From: Otto Moerbeek Date: Fri, 3 Feb 2023 09:13:34 +0000 (+0100) Subject: Setting, based on estimated number of names in a zone. X-Git-Tag: dnsdist-1.8.0-rc1~37^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4f20c78a90fe560b70815e63093600cc1acd8bb;p=thirdparty%2Fpdns.git Setting, based on estimated number of names in a zone. Zero means no NSEC3 entries in aggressive cache at all
---
diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index fbd338a3f3..63cda6fa1f 100644
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -265,6 +265,9 @@ bool AggressiveNSECCache::isSmallCoveringNSEC3(const DNSName& owner, const std::
 void AggressiveNSECCache::insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector>& signatures, bool nsec3)
 {
+ if (nsec3 && nsec3Disabled()) {
+ return;
+ }
 if (signatures.empty()) {
 return;
 }
diff --git a/pdns/recursordist/aggressive_nsec.hh b/pdns/recursordist/aggressive_nsec.hh
index b2b48083f9..46fb4cba0e 100644
--- a/pdns/recursordist/aggressive_nsec.hh
+++ b/pdns/recursordist/aggressive_nsec.hh
@@ -48,6 +48,11 @@ public:
 {
 }
+ static bool nsec3Disabled()
+ {
+ return s_maxNSEC3CommonPrefix == 0;
+ }
+
 void insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector>& signatures, bool nsec3);
 bool getDenial(time_t, const DNSName& name, const QType& type, std::vector& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC, const OptLog& log = std::nullopt);
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 31f0d43adf..16adaeda49 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
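Review bot: `nsec3Disabled()` in the aggressive_nsec.hh hunk encodes the disabled state as `s_maxNSEC3CommonPrefix == 0` without saying where that value comes from or that a prefix-bit count of zero is the sentinel, so a reader of the header cannot tell that `aggressive-cache-max-nsec3-zone-size` (which the rec-main.cc hunk derives it from) is what switches NSEC3 caching off. I would document the helper: `/// True when no NSEC3 records are to be stored in the aggressive cache; s_maxNSEC3CommonPrefix is derived at startup from aggressive-cache-max-nsec3-zone-size and 0 means disabled.` Because the helper is consulted on every `insertNSEC()` call with `nsec3` set (aggressive_nsec.cc hunk), the comment should also state whether `s_maxNSEC3CommonPrefix` is written only before worker threads start; the hunks do not show that, so confirm it before asserting it. The enclosing class continues outside the hunk.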
@@ -42,6 +42,21 @@ In this case the address ``128.66.1.2`` is excluded from the addresses allowed a The number of records to cache in the aggressive cache. If set to a value greater than 0, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in :rfc:`8198`. To use this, DNSSEC processing or validation must be enabled by setting `dnssec`_ to ``process``, ``log-fail`` or ``validate``. +.. _setting-aggressive-cache-max-nsec3-zone-size: + +``aggressive-cache-max-nsec3-zone-size`` +---------------------------------------- + +.. versionadded: 4.9.0 + +- Integer +- Default: 1000 + +The maximum (estimated) zone size (number of names) for which to put NSEC3 entries into the aggressive NSEC cache. +For large zones the effectiveness of the NSEC3 cache is reduced since the names are replaced by hashes, which are random by nature. +This setting avoids doing unneccesary work for such large zones. +A value of 0 means no NSEC3 records will be put into the aggressive cache. + .. _setting-allow-from: ``allow-from`` diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc index 31b2bf1101..45ba78fb78 100644 --- a/pdns/recursordist/rec-main.cc +++ b/pdns/recursordist/rec-main.cc 
@@ -1713,6 +1713,10 @@ static int serviceMain(int argc, char* argv[], Logr::log_t log)
 }
 }
+ AggressiveNSECCache::s_maxNSEC3CommonPrefix = static_cast(std::round(std::log2(::arg().asNum("aggressive-cache-max-nsec3-zone-size"))));
+ SLOG(g_log << Logger::Debug << "NSEC3 aggressive cache tuning: aggressive-cache-max-nsec3-zone-size: " << ::arg().asNum("aggressive-cache-max-nsec3-zone-size") << " max common prefix bits: " << std::to_string(AggressiveNSECCache::s_maxNSEC3CommonPrefix) << endl,
+ log->info(Logr::Debug, "NSEC3 aggressive cache tuning", "aggressive-cache-max-nsec3-zone-size", Logging::Loggable(::arg().asNum("aggressive-cache-max-nsec3-zone-size")), "maxCommonPrefixBits", Logging::Loggable(AggressiveNSECCache::s_maxNSEC3CommonPrefix)));
+
 {
 SuffixMatchNode dontThrottleNames;
 vector parts;
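Review bot: The conversion `static_cast<…>(std::round(std::log2(::arg().asNum("aggressive-cache-max-nsec3-zone-size"))))` is exactly where the documented "0 disables NSEC3 caching" case breaks: `std::log2(0)` is negative infinity (and a negative setting, if `asNum` lets one through, gives NaN), and converting either to an integer type is undefined behaviour, so `nsec3Disabled()` coming out true relies on luck rather than on the cast. I would handle the sentinel before taking the logarithm and read the setting once: `const auto maxZoneSize = ::arg().asNum("aggressive-cache-max-nsec3-zone-size");` followed by `AggressiveNSECCache::s_maxNSEC3CommonPrefix = maxZoneSize <= 0 ? 0 : static_cast<decltype(AggressiveNSECCache::s_maxNSEC3CommonPrefix)>(std::round(std::log2(maxZoneSize)));`, then reuse `maxZoneSize` in the two log calls instead of re-reading the argument. A value of 1 also maps to 0 bits and therefore disables NSEC3 caching, which the settings.rst hunk does not mention; either document that or clamp to a minimum. The target type of the cast is not visible in this rendering, and serviceMain() begins and ends outside the hunk.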
@@ -2828,6 +2832,7 @@ int main(int argc, char** argv)
 ::arg().setSwitch("extended-resolution-errors", "If set, send an EDNS Extended Error extension on resolution failures, like DNSSEC validation errors") = "no";
 ::arg().set("aggressive-nsec-cache-size", "The number of records to cache in the aggressive cache. If set to a value greater than 0, and DNSSEC processing or validation is enabled, the recursor will cache NSEC and NSEC3 records to generate negative answers, as defined in rfc8198") = "100000";
+ ::arg().set("aggressive-cache-max-nsec3-zone-size", "The maximum estimated size of a zone to store NSEC3 records into the aggressive cache") = "2000";
 ::arg().set("edns-padding-from", "List of netmasks (proxy IP in case of proxy-protocol presence, client IP otherwise) for which EDNS padding will be enabled in responses, provided that 'edns-padding-mode' applies") = "";
 ::arg().set("edns-padding-mode", "Whether to add EDNS padding to all responses ('always') or only to responses for queries containing the EDNS padding option ('padded-queries-only', the default). In both modes, padding will only be added to responses for queries coming from `edns-padding-from`_ sources") = "padded-queries-only";
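Review bot: The default registered here, `= "2000"`, disagrees with the settings.rst hunk, which documents `Default: 1000`; one of the two has to change before release, and since the .rst text already describes 0 as disabling NSEC3 caching the help string should say so as well, e.g. `"The maximum estimated size (number of names) of a zone for which NSEC3 records are stored in the aggressive cache, 0 disables NSEC3 caching"`. In the same settings.rst hunk, `.. versionadded: 4.9.0` has a single colon, which reStructuredText parses as a comment rather than the Sphinx directive, so the version note would be silently dropped from the rendered page; it should read `.. versionadded:: 4.9.0`. `unneccesary` in that paragraph is also misspelled. main() continues outside the hunk.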