030d276b3f9..8b5338049b5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4021. [bug] Adjust max-recursion-queries to accommodate + the need for more queries when the cache is + empty. [RT #38104] + 4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery resulting in updates being sent to the wrong server. [RT #37925] diff --git a/bin/named/config.c b/bin/named/config.c index 8a611e6b4ac..404c383b687 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -169,7 +169,7 @@ options {\n\ clients-per-query 10;\n\ max-clients-per-query 100;\n\ max-recursion-depth 7;\n\ - max-recursion-queries 50;\n\ + max-recursion-queries 75;\n\ zero-no-soa-ttl-cache no;\n\ nsec3-test-zone no;\n\ allow-new-zones no;\n\ diff --git a/bin/tests/system/reclimit/ns3/named3.conf b/bin/tests/system/reclimit/ns3/named3.conf index 2267699424a..d1c9ff676e2 100644 --- a/bin/tests/system/reclimit/ns3/named3.conf +++ b/bin/tests/system/reclimit/ns3/named3.conf @@ -26,6 +26,7 @@ options { listen-on { 10.53.0.3; }; listen-on-v6 { none; }; max-recursion-depth 100; + max-recursion-queries 50; }; key rndc_key { diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index a658282b2f3..96a86ef6596 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -8971,8 +8971,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. The default - is 50. + is terminated and returns SERVFAIL. Queries to + look up top level comains such as "com" and "net" + and the DNS root zone are exempt from this limitation. + The default is 75. diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index fc35312ba06..4e62335577a 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -268,6 +268,13 @@ rather than the SOA MNAME server when sending the UPDATE. + + + Adjusted max-recursion-queries to accommodate the smaller + initial packet sizes used in BIND 9.10 and higher when + contacting authoritative servers for the first time. + + diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 2a45dadae49..51bac51f4c7 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -3893,11 +3893,11 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { goto out; /* XXXMLG Don't pound on bad servers. */ if (address_type == DNS_ADBFIND_INET) { - name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); + name->expire_v4 = ISC_MIN(name->expire_v4, now + 10); name->fetch_err = FIND_ERR_FAILURE; inc_stats(adb, dns_resstatscounter_gluefetchv4fail); } else { - name->expire_v6 = ISC_MIN(name->expire_v6, now + 300); + name->expire_v6 = ISC_MIN(name->expire_v6, now + 10); name->fetch6_err = FIND_ERR_FAILURE; inc_stats(adb, dns_resstatscounter_gluefetchv6fail); } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 2f0c11b7a40..cc00c2a7fd5 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -144,7 +144,7 @@ /* The default maximum number of iterative queries to allow before giving up. */ #ifndef DEFAULT_MAX_QUERIES -#define DEFAULT_MAX_QUERIES 50 +#define DEFAULT_MAX_QUERIES 75 #endif /*% 
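Review bot: In the lib/dns/adb.c hunk the failure expiry in fetch_callback drops from `now + 300` to `now + 10`, but the comment directly above still reads `/* XXXMLG Don't pound on bad servers. */` and nothing explains why 10 seconds is now enough back-off. A name whose glue fetch failed becomes eligible for a new fetch thirty times as often, so an unreachable or broken authoritative server will see correspondingly more retries from this resolver. I would name the value and record the trade-off next to it, for example `#define ADB_FETCH_FAIL_TTL 10 /* seconds a failed address fetch is remembered; kept short so lookups recover quickly */`, and use it in both the v4 and v6 branches instead of the bare literal. The rationale in that comment is inferred from the commit message and should be confirmed by the author; fetch_callback begins and ends outside the hunk.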
@@ -3327,6 +3327,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { REQUIRE(!ADDRWAIT(fctx)); + /* We've already exceeded maximum query count */ + if (isc_counter_used(fctx->qc) > fctx->res->maxqueries) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), + "exceeded max queries resolving '%s'", + fctx->info); + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); + return; + } + addrinfo = fctx_nextaddress(fctx); if (addrinfo == NULL) { /* @@ -3364,14 +3374,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { } } - result = isc_counter_increment(fctx->qc); - if (result != ISC_R_SUCCESS) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, - DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), - "exceeded max queries resolving '%s'", - fctx->info); - fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); - return; + if (dns_name_countlabels(&fctx->domain) > 2) { + result = isc_counter_increment(fctx->qc); + if (result != ISC_R_SUCCESS) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), + "exceeded max queries resolving '%s'", + fctx->info); + fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); + return; + } } result = fctx_query(fctx, addrinfo, fctx->options);
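Review bot: The early check added at the top of fctx_try tests `isc_counter_used(fctx->qc) > fctx->res->maxqueries`, while the increment further down relies on whatever limit the counter object itself carries, so the function now enforces the same quota from two different sources. If the counter's limit is ever set from something other than this resolver's maxqueries, or if a maxqueries of 0 is meant to disable the limit (neither is visible in this hunk), the early check would return SERVFAIL for fetches the counter would still allow. I would make the guard explicit, e.g. `if (fctx->res->maxqueries != 0 && isc_counter_used(fctx->qc) > fctx->res->maxqueries) {`, and extend the comment to say why the re-check is needed: `/* Exempt fetches below do not increment qc, so test the running total here on every attempt. */`. The log-and-fail sequence is also duplicated verbatim in the next hunk and could live in one small static helper.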
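Review bot: The exemption test `dns_name_countlabels(&fctx->domain) > 2` in the second fctx_try hunk has no comment, and the bare `2` is only readable once you know the label count includes the root label, which is what the manual text added in this commit implies. I would document it in place: `/* Fetches whose zone cut is the root or a TLD (<= 2 labels, root included) are not charged against max-recursion-queries. */`. Because those fetches never touch the counter, nothing in this hunk bounds how many of them a single recursive query can generate; the early check added above only fires on the total accumulated by non-exempt fetches. Presumably retry and timeout limits elsewhere in the resolver cap that, but it is worth confirming, since max-recursion-queries exists to limit the work one client query can cause. fctx_try starts and ends outside the hunk.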