implement udp-truncation-threshold to override the previous 1680 byte maximum respons...
authorbert hubert <bert.hubert@netherlabs.nl>
Fri, 12 Jul 2013 09:03:24 +0000 (11:03 +0200)
committerbert hubert <bert.hubert@netherlabs.nl>
Fri, 12 Jul 2013 09:03:24 +0000 (11:03 +0200)
pdns/common_startup.cc
pdns/dnspacket.cc
pdns/dnspacket.hh
pdns/docs/pdns.xml

index d9f3f6f27739e717442f16e324fcb9178813b8a1..5ce0311265b577e1657d3dbb4ab49a26b6176e08 100644 (file)
@@ -75,7 +75,7 @@ void declareArguments()
   ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no"; 
   ::arg().set("allow-recursion","List of subnets that are allowed to recurse")="0.0.0.0/0";
   ::arg().set("pipebackend-abi-version","Version of the pipe backend ABI")="1";
-  
+  ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
   ::arg().set("disable-tcp","Do not listen to TCP queries")="no";
   ::arg().set("disable-axfr","Do not allow zone transfers")="no";
   
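Review bot: The help text added for `udp-truncation-threshold` gives operators no hint of the valid range or of when the setting takes effect, and this is the knob they will reach for when tuning against UDP reflection abuse. In the dnspacket.cc hunk of this same commit the threshold is consulted only inside the EDNS0 branch, and the manual text says the maximum is 65535, so both facts belong in the one-line help. Suggest `::arg().set("udp-truncation-threshold", "Maximum UDP response size in bytes before we truncate (EDNS0 queries only, 512-65535)")="1680";`. The rest of declareArguments() is outside the hunk.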
@@ -339,6 +339,7 @@ void mainthread()
    
    g_anyToTcp = ::arg().mustDo("any-to-tcp");
    g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
+   DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
    DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
    {
       std::vector<std::string> codes;
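Review bot: The new assignment `DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");` stores a presumably `int` result into a `uint16_t` static with no range check, so a value above the documented maximum of 65535 (or a negative one) wraps silently; 65536 becomes 0, after which `std::min(edo.d_packetsize, s_udpTruncationThreshold)` in dnspacket.cc yields 0 and every EDNS0 answer is truncated rather than merely capped. A setting whose purpose is to bound amplification should be validated once at startup, preferably by rejecting the value through whatever fatal-configuration path this file already uses; at minimum clamp it: `const int threshold = ::arg().asNum("udp-truncation-threshold");` followed by `DNSPacket::s_udpTruncationThreshold = static_cast<uint16_t>(std::max(512, std::min(threshold, 65535)));`. The lower bound of 512 matches the classic DNS UDP payload size so a typo cannot disable UDP answers entirely. mainthread() continues outside the hunk.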
index 61e68851c6495b561e5a6b5322c37b4b0481cf99..ffdc808c11bb0b88ec25ee36367513dd31d30628 100644 (file)
 
 #include "utility.hh"
 #include <cstdio>
-
 #include <cstdlib>
 #include <sys/types.h>
-
 #include <iostream>  
-
 #include <string>
 #include <errno.h>
 #include <boost/tokenizer.hpp>
@@ -46,6 +43,7 @@
 
 bool DNSPacket::s_doEDNSSubnetProcessing;
 std::vector<int> DNSPacket::s_ednssubnetcodes;
+uint16_t DNSPacket::s_udpTruncationThreshold;
  
 DNSPacket::DNSPacket() 
 {
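Review bot: The new definition `uint16_t DNSPacket::s_udpTruncationThreshold;` has no initializer, so it is zero-initialized until mainthread() in common_startup.cc assigns the configured value; any DNSPacket parsed before that point, if such a path exists, would compute `d_maxreplylen` as 0 via `std::min` instead of the previous hard-coded 1680. Since the setting's default is documented as 1680, carrying it here preserves the old behaviour in that window and makes the default visible next to the definition: `uint16_t DNSPacket::s_udpTruncationThreshold = 1680;`. Whether such an early parse exists is not visible from this diff, so treat the initializer as cheap insurance rather than a known bug fix.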
@@ -502,7 +500,7 @@ try
 
   if(getEDNSOpts(mdp, &edo)) {
     d_haveednssection=true;
-    d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680);
+    d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);
 //    cerr<<edo.d_Z<<endl;
     if(edo.d_Z & EDNSOpts::DNSSECOK)
       d_dnssecOk=true;
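Review bot: The changed line `d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);` bounds the reply size only from above, so a client-supplied EDNS0 buffer size below 512 (or a threshold that was misconfigured or not yet assigned and therefore 0) becomes the reply limit as-is. RFC 6891 §6.2.3 says requestor payload sizes below 512 are to be treated as 512, and a zero limit would truncate every EDNS0 response, so a floor on the same line is cheap: `d_maxreplylen=std::max<uint16_t>(512, std::min(edo.d_packetsize, s_udpTruncationThreshold));`. The sub-512 case predates this commit (the old `(uint16_t)1680` had the same gap), but it is worth closing while this expression is being touched. The enclosing `try` body of the parsing function starts and ends outside the hunk.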
index 3850f4dff7c6ae95cb2d057fad053f852700a40a..60bec234ac10687f8e46911d6aec226e776c6f92 100644 (file)
@@ -159,6 +159,7 @@ public:
   vector<DNSResourceRecord>& getRRS() { return d_rrs; }
   TSIGRecordContent d_trc;
   static bool s_doEDNSSubnetProcessing;
+  static uint16_t s_udpTruncationThreshold;
   static std::vector<int> s_ednssubnetcodes;
 private:
   void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies
index 43e31b0816004eb154abc98e63afe5b9c7386fe0..0e6492649ff7068600fc195e4404af8d50e34944 100644 (file)
@@ -15530,6 +15530,13 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received*
            <listitem><para>
                        IP address of incoming notification proxy
              </para></listitem></varlistentry>
+         <varlistentry><term>udp-truncation-threshold=...</term>
+           <listitem><para>
+               EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however
+               also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit
+               was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes
+               our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted.
+             </para></listitem></varlistentry>
          <varlistentry><term>urlredirector=...</term>
            <listitem><para>
                Where we send hosts to that need to be url redirected. See <xref linkend="fancy-records"/>.