From: Kees Monshouwer
Date: Fri, 12 Jul 2013 17:44:23 +0000 (+0200)
Subject: merge: implement udp-truncation-threshold to override the previous 1680 byte maximum...
X-Git-Tag: rec-3.6.0-rc1~556^2~3^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d87ded35d9b0694790bafa7957e593e62bd6eb34;p=thirdparty%2Fpdns.git

merge: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 41bfcaaee6..fb37f65973 100755
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -77,7 +77,7 @@ void declareArguments()
 ::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no";
 ::arg().set("allow-recursion","List of subnets that are allowed to recurse")="0.0.0.0/0";
 ::arg().set("pipebackend-abi-version","Version of the pipe backend ABI")="1";
-
+ ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
 ::arg().set("disable-tcp","Do not listen to TCP queries")="no";
 ::arg().set("disable-axfr","Do not allow zone transfers")="no";
@@ -341,6 +341,7 @@ void mainthread()
 g_anyToTcp = ::arg().mustDo("any-to-tcp");
 g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
+ DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
 #ifndef WIN32
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index 327ff15ddf..5e4eae691c 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -18,12 +18,9 @@
 #include "utility.hh" #include - #include #include - #include - #include #include #include
@@ -45,7 +42,8 @@
 #include "ednssubnet.hh"
 bool DNSPacket::s_doEDNSSubnetProcessing;
-
+uint16_t DNSPacket::s_udpTruncationThreshold;
+
 DNSPacket::DNSPacket()
 {
 d_wrapped=false;
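Review bot: `DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");` in the mainthread() hunk stores the configured value into a `uint16_t` (the member is declared with that type in this commit's dnspacket.hh and dnspacket.cc hunks) with no range check, so an out-of-range setting is narrowed silently instead of being rejected at startup: if asNum returns a wider integer, which the hunk does not show, 65536 becomes 0 and a negative value wraps, and anything below the 512-byte DNS UDP minimum would truncate every response. Because this knob is what bounds UDP reply size, validating it once here is cheaper than discovering the effect in the truncation path, e.g. `int udpThreshold=::arg().asNum("udp-truncation-threshold");` / `if(udpThreshold < 512 || udpThreshold > 65535) { /* log the bad setting and refuse to start; the documentation in this commit promises a maximum of 65535 */ }` / `DNSPacket::s_udpTruncationThreshold=udpThreshold;`. mainthread() starts and ends outside the hunk, so I cannot see whether a similar check already exists elsewhere in it.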
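Review bot: `uint16_t DNSPacket::s_udpTruncationThreshold;` in the dnspacket.cc hunk is defined without an initializer, so it stays at zero until mainthread() assigns it from the configuration in the common_startup.cc hunk, and the `std::min(edo.d_packetsize, s_udpTruncationThreshold)` added in the parse hunk of this same file would clamp d_maxreplylen to 0 for any packet parsed before that assignment; I cannot tell from the diff whether such an early path exists. Initialising the definition with the value the commit replaces, `uint16_t DNSPacket::s_udpTruncationThreshold=1680;`, keeps the pre-commit behaviour in that window and records where the default came from next to the code that uses it.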
@@ -495,7 +493,7 @@ try
 if(getEDNSOpts(mdp, &edo)) {
 d_haveednssection=true;
- d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680);
+ d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);
 // cerr<& getRRS() { return d_rrs; }
 TSIGRecordContent d_trc;
 static bool s_doEDNSSubnetProcessing;
+ static uint16_t s_udpTruncationThreshold;
 private:
 void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 87d11b10b1..54fcea6587 100755
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -15700,6 +15700,13 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received* IP address of incoming notification proxy
+ udp-truncation-threshold=...
+
+ EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however
+ also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit
+ was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes
+ our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted. + urlredirector=... Where we send hosts to that need to be url redirected. See .