merge: implement udp-truncation-threshold to override the previous 1680 byte maximum...
authorKees Monshouwer <mind04@monshouwer.org>
Fri, 12 Jul 2013 17:44:23 +0000 (19:44 +0200)
committermind04 <mind04@monshouwer.org>
Fri, 12 Jul 2013 17:45:02 +0000 (19:45 +0200)
pdns/common_startup.cc
pdns/dnspacket.cc
pdns/dnspacket.hh
pdns/docs/pdns.xml

index 41bfcaaee63b505bc63449786cd3b05c38e3c707..fb37f659733c40efcc757530ecd5b73ed818f5fd 100755 (executable)
@@ -77,7 +77,7 @@ void declareArguments()
   ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no"; 
   ::arg().set("allow-recursion","List of subnets that are allowed to recurse")="0.0.0.0/0";
   ::arg().set("pipebackend-abi-version","Version of the pipe backend ABI")="1";
-  
+  ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
   ::arg().set("disable-tcp","Do not listen to TCP queries")="no";
   ::arg().set("disable-axfr","Do not allow zone transfers")="no";
   
@@ -341,6 +341,7 @@ void mainthread()
    
    g_anyToTcp = ::arg().mustDo("any-to-tcp");
    g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
+   DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
    DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
    
 #ifndef WIN32
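Review bot: The added assignment stores the result of `::arg().asNum("udp-truncation-threshold")` straight into a uint16_t with no range check, so an out-of-range setting wraps silently instead of being rejected — asNum appears to return a wider integer, and a value of 65536 would become 0, after which every EDNS reply is capped by min(edo.d_packetsize, 0) in dnspacket.cc. The documentation hunk promises a maximum of 65535, so the limit should be enforced where the value is read, and a floor below the classic 512-byte DNS message size makes no sense either. I would write `int thr = ::arg().asNum("udp-truncation-threshold");` `if(thr < 512 || thr > 65535) { /* log the bad value and refuse to start */ }` `DNSPacket::s_udpTruncationThreshold = thr;`. The body of mainthread() continues outside the hunk.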
index 327ff15ddf71e5b59e883975c018115127196e91..5e4eae691c562bc51c2d36ea825d689acf5c3102 100644 (file)
 
 #include "utility.hh"
 #include <cstdio>
-
 #include <cstdlib>
 #include <sys/types.h>
-
 #include <iostream>  
-
 #include <string>
 #include <errno.h>
 #include <boost/tokenizer.hpp>
@@ -45,7 +42,8 @@
 #include "ednssubnet.hh"
 
 bool DNSPacket::s_doEDNSSubnetProcessing;
-
+uint16_t DNSPacket::s_udpTruncationThreshold;
 DNSPacket::DNSPacket() 
 {
   d_wrapped=false;
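Review bot: The new definition `uint16_t DNSPacket::s_udpTruncationThreshold;` has no initializer, so it is zero until mainthread() in common_startup.cc assigns it; the hunk below, `d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);`, would then compute a reply limit of 0 for any EDNS query parsed by a code path that does not pass through mainthread(). I cannot see from here whether such a path exists, but the replaced code had the 1680 constant inline and so never depended on startup order. Initializing the static to the previous constant keeps that property: `uint16_t DNSPacket::s_udpTruncationThreshold = 1680;`. The value is a size in bytes; a short comment on the definition saying so would also help, since the header declaration carries none.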
@@ -495,7 +493,7 @@ try
 
   if(getEDNSOpts(mdp, &edo)) {
     d_haveednssection=true;
-    d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680);
+    d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);
 //    cerr<<edo.d_Z<<endl;
     if(edo.d_Z & EDNSOpts::DNSSECOK)
       d_dnssecOk=true;
index 91c44bddec2258f3735d259321fc17d3098bbbd2..63e7a2a52519de2b0df2d8afabd28a1c93130cf0 100644 (file)
@@ -158,6 +158,7 @@ public:
   vector<DNSResourceRecord>& getRRS() { return d_rrs; }
   TSIGRecordContent d_trc;
   static bool s_doEDNSSubnetProcessing;
+  static uint16_t s_udpTruncationThreshold;
 private:
   void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies
 
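Review bot: The added public static `s_udpTruncationThreshold` has no documentation, while the neighbouring private member `pasteQ` carries a `//!<` comment; a reader of the header cannot tell its unit or who sets it. I would annotate it in the same style: `static uint16_t s_udpTruncationThreshold; //!< largest UDP reply size in bytes we send to an EDNS0 client before truncating; set at startup from udp-truncation-threshold`. The enclosing class continues on both sides of the hunk.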
index 87d11b10b1f8643ec4c7a2ed744a0da1a1b9b485..54fcea6587ab0b6c6b05ad52b51ca688a994ca9c 100755 (executable)
@@ -15700,6 +15700,13 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received*
            <listitem><para>
                        IP address of incoming notification proxy
              </para></listitem></varlistentry>
+         <varlistentry><term>udp-truncation-threshold=...</term>
+           <listitem><para>
+               EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however
+               also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit
+               was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes
+               our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted.
+             </para></listitem></varlistentry>
          <varlistentry><term>urlredirector=...</term>
            <listitem><para>
                Where we send hosts to that need to be url redirected. See <xref linkend="fancy-records"/>.