From: Mark Andrews Date: Thu, 26 Nov 2020 04:59:14 +0000 (+1100) Subject: Adjust default value of "max-recursion-queries" X-Git-Tag: v9.11.26~4^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d09991e4e9ff620595170cf41a6af1fa8efb989a;p=thirdparty%2Fbind9.git Adjust default value of "max-recursion-queries" Since the queries sent towards root and TLD servers are now included in the count (as a result of the fix for CVE-2020-8616), "max-recursion-queries" has a higher chance of being exceeded by non-attack queries. Increase its default value from 75 to 100. (cherry picked from commit ab0bf492035c01687dfff8f546b78ac30739348c) --- diff --git a/CHANGES b/CHANGES index da22e43c64c..d281aaa4e2f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5541. [func] Adjust the "max-recursion-queries" default from 75 to + 100. [GL #2305] + 5540. [port] Fix building with native PKCS#11 support for AEP Keyper. [GL #2315] diff --git a/bin/named/config.c b/bin/named/config.c index bec90ab2f27..18710ab538a 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -185,7 +185,7 @@ options {\n\ max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ - max-recursion-queries 75;\n\ + max-recursion-queries 100;\n\ message-compression yes;\n\ # min-roots ;\n\ minimal-any false;\n\ diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c3156ca88ba..466a5295065 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -9299,7 +9299,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; This sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. The default is 75. + is terminated and returns SERVFAIL. The default is 100. diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 35b5c9ddc66..005f5a5c7eb 100644 --- a/doc/arm/Bv9ARM.ch06.html 
+++ b/doc/arm/Bv9ARM.ch06.html @@ -7115,7 +7115,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; This sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query - is terminated and returns SERVFAIL. The default is 75. + is terminated and returns SERVFAIL. The default is 100.

notify-delay
diff --git a/doc/arm/notes-9.11.26.xml b/doc/arm/notes-9.11.26.xml index 6e5c7facfd5..1499fc2a178 100644 --- a/doc/arm/notes-9.11.26.xml +++ b/doc/arm/notes-9.11.26.xml @@ -55,7 +55,14 @@ - None. + Adjust the max-recursion-queries default + from 75 to 100. Since the queries sent towards root and + TLD servers are now included in the count (as a result + of the fix for CVE-2020-8616), + max-recursion-queries has a higher + chance of being exceeded by non-attack queries, which is + the main reason for increasing its default value. [GL + #2305] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 320fc693417..8175f7918bc 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -169,8 +169,8 @@ /* The default maximum number of iterative queries to allow before giving up. */ #ifndef DEFAULT_MAX_QUERIES -#define DEFAULT_MAX_QUERIES 75 -#endif +#define DEFAULT_MAX_QUERIES 100 +#endif /* ifndef DEFAULT_MAX_QUERIES */ /* * After NS_FAIL_LIMIT attempts to fetch a name server address,
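Review bot: the CHANGES entry 5541 records only the new value and not why it moved, while the rationale (iterative queries to the root and TLD servers now count toward the limit after the CVE-2020-8616 fix) lives only in the commit message and the release note. Operators who read CHANGES to decide whether an explicitly configured value needs revisiting would want that one clause, e.g. `5541. [func] Adjust the "max-recursion-queries" default from 75 to 100, since queries sent to root and TLD servers are now counted. [GL #2305]`.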
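Review bot: in bin/named/config.c the built-in default `max-recursion-queries 100;` duplicates `DEFAULT_MAX_QUERIES` in lib/dns/resolver.c, and this commit had to edit both by hand to keep them at the same value. A comment beside each constant pointing at the other, or generating the options string from the macro, would stop the two from drifting apart on the next bump.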
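Review bot: the ARM text in doc/arm/Bv9ARM-book.xml still only changes "The default is 75." to "The default is 100." and does not say what is counted. Because the count now includes the iterative queries sent to root and TLD servers, an operator who earlier tuned this option to a value below 100 will see SERVFAIL more readily, and the option reference is where they will look for that. Suggest adding a sentence such as "Queries sent to the root and TLD servers are included in this count." after the SERVFAIL sentence. The identical sentence also appears in doc/arm/Bv9ARM.ch06.html; if that file is generated from the XML source, regenerate it rather than patching it separately so the two cannot diverge.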
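Review bot: the release note in doc/arm/notes-9.11.26.xml does not tell operators that an explicitly configured `max-recursion-queries` in named.conf is unaffected by the new default, so anyone who pinned it at the old default of 75 (or lower) keeps the tighter limit and should revisit it; one sentence to that effect would save support traffic. Separately, "which is the main reason for increasing its default value" restates what the opening "Since ..." clause already says and can be dropped.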
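Review bot: the `#ifndef DEFAULT_MAX_QUERIES` guard in lib/dns/resolver.c implies the macro is a build-time override point, but the built-in options string in bin/named/config.c now hard-codes `max-recursion-queries 100;` regardless of how the library was built. If named applies that default from the options string at configuration time, a build with `-DDEFAULT_MAX_QUERIES=<n>` would still end up at 100, which makes the override ineffective; please check which value wins and either document it or tie the two together. Also, changing `#endif` to `#endif /* ifndef DEFAULT_MAX_QUERIES */` is unrelated cosmetic cleanup riding in a functional change; it is harmless, but it is why this one-constant bump shows two removed and two added lines.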