From: Ondřej Surý <ondrej@isc.org>
Date: Wed, 4 Mar 2026 16:25:28 +0000 (+0100)
Subject: chg: usr: Introduce max-delegation-servers configuration option
X-Git-Tag: v9.21.20~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2cb28d43eec68e314dd1aed30ab2d0f8c5048dc;p=thirdparty%2Fbind9.git

chg: usr: Introduce max-delegation-servers configuration option

Make the maximum number of processed delegation nameservers configurable
via the new 'max-delegation-servers' option (default: 13), replacing the
hardcoded NS_PROCESSING_LIMIT (20).

The default is reduced to 13 to precisely match the maximum number of
root servers that can fit into a classic 512-byte UDP payload.  This
provides a natural, historically sound cap that mitigates resource
exhaustion and amplification attacks from artificially inflated or
misconfigured delegations.

The configuration option is strictly bounded between 1 and 100 to ensure
resolver stability.

Merge branch 'ondrej/make-NS_PROCESSING_LIMIT-configurable' into 'main'

See merge request isc-projects/bind9!11607
---

d2cb28d43eec68e314dd1aed30ab2d0f8c5048dc