From: Evan Hunt Date: Wed, 22 May 2024 22:17:47 +0000 (-0700) Subject: apply max-recursion-queries quota to validator queries X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f89f8af34a30de1267a1ba5d03bc109eef3425bc;p=thirdparty%2Fbind9.git apply max-recursion-queries quota to validator queries previously, validator queries for DNSKEY and DS records were not counted toward the quota for max-recursion-queries; they are now. (cherry picked from commit af7db8951364a89c468eda1535efb3f53adc2c1f) (cherry picked from commit 18e39d989f5a716045cd6d99b3bdb7a2633a2db8) --- diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index c5d7a31a419..585a3fc35c9 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -145,12 +145,13 @@ struct dns_validator { dns_fixedname_t wild; dns_fixedname_t closest; ISC_LINK(dns_validator_t) link; - bool mustbesecure; - unsigned int depth; - unsigned int authcount; - unsigned int authfail; - bool failed; - isc_stdtime_t start; + bool mustbesecure; + unsigned int depth; + unsigned int authcount; + unsigned int authfail; + bool failed; + isc_stdtime_t start; + isc_counter_t *qc; }; /*% @@ -168,7 +169,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, - dns_validator_t **validatorp); + isc_counter_t *qc, dns_validator_t **validatorp); /*%< * Start a DNSSEC validation. * diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5dce41a98f5..dc96bbf3f39 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
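Review bot: The new `qc` parameter and member are undocumented. The commit leaves the `/*%<` comment under the `dns_validator_create` prototype (second hunk) untouched, and `isc_counter_t *qc;` in `struct dns_validator` (first hunk) has no comment. The implementation hunks show that NULL is accepted and that the validator attaches its own reference and releases it in `destroy()`, so the header should state that contract, for example ` * 'qc', if not NULL, is a query counter shared with the caller; the validator attaches to it and detaches when it is destroyed.` Separately, the first hunk re-aligns six unchanged members, which buries the one functional line in a change that gets cherry-picked across branches. Most of the doc comment lies outside the hunk.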
@@ -933,7 +933,7 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo, result = dns_validator_create(fctx->res->view, name, type, rdataset, sigrdataset, message, valoptions, task, - validated, valarg, &validator); + validated, valarg, fctx->qc, &validator); if (result == ISC_R_SUCCESS) { inc_stats(fctx->res, dns_resstatscounter_val); if ((valoptions & DNS_VALIDATOR_DEFER) == 0) { diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 243b19f64e2..14b8aa4f257 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -1091,7 +1092,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, validator_logcreate(val, name, type, caller, "validator"); result = dns_validator_create(val->view, name, type, rdataset, sig, NULL, vopts, val->task, action, val, - &val->subvalidator); + val->qc, &val->subvalidator); if (result == ISC_R_SUCCESS) { val->subvalidator->parent = val; val->subvalidator->depth = val->depth + 1; @@ -3136,7 +3137,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, - dns_validator_t **validatorp) { + isc_counter_t *qc, dns_validator_t **validatorp) { isc_result_t result = ISC_R_FAILURE; dns_validator_t *val; isc_task_t *tclone = NULL; @@ -3177,6 +3178,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, goto cleanup; } + if (qc != NULL) { + isc_counter_attach(qc, &val->qc); + } + val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name); dns_rdataset_init(&val->fdsset); dns_rdataset_init(&val->frdataset); 
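Review bot: Nothing in the visible hunks ever charges the counter. `val->qc` is attached in the `@@ -3177` hunk of `dns_validator_create()`, handed on to sub-validators in `create_validator()`, and released in `destroy()`, but no hunk increments it or passes it to the call that starts the validator's own DNSKEY/DS fetches. If that fetch call, which is outside these hunks, still receives a NULL counter, the quota described in the commit message is not enforced for those fetches. Please confirm the fetch path takes `val->qc`, and consider a system test that exceeds max-recursion-queries through validator fetches alone. The body of `dns_validator_create()` begins and ends outside the hunk.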
@@ -3281,6 +3286,9 @@ destroy(dns_validator_t *val) {
 if (val->siginfo != NULL) {
 isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
 }
+ if (val->qc != NULL) {
+ isc_counter_detach(&val->qc);
+ }
 isc_mutex_destroy(&val->lock);
 dns_view_weakdetach(&val->view);
 isc_mem_put(mctx, val, sizeof(*val));
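Review bot: The `val->qc != NULL` test added to `destroy()` is only sound if `val->qc` is NULL whenever the caller supplied no counter. The attach hunk in `dns_validator_create()` has the same precondition, since `isc_counter_attach()` expects an empty target pointer. The initialisation of `*val` is outside every visible hunk, so this cannot be confirmed from the diff. If the structure is not zero-initialised on allocation, add `val->qc = NULL;` before the `if (qc != NULL)` block. The opening lines and closing brace of `destroy()` are outside this hunk.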