From 32af7299ebc116146b87e9c2316de6b62d24cec2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 1 Mar 2024 08:26:07 +0100 Subject: [PATCH 01/19] Add a limit to the number of RRs in RRSets Previously, the number of RRs in the RRSets were internally unlimited. As the data structure that holds the RRs is just a linked list, and there are places where we just walk through all of the RRs, adding an RRSet with huge number of RRs inside would slow down processing of said RRSets. Add a configurable limit to cap the number of the RRs in a single RRSet. This is enforced at the database (rbtdb, qpzone, qpcache) level and configured with new max-records-per-type configuration option that can be configured globally, per-view and per-zone. --- bin/named/config.c | 1 + bin/named/server.c | 9 +++++++ bin/named/zoneconf.c | 8 ++++++ bin/tests/system/doth/ns2/named.conf.in | 1 + bin/tests/system/doth/ns3/named.conf.in | 1 + bin/tests/system/doth/ns4/named.conf.in | 1 + bin/tests/system/doth/ns5/named.conf.in | 1 + doc/arm/reference.rst | 15 +++++++++++ doc/misc/mirror.zoneopt | 1 + doc/misc/options | 2 ++ doc/misc/primary.zoneopt | 1 + doc/misc/redirect.zoneopt | 1 + doc/misc/secondary.zoneopt | 1 + doc/misc/static-stub.zoneopt | 1 + doc/misc/stub.zoneopt | 1 + lib/dns/cache.c | 12 +++++++++ lib/dns/db.c | 9 +++++++ lib/dns/include/dns/cache.h | 6 +++++ lib/dns/include/dns/db.h | 9 +++++++ lib/dns/include/dns/rdataslab.h | 6 +++-- lib/dns/include/dns/view.h | 7 ++++++ lib/dns/include/dns/zone.h | 13 ++++++++++ lib/dns/qpcache.c | 33 ++++++++++++++++++------- lib/dns/qpzone.c | 22 ++++++++++++++--- lib/dns/rbt-cachedb.c | 1 + lib/dns/rbt-zonedb.c | 4 ++- lib/dns/rbtdb.c | 33 ++++++++++++++++--------- lib/dns/rbtdb_p.h | 7 ++++++ lib/dns/rdataslab.c | 14 +++++++++-- lib/dns/view.c | 11 +++++++++ lib/dns/zone.c | 14 +++++++++++ lib/isccfg/namedconf.c | 3 +++ 32 files changed, 220 insertions(+), 29 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index 38ddc7ca23..1943eb1879 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -222,6 +222,7 @@ options {\n\ ixfr-from-differences false;\n\ max-journal-size default;\n\ max-records 0;\n\ + max-records-per-type 100;\n\ max-refresh-time 2419200; /* 4 weeks */\n\ max-retry-time 1209600; /* 2 weeks */\n\ max-transfer-idle-in 60;\n\ diff --git a/bin/named/server.c b/bin/named/server.c index a17375dbaa..6bcd0b5d56 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -5454,6 +5454,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj), max_clients_per_query); + /* + * This is used for the cache and also as a default value + * for zone databases. + */ + obj = NULL; + result = named_config_get(maps, "max-records-per-type", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_view_setmaxrrperset(view, cfg_obj_asuint32(obj)); + obj = NULL; result = named_config_get(maps, "max-recursion-depth", &obj); INSIST(result == ISC_R_SUCCESS); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index c45051b42a..f6646e3819 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1074,6 +1074,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setmaxrecords(zone, 0); } + obj = NULL; + result = named_config_get(maps, "max-records-per-type", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + dns_zone_setmaxrrperset(mayberaw, cfg_obj_asuint32(obj)); + if (zone != mayberaw) { + dns_zone_setmaxrrperset(zone, 0); + } + if (raw != NULL && filename != NULL) { #define SIGNED ".signed" size_t signedlen = strlen(filename) + sizeof(SIGNED); diff --git a/bin/tests/system/doth/ns2/named.conf.in b/bin/tests/system/doth/ns2/named.conf.in index 96200d0fd3..a7b09611d1 100644 --- a/bin/tests/system/doth/ns2/named.conf.in +++ b/bin/tests/system/doth/ns2/named.conf.in @@ -52,6 +52,7 @@ options { ixfr-from-differences yes; check-integrity no; dnssec-validation yes; + max-records-per-type 0; transfers-in 100; transfers-out 100; }; diff --git a/bin/tests/system/doth/ns3/named.conf.in b/bin/tests/system/doth/ns3/named.conf.in index 69de2ca146..daf3164643 100644 --- a/bin/tests/system/doth/ns3/named.conf.in +++ b/bin/tests/system/doth/ns3/named.conf.in @@ -44,6 +44,7 @@ options { ixfr-from-differences yes; check-integrity no; dnssec-validation yes; + max-records-per-type 0; }; trust-anchors { }; diff --git a/bin/tests/system/doth/ns4/named.conf.in b/bin/tests/system/doth/ns4/named.conf.in index 60072ce9c2..d637a9c9ed 100644 --- a/bin/tests/system/doth/ns4/named.conf.in +++ b/bin/tests/system/doth/ns4/named.conf.in @@ -52,6 +52,7 @@ options { ixfr-from-differences yes; check-integrity no; dnssec-validation yes; + max-records-per-type 0; }; trust-anchors { }; diff --git a/bin/tests/system/doth/ns5/named.conf.in b/bin/tests/system/doth/ns5/named.conf.in index e161a3e4cf..7aa3757cdb 100644 --- a/bin/tests/system/doth/ns5/named.conf.in +++ b/bin/tests/system/doth/ns5/named.conf.in @@ -40,6 +40,7 @@ options { ixfr-from-differences yes; check-integrity no; dnssec-validation yes; + max-records-per-type 0; }; trust-anchors { }; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 4c0cc55e58..0decf3a6e0 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3681,6 +3681,21 @@ system. This sets the maximum number of records permitted in a zone. The default is zero, which means the maximum is unlimited. +.. namedconf:statement:: max-records-per-type + :tags: server + :short: Sets the maximum number of records that can be stored in an RRset + + This sets the maximum number of resource records that can be stored + in an RRset in a database. When configured in :namedconf:ref:`options` + or :namedconf:ref:`view`, it controls the cache database; it also sets + the default value for zone databases, which can be overridden by setting + it at the :namedconf:ref:`zone` level. + + If set to a positive value, any attempt to cache or to add to a zone + an RRset with more than the specified number of records will result in + a failure. If set to 0, there is no cap on RRset size. The default is + 100. + .. namedconf:statement:: recursive-clients :tags: query :short: Specifies the maximum number of concurrent recursive queries the server can perform. diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt index cc9dbaa446..4238e689f5 100644 --- a/doc/misc/mirror.zoneopt +++ b/doc/misc/mirror.zoneopt @@ -16,6 +16,7 @@ zone [ ] { max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; + max-records-per-type ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; diff --git a/doc/misc/options b/doc/misc/options index 7c94dcd180..261d46d093 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -183,6 +183,7 @@ options { max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; + max-records-per-type ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; @@ -468,6 +469,7 @@ view [ ] { max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; + max-records-per-type ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt index e3c6ef69d5..6586686300 100644 --- a/doc/misc/primary.zoneopt +++ b/doc/misc/primary.zoneopt @@ -37,6 +37,7 @@ zone [ ] { max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; + max-records-per-type ; max-transfer-idle-out ; max-transfer-time-out ; max-zone-ttl ( unlimited | ); // deprecated diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt index c0bee863fb..b389f6eede 100644 --- a/doc/misc/redirect.zoneopt +++ b/doc/misc/redirect.zoneopt @@ -7,6 +7,7 @@ zone [ ] { masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-records ; + max-records-per-type ; max-zone-ttl ( unlimited | ); // deprecated primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; zone-statistics ( full | terse | none | ); diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt index 26eca8e20a..4ded7c8e19 100644 --- a/doc/misc/secondary.zoneopt +++ b/doc/misc/secondary.zoneopt @@ -28,6 +28,7 @@ zone [ ] { max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; + max-records-per-type ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt index 85c158fbcb..5f68d83c52 100644 --- a/doc/misc/static-stub.zoneopt +++ b/doc/misc/static-stub.zoneopt @@ -5,6 +5,7 @@ zone [ ] { forward ( first | only ); forwarders [ port ] [ tls ] { ( | ) [ port ] [ tls ]; ... }; max-records ; + max-records-per-type ; server-addresses { ( | ); ... }; server-names { ; ... }; zone-statistics ( full | terse | none | ); diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt index 6d7c98cb45..8d0537b136 100644 --- a/doc/misc/stub.zoneopt +++ b/doc/misc/stub.zoneopt @@ -11,6 +11,7 @@ zone [ ] { masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-records ; + max-records-per-type ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; diff --git a/lib/dns/cache.c b/lib/dns/cache.c index 43821dca17..52d92037d3 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -80,6 +80,7 @@ struct dns_cache { dns_ttl_t serve_stale_ttl; dns_ttl_t serve_stale_refresh; isc_stats_t *stats; + uint32_t maxrrperset; }; /*** @@ -128,6 +129,7 @@ cache_create_db(dns_cache_t *cache, dns_db_t **dbp, isc_mem_t **tmctxp, dns_db_setservestalettl(db, cache->serve_stale_ttl); dns_db_setservestalerefresh(db, cache->serve_stale_refresh); + dns_db_setmaxrrperset(db, cache->maxrrperset); /* * XXX this is only used by the RBT cache, and can @@ -546,6 +548,16 @@ dns_cache_updatestats(dns_cache_t *cache, isc_result_t result) { } } +void +dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value) { + REQUIRE(VALID_CACHE(cache)); + + cache->maxrrperset = value; + if (cache->db != NULL) { + dns_db_setmaxrrperset(cache->db, value); + } +} + /* * XXX: Much of the following code has been copied in from statschannel.c. * We should refactor this into a generic function in stats.c that can be diff --git a/lib/dns/db.c b/lib/dns/db.c index ad082bbe2b..3f3ca0ede1 100644 --- a/lib/dns/db.c +++ b/lib/dns/db.c @@ -1170,3 +1170,12 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) { } return (ISC_R_NOTIMPLEMENTED); } + +void +dns_db_setmaxrrperset(dns_db_t *db, uint32_t value) { + REQUIRE(DNS_DB_VALID(db)); + + if (db->methods->setmaxrrperset != NULL) { + (db->methods->setmaxrrperset)(db, value); + } +} diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h index 72cf80c3f4..738ab4cfe0 100644 --- a/lib/dns/include/dns/cache.h +++ b/lib/dns/include/dns/cache.h @@ -246,6 +246,12 @@ dns_cache_updatestats(dns_cache_t *cache, isc_result_t result); * Update cache statistics based on result code in 'result' */ +void +dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value); +/*%< + * Set the maximum resource records per RRSet that can be cached. + */ + #ifdef HAVE_LIBXML2 int dns_cache_renderxml(dns_cache_t *cache, void *writer0); diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index fe968f3abe..96f9d58a12 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -183,6 +183,7 @@ typedef struct dns_dbmethods { void (*deletedata)(dns_db_t *db, dns_dbnode_t *node, void *data); isc_result_t (*nodefullname)(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name); + void (*setmaxrrperset)(dns_db_t *db, uint32_t value); } dns_dbmethods_t; typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx, @@ -1800,4 +1801,12 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name); * \li 'db' is a valid database * \li 'node' and 'name' are not NULL */ + +void +dns_db_setmaxrrperset(dns_db_t *db, uint32_t value); +/*%< + * Set the maximum permissible number of RRs per RRset. If 'value' + * is nonzero, then any subsequent attempt to add an rdataset with + * more than 'value' RRs will return ISC_R_TOOMANYRECORDS. + */ ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h index ab57716ef5..4227854669 100644 --- a/lib/dns/include/dns/rdataslab.h +++ b/lib/dns/include/dns/rdataslab.h @@ -169,7 +169,8 @@ extern dns_rdatasetmethods_t dns_rdataslab_rdatasetmethods; isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, - isc_region_t *region, unsigned int reservelen); + isc_region_t *region, unsigned int reservelen, + uint32_t limit); /*%< * Slabify a rdataset. The slab area will be allocated and returned * in 'region'. @@ -225,7 +226,8 @@ isc_result_t dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, unsigned int reservelen, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_rdatatype_t type, - unsigned int flags, unsigned char **tslabp); + unsigned int flags, uint32_t maxrrperset, + unsigned char **tslabp); /*%< * Merge 'oslab' and 'nslab'. */ diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index b582828266..e97835f8c6 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -183,6 +183,7 @@ struct dns_view { uint32_t fail_ttl; dns_badcache_t *failcache; unsigned int udpsize; + uint32_t maxrrperset; /* * Configurable data for server use only, @@ -1242,6 +1243,12 @@ dns_view_getresolver(dns_view_t *view, dns_resolver_t **resolverp); * Return the resolver associated with the view. */ +void +dns_view_setmaxrrperset(dns_view_t *view, uint32_t value); +/*%< + * Set the maximum resource records per RRSet that can be cached. + */ + void dns_view_setudpsize(dns_view_t *view, uint16_t udpsize); /*%< diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 2519f97911..bdcff3061c 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -366,6 +366,19 @@ dns_zone_getmaxrecords(dns_zone_t *zone); *\li uint32_t maxrecords. */ +void +dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t maxrrperset); +/*%< + * Sets the maximum number of records per rrset permitted in a zone. + * 0 implies unlimited. + * + * Requires: + *\li 'zone' to be valid initialised zone. + * + * Returns: + *\li void + */ + void dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl); /*%< diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index c4ef39f9d8..329decbb6f 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -217,6 +217,8 @@ struct qpcache { /* Locked by lock. */ unsigned int active; + uint32_t maxrrperset; /* Maximum RRs per RRset */ + /* * The time after a failed lookup, where stale answers from cache * may be used directly in a DNS response without attempting a @@ -3280,7 +3282,7 @@ find_header: } static isc_result_t -addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, +addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset, dns_rdataset_t *rdataset) { isc_result_t result; dns_slabheader_proof_t *noqname = NULL; @@ -3291,12 +3293,12 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); - result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0); + result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0); + result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -3319,7 +3321,7 @@ cleanup: } static isc_result_t -addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, +addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset, dns_rdataset_t *rdataset) { isc_result_t result; dns_slabheader_proof_t *closest = NULL; @@ -3330,12 +3332,12 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); - result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0); + result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0); + result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -3386,7 +3388,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, } result = dns_rdataslab_fromrdataset(rdataset, qpdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + qpdb->maxrrperset); if (result != ISC_R_SUCCESS) { return (result); } @@ -3423,14 +3426,16 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, DNS_SLABHEADER_SETATTR(newheader, DNS_SLABHEADERATTR_OPTOUT); } if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) { - result = addnoqname(qpdb->common.mctx, newheader, rdataset); + result = addnoqname(qpdb->common.mctx, newheader, + qpdb->maxrrperset, rdataset); if (result != ISC_R_SUCCESS) { dns_slabheader_destroy(&newheader); return (result); } } if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) { - result = addclosest(qpdb->common.mctx, newheader, rdataset); + result = addclosest(qpdb->common.mctx, newheader, + qpdb->maxrrperset, rdataset); if (result != ISC_R_SUCCESS) { dns_slabheader_destroy(&newheader); return (result); @@ -4330,6 +4335,15 @@ expire_ttl_headers(qpcache_t *qpdb, unsigned int locknum, } } +static void +setmaxrrperset(dns_db_t *db, uint32_t value) { + qpcache_t *qpdb = (qpcache_t *)db; + + REQUIRE(VALID_QPDB(qpdb)); + + qpdb->maxrrperset = value; +} + static dns_dbmethods_t qpdb_cachemethods = { .destroy = qpdb_destroy, .findnode = findnode, @@ -4354,6 +4368,7 @@ static dns_dbmethods_t qpdb_cachemethods = { .unlocknode = unlocknode, .expiredata = expiredata, .deletedata = deletedata, + .setmaxrrperset = setmaxrrperset, }; static void diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c index b2b5674949..da692d2538 100644 --- a/lib/dns/qpzone.c +++ b/lib/dns/qpzone.c @@ -178,6 +178,7 @@ struct qpzonedb { uint32_t current_serial; uint32_t least_serial; uint32_t next_serial; + uint32_t maxrrperset; qpz_version_t *current_version; qpz_version_t *future_version; qpz_versionlist_t open_versions; @@ -1898,7 +1899,7 @@ add(qpzonedb_t *qpdb, qpznode_t *node, const dns_name_t *nodename, (unsigned int)(sizeof(*newheader)), qpdb->common.mctx, qpdb->common.rdclass, (dns_rdatatype_t)header->type, flags, - &merged); + qpdb->maxrrperset, &merged); } if (result == ISC_R_SUCCESS) { /* @@ -2147,7 +2148,8 @@ loading_addrdataset(void *arg, const dns_name_t *name, loading_addnode(loadctx, name, rdataset->type, rdataset->covers, &node); result = dns_rdataslab_fromrdataset(rdataset, qpdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + qpdb->maxrrperset); if (result != ISC_R_SUCCESS) { return (result); } @@ -4648,7 +4650,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *dbnode, dns_dbversion_t *dbversion, rdataset->covers != dns_rdatatype_nsec3))); result = dns_rdataslab_fromrdataset(rdataset, qpdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + qpdb->maxrrperset); if (result != ISC_R_SUCCESS) { return (result); } @@ -4767,7 +4770,8 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *dbnode, dns_dbversion_t *dbversion, dns_name_copy(&node->name, nodename); result = dns_rdataslab_fromrdataset(rdataset, qpdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + 0); if (result != ISC_R_SUCCESS) { return (result); } @@ -5277,6 +5281,15 @@ addglue(dns_db_t *db, dns_dbversion_t *dbversion, dns_rdataset_t *rdataset, return (ISC_R_SUCCESS); } +static void +setmaxrrperset(dns_db_t *db, uint32_t value) { + qpzonedb_t *qpdb = (qpzonedb_t *)db; + + REQUIRE(VALID_QPZONE(qpdb)); + + qpdb->maxrrperset = value; +} + static dns_dbmethods_t qpdb_zonemethods = { .destroy = qpdb_destroy, .beginload = beginload, @@ -5310,6 +5323,7 @@ static dns_dbmethods_t qpdb_zonemethods = { .addglue = addglue, .deletedata = deletedata, .nodefullname = nodefullname, + .setmaxrrperset = setmaxrrperset, }; static void diff --git a/lib/dns/rbt-cachedb.c b/lib/dns/rbt-cachedb.c index f884174673..779eb143d6 100644 --- a/lib/dns/rbt-cachedb.c +++ b/lib/dns/rbt-cachedb.c @@ -1582,6 +1582,7 @@ dns_dbmethods_t dns__rbtdb_cachemethods = { .unlocknode = dns__rbtdb_unlocknode, .expiredata = expiredata, .deletedata = dns__rbtdb_deletedata, + .setmaxrrperset = dns__rbtdb_setmaxrrperset, }; /* diff --git a/lib/dns/rbt-zonedb.c b/lib/dns/rbt-zonedb.c index 43599fa381..93b71b9a98 100644 --- a/lib/dns/rbt-zonedb.c +++ b/lib/dns/rbt-zonedb.c @@ -1749,7 +1749,8 @@ loading_addrdataset(void *arg, const dns_name_t *name, } result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + rbtdb->maxrrperset); if (result != ISC_R_SUCCESS) { return (result); } @@ -2418,6 +2419,7 @@ dns_dbmethods_t dns__rbtdb_zonemethods = { .addglue = addglue, .deletedata = dns__rbtdb_deletedata, .nodefullname = dns__rbtdb_nodefullname, + .setmaxrrperset = dns__rbtdb_setmaxrrperset, }; void diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 0dee744b7a..71ac5c1951 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -2780,7 +2780,7 @@ find_header: rbtdb->common.mctx, rbtdb->common.rdclass, (dns_rdatatype_t)header->type, flags, - &merged); + rbtdb->maxrrperset, &merged); } if (result == ISC_R_SUCCESS) { /* @@ -3141,7 +3141,7 @@ delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, dns_typepair_t type) { } static isc_result_t -addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, +addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset, dns_rdataset_t *rdataset) { isc_result_t result; dns_slabheader_proof_t *noqname = NULL; @@ -3152,12 +3152,12 @@ addnoqname(isc_mem_t *mctx, dns_slabheader_t *newheader, result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); - result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0); + result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0); + result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -3180,7 +3180,7 @@ cleanup: } static isc_result_t -addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, +addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, uint32_t maxrrperset, dns_rdataset_t *rdataset) { isc_result_t result; dns_slabheader_proof_t *closest = NULL; @@ -3191,12 +3191,12 @@ addclosest(isc_mem_t *mctx, dns_slabheader_t *newheader, result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig); RUNTIME_CHECK(result == ISC_R_SUCCESS); - result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0); + result = dns_rdataslab_fromrdataset(&neg, mctx, &r1, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } - result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0); + result = dns_rdataslab_fromrdataset(&negsig, mctx, &r2, 0, maxrrperset); if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -3272,7 +3272,8 @@ dns__rbtdb_addrdataset(dns_db_t *db, dns_dbnode_t *node, } result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + rbtdb->maxrrperset); if (result != ISC_R_SUCCESS) { return (result); } @@ -3329,7 +3330,7 @@ dns__rbtdb_addrdataset(dns_db_t *db, dns_dbnode_t *node, } if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) { result = addnoqname(rbtdb->common.mctx, newheader, - rdataset); + rbtdb->maxrrperset, rdataset); if (result != ISC_R_SUCCESS) { dns_slabheader_destroy(&newheader); return (result); @@ -3337,7 +3338,7 @@ dns__rbtdb_addrdataset(dns_db_t *db, dns_dbnode_t *node, } if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) { result = addclosest(rbtdb->common.mctx, newheader, - rdataset); + rbtdb->maxrrperset, rdataset); if (result != ISC_R_SUCCESS) { dns_slabheader_destroy(&newheader); return (result); @@ -3487,7 +3488,8 @@ dns__rbtdb_subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns__rbtdb_nodefullname(db, node, nodename); result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx, - ®ion, sizeof(dns_slabheader_t)); + ®ion, sizeof(dns_slabheader_t), + 0); if (result != ISC_R_SUCCESS) { return (result); } @@ -4957,3 +4959,12 @@ expire_ttl_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, dns_expire_ttl DNS__DB_FLARG_PASS); } } + +void +dns__rbtdb_setmaxrrperset(dns_db_t *db, uint32_t value) { + dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; + + REQUIRE(VALID_RBTDB(rbtdb)); + + rbtdb->maxrrperset = value; +} diff --git a/lib/dns/rbtdb_p.h b/lib/dns/rbtdb_p.h index 46da32691a..fe06b30b13 100644 --- a/lib/dns/rbtdb_p.h +++ b/lib/dns/rbtdb_p.h @@ -114,6 +114,7 @@ struct dns_rbtdb { uint32_t current_serial; uint32_t least_serial; uint32_t next_serial; + uint32_t maxrrperset; dns_rbtdb_version_t *current_version; dns_rbtdb_version_t *future_version; rbtdb_versionlist_t open_versions; @@ -427,6 +428,12 @@ dns__rbtdb_setttl(dns_slabheader_t *header, dns_ttl_t newttl); * also update the TTL heap accordingly. */ +void +dns__rbtdb_setmaxrrperset(dns_db_t *db, uint32_t value); +/*%< + * Set the max RRs per RRset limit. + */ + /* * Functions specific to zone databases that are also called from rbtdb.c. */ diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c index 6063c1be9c..abbb902317 100644 --- a/lib/dns/rdataslab.c +++ b/lib/dns/rdataslab.c @@ -168,7 +168,8 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable, isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, - isc_region_t *region, unsigned int reservelen) { + isc_region_t *region, unsigned int reservelen, + uint32_t maxrrperset) { /* * Use &removed as a sentinel pointer for duplicate * rdata as rdata.data == NULL is valid. @@ -208,6 +209,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, return (ISC_R_SUCCESS); } + if (maxrrperset > 0 && nitems > maxrrperset) { + return (DNS_R_TOOMANYRECORDS); + } + if (nitems > 0xffff) { return (ISC_R_NOSPACE); } @@ -515,7 +520,8 @@ isc_result_t dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, unsigned int reservelen, isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_rdatatype_t type, - unsigned int flags, unsigned char **tslabp) { + unsigned int flags, uint32_t maxrrperset, + unsigned char **tslabp) { unsigned char *ocurrent = NULL, *ostart = NULL, *ncurrent = NULL; unsigned char *tstart = NULL, *tcurrent = NULL, *data = NULL; unsigned int ocount, ncount, count, olength, tlength, tcount, length; @@ -554,6 +560,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, #endif /* if DNS_RDATASET_FIXED */ INSIST(ocount > 0 && ncount > 0); + if (maxrrperset > 0 && ocount + ncount > maxrrperset) { + return (DNS_R_TOOMANYRECORDS); + } + #if DNS_RDATASET_FIXED oncount = ncount; #endif /* if DNS_RDATASET_FIXED */ diff --git a/lib/dns/view.c b/lib/dns/view.c index d338c80afa..15e2e303db 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -643,6 +643,8 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared) { dns_cache_attach(cache, &view->cache); dns_cache_attachdb(cache, &view->cachedb); INSIST(DNS_DB_VALID(view->cachedb)); + + dns_cache_setmaxrrperset(view->cache, view->maxrrperset); } bool @@ -2336,6 +2338,15 @@ dns_view_getresolver(dns_view_t *view, dns_resolver_t **resolverp) { return (result); } +void +dns_view_setmaxrrperset(dns_view_t *view, uint32_t value) { + REQUIRE(DNS_VIEW_VALID(view)); + view->maxrrperset = value; + if (view->cache != NULL) { + dns_cache_setmaxrrperset(view->cache, value); + } +} + void dns_view_setudpsize(dns_view_t *view, uint16_t udpsize) { REQUIRE(DNS_VIEW_VALID(view)); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3c2b2011dc..6c27dfe3ec 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -318,6 +318,7 @@ struct dns_zone { uint32_t minretry; uint32_t maxrecords; + uint32_t maxrrperset; dns_remote_t primaries; @@ -12057,6 +12058,16 @@ dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) { zone->maxrecords = val; } +void +dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t val) { + REQUIRE(DNS_ZONE_VALID(zone)); + + zone->maxrrperset = val; + if (zone->db != NULL) { + dns_db_setmaxrrperset(zone->db, val); + } +} + static bool notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name, isc_sockaddr_t *addr, dns_tsigkey_t *key, @@ -14458,6 +14469,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { goto cleanup; } dns_db_setloop(stub->db, zone->loop); + dns_db_setmaxrrperset(stub->db, zone->maxrrperset); } result = dns_db_newversion(stub->db, &stub->version); @@ -17514,6 +17526,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) { } zone_attachdb(zone, db); dns_db_setloop(zone->db, zone->loop); + dns_db_setmaxrrperset(zone->db, zone->maxrrperset); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY); return (ISC_R_SUCCESS); @@ -24153,6 +24166,7 @@ dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) { } dns_db_setloop(db, zone->loop); + dns_db_setmaxrrperset(db, zone->maxrrperset); *dbp = db; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 70bf565f19..528a52de05 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2372,6 +2372,9 @@ static cfg_clausedef_t zone_clauses[] = { { "max-records", &cfg_type_uint32, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, + { "max-records-per-type", &cfg_type_uint32, + CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, { "max-refresh-time", &cfg_type_uint32, CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-retry-time", &cfg_type_uint32, From 5d4e57b91453d05b484c6e70241bb7f3cb7ecdaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 23 May 2024 19:12:40 +0200 Subject: [PATCH 02/19] Add test for not-loading and not-transfering huge RRSets Add two new masterformat tests - the 'huge' zone fits within the ns1 limit and loads on the primary ns1 server, but must not transfer to the ns2 secondary, and the 'uber' zone should not even load on the primary ns1 server. --- bin/tests/system/doth/ns1/named.conf.in | 1 + bin/tests/system/limits/ns1/named.conf.in | 1 + bin/tests/system/masterformat/ns1/compile.sh | 2 + bin/tests/system/masterformat/ns1/huge.db.in | 22 +++++++ .../system/masterformat/ns1/named.conf.in | 15 +++++ bin/tests/system/masterformat/ns1/uber.db.in | 22 +++++++ .../system/masterformat/ns2/named.conf.in | 8 +++ bin/tests/system/masterformat/setup.sh | 19 +++++- bin/tests/system/masterformat/tests.sh | 60 ++++++++++++++++++- 9 files changed, 146 insertions(+), 4 deletions(-) create mode 100644 bin/tests/system/masterformat/ns1/huge.db.in create mode 100644 bin/tests/system/masterformat/ns1/uber.db.in diff --git a/bin/tests/system/doth/ns1/named.conf.in b/bin/tests/system/doth/ns1/named.conf.in index 62a6858011..df9a25daa7 100644 --- a/bin/tests/system/doth/ns1/named.conf.in +++ b/bin/tests/system/doth/ns1/named.conf.in @@ -98,6 +98,7 @@ options { tcp-initial-timeout 1200; transfers-in 100; transfers-out 100; + max-records-per-type 0; }; trust-anchors { }; diff --git a/bin/tests/system/limits/ns1/named.conf.in b/bin/tests/system/limits/ns1/named.conf.in index 780f9e21cb..2332acf1f1 100644 --- a/bin/tests/system/limits/ns1/named.conf.in +++ b/bin/tests/system/limits/ns1/named.conf.in @@ -23,6 +23,7 @@ options { notify yes; minimal-responses no; dnssec-validation no; + max-records-per-type 0; }; zone "." { diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 9ea1740ae2..7b2ff56b2f 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -27,6 +27,8 @@ $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \ $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o large.db.raw large large.