From a29b2ad9081094a9781098d565113816555d321c Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Tue, 27 Apr 2010 14:15:19 +0000 Subject: [PATCH] Fix harden-referral-path so it does not generate lookup failures. git-svn-id: file:///svn/unbound/trunk@2101 be551aaa-1e26-0410-a405-d3ace91eadb9 --- doc/Changelog | 3 +++ doc/unbound.conf.5.in | 2 ++ iterator/iterator.c | 6 ++++++ 3 files changed, 11 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 25321dade..116833486 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,9 @@ - unbound-control get_option domain-insecure shows config file items. - fix retry sequence if prime hints are recursion-lame. - autotrust anchor file can be initialized with a ZSK key as well. + - harden-referral-path does not result in failures due to max-depth. + You can increase the max-depth by adding numbers (' 0') after the + target-fetch-policy, this increases the depth to which is checked. 26 April 2010: Wouter - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index fbe374890..16a607c93 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -456,6 +456,8 @@ path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. +If you enable it consider adding more numbers after the target\-fetch\-policy +to increase the max depth that is checked to. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. diff --git a/iterator/iterator.c b/iterator/iterator.c index 08354e8f2..19b9a265c 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -695,12 +695,15 @@ static void generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) { + struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; struct module_qstate* subq; size_t i; struct reply_info* rep = iq->response->rep; struct ub_packed_rrset_key* s; log_assert(iq->dp); + if(iq->depth == ie->max_dependency_depth) + return; /* walk through additional, and check if in-zone, * only relevant A, AAAA are left after scrub anyway */ for(i=rep->an_numrrsets+rep->ns_numrrsets; irrset_count; i++) { @@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, static void generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) { + struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; struct module_qstate* subq; log_assert(iq->dp); + if(iq->depth == ie->max_dependency_depth) + return; /* is this query the same as the nscheck? */ if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS && query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 && -- 2.47.2