From: Otto Moerbeek
Date: Wed, 26 Nov 2025 10:57:05 +0000 (+0100)
Subject: If we received a delegation, also sample NS set if size > s_maxnsperresolve
X-Git-Tag: rec-5.5.0-alpha0~17^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2458a792077cbb4cff06a977f5ff35b3cd5e65e;p=thirdparty%2Fpdns.git
If we received a delegation, also sample NS set if size > s_maxnsperresolve
Previously this was only done for NS sets retrieved fomr the record cache
Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index e4ea06d98d..7cec0c96d8 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -5828,6 +5828,13 @@ bool SyncRes::processAnswer(unsigned int depth, const string& prefix, LWResult&
 nameservers.insert({nameserver, {{}, false}});
 }
 LOG("looping to them" << endl);
+ if (s_maxnsperresolve > 0 && nameservers.size() > s_maxnsperresolve) {
+ LOG(prefix << qname << "Reducing number of NS attempted to " << s_maxnsperresolve << endl);
+ NsSet selected;
+ std::sample(nameservers.cbegin(), nameservers.cend(), std::inserter(selected, selected.begin()), s_maxnsperresolve, pdns::dns_random_engine());
+ nameservers = std::move(selected);
+ }
+
 *gotNewServers = true;
 auth = std::move(newauth);
@@ -5881,6 +5888,7 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
 if (rnameservers.size() > nsLimit) {
 int newLimit = static_cast(nsLimit - (rnameservers.size() - nsLimit));
 nsLimit = std::max(5, newLimit);
+ LOG("Applying nsLimit " << nsLimit << endl);
 }
 for (auto tns = rnameservers.cbegin();; ++tns) {
diff --git a/pdns/recursordist/test-syncres_cc2.cc b/pdns/recursordist/test-syncres_cc2.cc
index 32a80fb38c..ebf3c7aecb 100644
--- a/pdns/recursordist/test-syncres_cc2.cc
+++ b/pdns/recursordist/test-syncres_cc2.cc
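Review bot: The new `LOG` call in the sampling branch of `processAnswer` streams `qname` directly into `"Reducing number of NS attempted to "`, so the name and the message run together in the trace output; `LOG(prefix << qname << ": Reducing number of NS attempted to " << s_maxnsperresolve << endl);` keeps them apart. The `LOG("Applying nsLimit " ...)` line added in the `doResolveAt` hunk has the opposite gap: it carries no `prefix` or `qname` at all, so if both are in scope there (the signature is cut off in the hunk header) it should be prefixed the same way. The branch would also benefit from a one-line comment such as `// NS names in a delegation are chosen by the remote side; bound how many we will try`, since the cap is what limits the work a very large referral can trigger. `processAnswer` starts and ends outside the hunk.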
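Review bot: The `nsLimit` reduction just above the new `LOG` line in `doResolveAt` now has a different effect for delegations, and nothing at this site records that. With the sampling added in `processAnswer`, a referral presumably no longer arrives here with more than `s_maxnsperresolve` names, which matches the updated test expecting a limit of 7 where it used to expect 5. A comment on the `if`, such as `// size may already have been capped by s_maxnsperresolve, which bounds how far nsLimit is reduced here`, would document the coupling between the two settings. Adding `rnameservers.size()` to the new log line would make the same thing visible in a trace. The function body continues outside the hunk.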
@@ -1591,9 +1591,9 @@ BOOST_AUTO_TEST_CASE(test_completely_flawed_big_nsset)
 }
 catch (const ImmediateServFailException& ex) {
 BOOST_CHECK_EQUAL(ret.size(), 0U);
- // one query to get NSs, then A and AAAA for each NS, 5th NS hits the limit
- // limit is reduced to 5, because zone publishes many (20) NS
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ // one query to get NSs, then A and AAAA for each NS, 7th NS hits the limit
+ // limit is reduced to 7, because zone publishes many (20, but actually reduced to 13 used) NS
+ BOOST_CHECK_EQUAL(queriesCount, 15U);
 }
 }
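Review bot: The new expectation of 15 queries in `test_completely_flawed_big_nsset` depends on values the hunk does not show being set: the comment's 13 is presumably the default of `s_maxnsperresolve`, and the 7 follows from it through the `nsLimit` reduction. Pinning the setting at the start of the test, e.g. `SyncRes::s_maxnsperresolve = 13;` (if it is a static member, as its use in `SyncRes::processAnswer` suggests), would keep the count from changing silently when the default does. Since the subset is picked with `std::sample` and a random engine, the comment should also state why the count is stable, e.g. `// which 13 are sampled is random, but every NS fails the same way, so the count does not depend on the choice`, assuming that holds for this test's mock. The test body starts outside the hunk.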