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o huge.db.raw huge huge.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o uber.db.raw uber uber.db >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/ns1/huge.db.in b/bin/tests/system/masterformat/ns1/huge.db.in new file mode 100644 index 0000000000..5a818632a8 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/huge.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in index ca556f9747..c0897f2d82 100644 --- a/bin/tests/system/masterformat/ns1/named.conf.in +++ b/bin/tests/system/masterformat/ns1/named.conf.in @@ -23,6 +23,7 @@ options { session-keyfile "session.key"; servfail-ttl 0; dnssec-validation no; + max-records-per-type 2050; }; key rndc_key { @@ -85,6 +86,20 @@ zone "large" { allow-transfer { any; }; }; +zone "huge" { + type primary; + file "huge.db.raw"; + masterfile-format raw; + allow-transfer { any; }; +}; + +zone "uber" { + type primary; + file "uber.db.raw"; + masterfile-format raw; + allow-transfer { any; }; +}; + zone "signed" { type primary; file "signed.db.raw"; diff --git a/bin/tests/system/masterformat/ns1/uber.db.in b/bin/tests/system/masterformat/ns1/uber.db.in new file mode 100644 index 0000000000..5a818632a8 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/uber.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in index db68aef4d0..1b28b0cb0e 100644 --- a/bin/tests/system/masterformat/ns2/named.conf.in +++ b/bin/tests/system/masterformat/ns2/named.conf.in @@ -22,6 +22,7 @@ options { notify no; servfail-ttl 0; dnssec-validation no; + max-records-per-type 2000; }; zone "example" { @@ -62,3 +63,10 @@ zone "large" { masterfile-format raw; file "large.bk"; }; + +zone "huge" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format raw; + file "huge.bk"; +}; diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index c2bc0f646c..cc90f5a692 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -24,8 +24,23 @@ cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db cp ns1/large.db.in ns1/large.db awk 'END { - for (i = 0; i < 512; i++ ) { print "a TXT", i; } - for (i = 0; i < 1024; i++ ) { print "b TXT", i; } + for (i = 0; i < 500; i++ ) { print "a TXT", i; } + for (i = 0; i < 1000; i++ ) { print "b TXT", i; } for (i = 0; i < 2000; i++ ) { print "c TXT", i; } }' >ns1/large.db +cp ns1/huge.db.in ns1/huge.db +awk 'END { + for (i = 0; i < 500; i++ ) { print "a TXT", i; } + for (i = 0; i < 1000; i++ ) { print "b TXT", i; } + for (i = 0; i < 2000; i++ ) { print "c TXT", i; } + for (i = 0; i < 2050; i++ ) { print "d TXT", i; } +}' >ns1/huge.db +cp ns1/uber.db.in ns1/uber.db +awk 'END { + for (i = 0; i < 500; i++ ) { print "a TXT", i; } + for (i = 0; i < 1000; i++ ) { print "b TXT", i; } + for (i = 0; i < 2000; i++ ) { print "c TXT", i; } + for (i = 0; i < 2050; i++ ) { print "d TXT", i; } + for (i = 0; i < 2100; i++ ) { print "e TXT", i; } +}' >ns1/uber.db cd ns1 && $SHELL compile.sh diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index feb2a7502f..27d37a3ff3 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -177,8 +177,64 @@ echo_i "checking that large rdatasets loaded ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 for a in a b c; do - $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" - grep "status: NOERROR" "dig.out.ns2.test$n" >/dev/null || ret=1 + $DIG +tcp txt "${a}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" + grep "status: NOERROR" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that large rdatasets transfered ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c; do + $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$a.test$n" + grep "status: NOERROR" "dig.out.ns2.$a.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that huge rdatasets loaded ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c d; do + $DIG +tcp txt "${a}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" + grep "status: NOERROR" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that huge rdatasets not transfered ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c d; do + $DIG +tcp txt "${a}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$a.test$n" + grep "status: SERVFAIL" "dig.out.ns2.$a.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that uber rdatasets not loaded ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for a in a b c d e; do + $DIG +tcp txt "${a}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" + grep "status: SERVFAIL" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 From 3dc4388f4a1aef182c66cf8b9bc1892613146b8c Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 23 May 2024 19:07:34 -0700 Subject: [PATCH 03/19] Add a test for not caching large RRset Send a recursive query for a large (2500 record) RRset, which should fail when using the default max-records-per-type setting of 100, but succeed when the cap is disabled. --- bin/tests/system/reclimit/ns1/big.db | 2515 ++++++++++++++++++ bin/tests/system/reclimit/ns1/named.conf.in | 6 + bin/tests/system/reclimit/ns1/root.db | 3 + bin/tests/system/reclimit/ns3/named5.conf.in | 42 + bin/tests/system/reclimit/tests.sh | 12 +- 5 files changed, 2577 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/reclimit/ns1/big.db create mode 100644 bin/tests/system/reclimit/ns3/named5.conf.in diff --git a/bin/tests/system/reclimit/ns1/big.db b/bin/tests/system/reclimit/ns1/big.db new file mode 100644 index 0000000000..bddceb76e7 --- /dev/null +++ b/bin/tests/system/reclimit/ns1/big.db @@ -0,0 +1,2515 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +big. 60 IN SOA ns.big. hostmaster.ns.big. 1 0 0 0 0 +big. 60 IN NS ns.big. +ns.big. 60 IN A 10.53.0.1 + +biganswer.big. 60 IN A 10.10.1.1 +biganswer.big. 60 IN A 10.10.1.2 +biganswer.big. 60 IN A 10.10.1.3 +biganswer.big. 60 IN A 10.10.1.4 +biganswer.big. 60 IN A 10.10.1.5 +biganswer.big. 60 IN A 10.10.1.6 +biganswer.big. 60 IN A 10.10.1.7 +biganswer.big. 60 IN A 10.10.1.8 +biganswer.big. 60 IN A 10.10.1.9 +biganswer.big. 60 IN A 10.10.1.10 +biganswer.big. 60 IN A 10.10.1.11 +biganswer.big. 60 IN A 10.10.1.12 +biganswer.big. 60 IN A 10.10.1.13 +biganswer.big. 60 IN A 10.10.1.14 +biganswer.big. 60 IN A 10.10.1.15 +biganswer.big. 60 IN A 10.10.1.16 +biganswer.big. 60 IN A 10.10.1.17 +biganswer.big. 60 IN A 10.10.1.18 +biganswer.big. 60 IN A 10.10.1.19 +biganswer.big. 60 IN A 10.10.1.20 +biganswer.big. 60 IN A 10.10.1.21 +biganswer.big. 60 IN A 10.10.1.22 +biganswer.big. 60 IN A 10.10.1.23 +biganswer.big. 60 IN A 10.10.1.24 +biganswer.big. 60 IN A 10.10.1.25 +biganswer.big. 60 IN A 10.10.1.26 +biganswer.big. 60 IN A 10.10.1.27 +biganswer.big. 60 IN A 10.10.1.28 +biganswer.big. 60 IN A 10.10.1.29 +biganswer.big. 60 IN A 10.10.1.30 +biganswer.big. 60 IN A 10.10.1.31 +biganswer.big. 60 IN A 10.10.1.32 +biganswer.big. 60 IN A 10.10.1.33 +biganswer.big. 60 IN A 10.10.1.34 +biganswer.big. 60 IN A 10.10.1.35 +biganswer.big. 60 IN A 10.10.1.36 +biganswer.big. 60 IN A 10.10.1.37 +biganswer.big. 60 IN A 10.10.1.38 +biganswer.big. 60 IN A 10.10.1.39 +biganswer.big. 60 IN A 10.10.1.40 +biganswer.big. 60 IN A 10.10.1.41 +biganswer.big. 60 IN A 10.10.1.42 +biganswer.big. 60 IN A 10.10.1.43 +biganswer.big. 60 IN A 10.10.1.44 +biganswer.big. 60 IN A 10.10.1.45 +biganswer.big. 60 IN A 10.10.1.46 +biganswer.big. 60 IN A 10.10.1.47 +biganswer.big. 60 IN A 10.10.1.48 +biganswer.big. 60 IN A 10.10.1.49 +biganswer.big. 60 IN A 10.10.1.50 +biganswer.big. 60 IN A 10.10.2.1 +biganswer.big. 60 IN A 10.10.2.2 +biganswer.big. 60 IN A 10.10.2.3 +biganswer.big. 60 IN A 10.10.2.4 +biganswer.big. 60 IN A 10.10.2.5 +biganswer.big. 60 IN A 10.10.2.6 +biganswer.big. 60 IN A 10.10.2.7 +biganswer.big. 60 IN A 10.10.2.8 +biganswer.big. 60 IN A 10.10.2.9 +biganswer.big. 60 IN A 10.10.2.10 +biganswer.big. 60 IN A 10.10.2.11 +biganswer.big. 60 IN A 10.10.2.12 +biganswer.big. 60 IN A 10.10.2.13 +biganswer.big. 60 IN A 10.10.2.14 +biganswer.big. 60 IN A 10.10.2.15 +biganswer.big. 60 IN A 10.10.2.16 +biganswer.big. 60 IN A 10.10.2.17 +biganswer.big. 60 IN A 10.10.2.18 +biganswer.big. 60 IN A 10.10.2.19 +biganswer.big. 60 IN A 10.10.2.20 +biganswer.big. 60 IN A 10.10.2.21 +biganswer.big. 60 IN A 10.10.2.22 +biganswer.big. 60 IN A 10.10.2.23 +biganswer.big. 60 IN A 10.10.2.24 +biganswer.big. 60 IN A 10.10.2.25 +biganswer.big. 60 IN A 10.10.2.26 +biganswer.big. 60 IN A 10.10.2.27 +biganswer.big. 60 IN A 10.10.2.28 +biganswer.big. 60 IN A 10.10.2.29 +biganswer.big. 60 IN A 10.10.2.30 +biganswer.big. 60 IN A 10.10.2.31 +biganswer.big. 60 IN A 10.10.2.32 +biganswer.big. 60 IN A 10.10.2.33 +biganswer.big. 60 IN A 10.10.2.34 +biganswer.big. 60 IN A 10.10.2.35 +biganswer.big. 60 IN A 10.10.2.36 +biganswer.big. 60 IN A 10.10.2.37 +biganswer.big. 60 IN A 10.10.2.38 +biganswer.big. 60 IN A 10.10.2.39 +biganswer.big. 60 IN A 10.10.2.40 +biganswer.big. 60 IN A 10.10.2.41 +biganswer.big. 60 IN A 10.10.2.42 +biganswer.big. 60 IN A 10.10.2.43 +biganswer.big. 60 IN A 10.10.2.44 +biganswer.big. 60 IN A 10.10.2.45 +biganswer.big. 60 IN A 10.10.2.46 +biganswer.big. 60 IN A 10.10.2.47 +biganswer.big. 60 IN A 10.10.2.48 +biganswer.big. 60 IN A 10.10.2.49 +biganswer.big. 60 IN A 10.10.2.50 +biganswer.big. 60 IN A 10.10.3.1 +biganswer.big. 60 IN A 10.10.3.2 +biganswer.big. 60 IN A 10.10.3.3 +biganswer.big. 60 IN A 10.10.3.4 +biganswer.big. 60 IN A 10.10.3.5 +biganswer.big. 60 IN A 10.10.3.6 +biganswer.big. 60 IN A 10.10.3.7 +biganswer.big. 60 IN A 10.10.3.8 +biganswer.big. 60 IN A 10.10.3.9 +biganswer.big. 60 IN A 10.10.3.10 +biganswer.big. 60 IN A 10.10.3.11 +biganswer.big. 60 IN A 10.10.3.12 +biganswer.big. 60 IN A 10.10.3.13 +biganswer.big. 60 IN A 10.10.3.14 +biganswer.big. 60 IN A 10.10.3.15 +biganswer.big. 60 IN A 10.10.3.16 +biganswer.big. 60 IN A 10.10.3.17 +biganswer.big. 60 IN A 10.10.3.18 +biganswer.big. 60 IN A 10.10.3.19 +biganswer.big. 60 IN A 10.10.3.20 +biganswer.big. 60 IN A 10.10.3.21 +biganswer.big. 60 IN A 10.10.3.22 +biganswer.big. 60 IN A 10.10.3.23 +biganswer.big. 60 IN A 10.10.3.24 +biganswer.big. 60 IN A 10.10.3.25 +biganswer.big. 60 IN A 10.10.3.26 +biganswer.big. 60 IN A 10.10.3.27 +biganswer.big. 60 IN A 10.10.3.28 +biganswer.big. 60 IN A 10.10.3.29 +biganswer.big. 60 IN A 10.10.3.30 +biganswer.big. 60 IN A 10.10.3.31 +biganswer.big. 60 IN A 10.10.3.32 +biganswer.big. 60 IN A 10.10.3.33 +biganswer.big. 60 IN A 10.10.3.34 +biganswer.big. 60 IN A 10.10.3.35 +biganswer.big. 60 IN A 10.10.3.36 +biganswer.big. 60 IN A 10.10.3.37 +biganswer.big. 60 IN A 10.10.3.38 +biganswer.big. 60 IN A 10.10.3.39 +biganswer.big. 60 IN A 10.10.3.40 +biganswer.big. 60 IN A 10.10.3.41 +biganswer.big. 60 IN A 10.10.3.42 +biganswer.big. 60 IN A 10.10.3.43 +biganswer.big. 60 IN A 10.10.3.44 +biganswer.big. 60 IN A 10.10.3.45 +biganswer.big. 60 IN A 10.10.3.46 +biganswer.big. 60 IN A 10.10.3.47 +biganswer.big. 60 IN A 10.10.3.48 +biganswer.big. 60 IN A 10.10.3.49 +biganswer.big. 60 IN A 10.10.3.50 +biganswer.big. 60 IN A 10.10.4.1 +biganswer.big. 60 IN A 10.10.4.2 +biganswer.big. 60 IN A 10.10.4.3 +biganswer.big. 60 IN A 10.10.4.4 +biganswer.big. 60 IN A 10.10.4.5 +biganswer.big. 60 IN A 10.10.4.6 +biganswer.big. 60 IN A 10.10.4.7 +biganswer.big. 60 IN A 10.10.4.8 +biganswer.big. 60 IN A 10.10.4.9 +biganswer.big. 60 IN A 10.10.4.10 +biganswer.big. 60 IN A 10.10.4.11 +biganswer.big. 60 IN A 10.10.4.12 +biganswer.big. 60 IN A 10.10.4.13 +biganswer.big. 60 IN A 10.10.4.14 +biganswer.big. 60 IN A 10.10.4.15 +biganswer.big. 60 IN A 10.10.4.16 +biganswer.big. 60 IN A 10.10.4.17 +biganswer.big. 60 IN A 10.10.4.18 +biganswer.big. 60 IN A 10.10.4.19 +biganswer.big. 60 IN A 10.10.4.20 +biganswer.big. 60 IN A 10.10.4.21 +biganswer.big. 60 IN A 10.10.4.22 +biganswer.big. 60 IN A 10.10.4.23 +biganswer.big. 60 IN A 10.10.4.24 +biganswer.big. 60 IN A 10.10.4.25 +biganswer.big. 60 IN A 10.10.4.26 +biganswer.big. 60 IN A 10.10.4.27 +biganswer.big. 60 IN A 10.10.4.28 +biganswer.big. 60 IN A 10.10.4.29 +biganswer.big. 60 IN A 10.10.4.30 +biganswer.big. 60 IN A 10.10.4.31 +biganswer.big. 60 IN A 10.10.4.32 +biganswer.big. 60 IN A 10.10.4.33 +biganswer.big. 60 IN A 10.10.4.34 +biganswer.big. 60 IN A 10.10.4.35 +biganswer.big. 60 IN A 10.10.4.36 +biganswer.big. 60 IN A 10.10.4.37 +biganswer.big. 60 IN A 10.10.4.38 +biganswer.big. 60 IN A 10.10.4.39 +biganswer.big. 60 IN A 10.10.4.40 +biganswer.big. 60 IN A 10.10.4.41 +biganswer.big. 60 IN A 10.10.4.42 +biganswer.big. 60 IN A 10.10.4.43 +biganswer.big. 60 IN A 10.10.4.44 +biganswer.big. 60 IN A 10.10.4.45 +biganswer.big. 60 IN A 10.10.4.46 +biganswer.big. 60 IN A 10.10.4.47 +biganswer.big. 60 IN A 10.10.4.48 +biganswer.big. 60 IN A 10.10.4.49 +biganswer.big. 60 IN A 10.10.4.50 +biganswer.big. 60 IN A 10.10.5.1 +biganswer.big. 60 IN A 10.10.5.2 +biganswer.big. 60 IN A 10.10.5.3 +biganswer.big. 60 IN A 10.10.5.4 +biganswer.big. 60 IN A 10.10.5.5 +biganswer.big. 60 IN A 10.10.5.6 +biganswer.big. 60 IN A 10.10.5.7 +biganswer.big. 60 IN A 10.10.5.8 +biganswer.big. 60 IN A 10.10.5.9 +biganswer.big. 60 IN A 10.10.5.10 +biganswer.big. 60 IN A 10.10.5.11 +biganswer.big. 60 IN A 10.10.5.12 +biganswer.big. 60 IN A 10.10.5.13 +biganswer.big. 60 IN A 10.10.5.14 +biganswer.big. 60 IN A 10.10.5.15 +biganswer.big. 60 IN A 10.10.5.16 +biganswer.big. 60 IN A 10.10.5.17 +biganswer.big. 60 IN A 10.10.5.18 +biganswer.big. 60 IN A 10.10.5.19 +biganswer.big. 60 IN A 10.10.5.20 +biganswer.big. 60 IN A 10.10.5.21 +biganswer.big. 60 IN A 10.10.5.22 +biganswer.big. 60 IN A 10.10.5.23 +biganswer.big. 60 IN A 10.10.5.24 +biganswer.big. 60 IN A 10.10.5.25 +biganswer.big. 60 IN A 10.10.5.26 +biganswer.big. 60 IN A 10.10.5.27 +biganswer.big. 60 IN A 10.10.5.28 +biganswer.big. 60 IN A 10.10.5.29 +biganswer.big. 60 IN A 10.10.5.30 +biganswer.big. 60 IN A 10.10.5.31 +biganswer.big. 60 IN A 10.10.5.32 +biganswer.big. 60 IN A 10.10.5.33 +biganswer.big. 60 IN A 10.10.5.34 +biganswer.big. 60 IN A 10.10.5.35 +biganswer.big. 60 IN A 10.10.5.36 +biganswer.big. 60 IN A 10.10.5.37 +biganswer.big. 60 IN A 10.10.5.38 +biganswer.big. 60 IN A 10.10.5.39 +biganswer.big. 60 IN A 10.10.5.40 +biganswer.big. 60 IN A 10.10.5.41 +biganswer.big. 60 IN A 10.10.5.42 +biganswer.big. 60 IN A 10.10.5.43 +biganswer.big. 60 IN A 10.10.5.44 +biganswer.big. 60 IN A 10.10.5.45 +biganswer.big. 60 IN A 10.10.5.46 +biganswer.big. 60 IN A 10.10.5.47 +biganswer.big. 60 IN A 10.10.5.48 +biganswer.big. 60 IN A 10.10.5.49 +biganswer.big. 60 IN A 10.10.5.50 +biganswer.big. 60 IN A 10.10.6.1 +biganswer.big. 60 IN A 10.10.6.2 +biganswer.big. 60 IN A 10.10.6.3 +biganswer.big. 60 IN A 10.10.6.4 +biganswer.big. 60 IN A 10.10.6.5 +biganswer.big. 60 IN A 10.10.6.6 +biganswer.big. 60 IN A 10.10.6.7 +biganswer.big. 60 IN A 10.10.6.8 +biganswer.big. 60 IN A 10.10.6.9 +biganswer.big. 60 IN A 10.10.6.10 +biganswer.big. 60 IN A 10.10.6.11 +biganswer.big. 60 IN A 10.10.6.12 +biganswer.big. 60 IN A 10.10.6.13 +biganswer.big. 60 IN A 10.10.6.14 +biganswer.big. 60 IN A 10.10.6.15 +biganswer.big. 60 IN A 10.10.6.16 +biganswer.big. 60 IN A 10.10.6.17 +biganswer.big. 60 IN A 10.10.6.18 +biganswer.big. 60 IN A 10.10.6.19 +biganswer.big. 60 IN A 10.10.6.20 +biganswer.big. 60 IN A 10.10.6.21 +biganswer.big. 60 IN A 10.10.6.22 +biganswer.big. 60 IN A 10.10.6.23 +biganswer.big. 60 IN A 10.10.6.24 +biganswer.big. 60 IN A 10.10.6.25 +biganswer.big. 60 IN A 10.10.6.26 +biganswer.big. 60 IN A 10.10.6.27 +biganswer.big. 60 IN A 10.10.6.28 +biganswer.big. 60 IN A 10.10.6.29 +biganswer.big. 60 IN A 10.10.6.30 +biganswer.big. 60 IN A 10.10.6.31 +biganswer.big. 60 IN A 10.10.6.32 +biganswer.big. 60 IN A 10.10.6.33 +biganswer.big. 60 IN A 10.10.6.34 +biganswer.big. 60 IN A 10.10.6.35 +biganswer.big. 60 IN A 10.10.6.36 +biganswer.big. 60 IN A 10.10.6.37 +biganswer.big. 60 IN A 10.10.6.38 +biganswer.big. 60 IN A 10.10.6.39 +biganswer.big. 60 IN A 10.10.6.40 +biganswer.big. 60 IN A 10.10.6.41 +biganswer.big. 60 IN A 10.10.6.42 +biganswer.big. 60 IN A 10.10.6.43 +biganswer.big. 60 IN A 10.10.6.44 +biganswer.big. 60 IN A 10.10.6.45 +biganswer.big. 60 IN A 10.10.6.46 +biganswer.big. 60 IN A 10.10.6.47 +biganswer.big. 60 IN A 10.10.6.48 +biganswer.big. 60 IN A 10.10.6.49 +biganswer.big. 60 IN A 10.10.6.50 +biganswer.big. 60 IN A 10.10.7.1 +biganswer.big. 60 IN A 10.10.7.2 +biganswer.big. 60 IN A 10.10.7.3 +biganswer.big. 60 IN A 10.10.7.4 +biganswer.big. 60 IN A 10.10.7.5 +biganswer.big. 60 IN A 10.10.7.6 +biganswer.big. 60 IN A 10.10.7.7 +biganswer.big. 60 IN A 10.10.7.8 +biganswer.big. 60 IN A 10.10.7.9 +biganswer.big. 60 IN A 10.10.7.10 +biganswer.big. 60 IN A 10.10.7.11 +biganswer.big. 60 IN A 10.10.7.12 +biganswer.big. 60 IN A 10.10.7.13 +biganswer.big. 60 IN A 10.10.7.14 +biganswer.big. 60 IN A 10.10.7.15 +biganswer.big. 60 IN A 10.10.7.16 +biganswer.big. 60 IN A 10.10.7.17 +biganswer.big. 60 IN A 10.10.7.18 +biganswer.big. 60 IN A 10.10.7.19 +biganswer.big. 60 IN A 10.10.7.20 +biganswer.big. 60 IN A 10.10.7.21 +biganswer.big. 60 IN A 10.10.7.22 +biganswer.big. 60 IN A 10.10.7.23 +biganswer.big. 60 IN A 10.10.7.24 +biganswer.big. 60 IN A 10.10.7.25 +biganswer.big. 60 IN A 10.10.7.26 +biganswer.big. 60 IN A 10.10.7.27 +biganswer.big. 60 IN A 10.10.7.28 +biganswer.big. 60 IN A 10.10.7.29 +biganswer.big. 60 IN A 10.10.7.30 +biganswer.big. 60 IN A 10.10.7.31 +biganswer.big. 60 IN A 10.10.7.32 +biganswer.big. 60 IN A 10.10.7.33 +biganswer.big. 60 IN A 10.10.7.34 +biganswer.big. 60 IN A 10.10.7.35 +biganswer.big. 60 IN A 10.10.7.36 +biganswer.big. 60 IN A 10.10.7.37 +biganswer.big. 60 IN A 10.10.7.38 +biganswer.big. 60 IN A 10.10.7.39 +biganswer.big. 60 IN A 10.10.7.40 +biganswer.big. 60 IN A 10.10.7.41 +biganswer.big. 60 IN A 10.10.7.42 +biganswer.big. 60 IN A 10.10.7.43 +biganswer.big. 60 IN A 10.10.7.44 +biganswer.big. 60 IN A 10.10.7.45 +biganswer.big. 60 IN A 10.10.7.46 +biganswer.big. 60 IN A 10.10.7.47 +biganswer.big. 60 IN A 10.10.7.48 +biganswer.big. 60 IN A 10.10.7.49 +biganswer.big. 60 IN A 10.10.7.50 +biganswer.big. 60 IN A 10.10.8.1 +biganswer.big. 60 IN A 10.10.8.2 +biganswer.big. 60 IN A 10.10.8.3 +biganswer.big. 60 IN A 10.10.8.4 +biganswer.big. 60 IN A 10.10.8.5 +biganswer.big. 60 IN A 10.10.8.6 +biganswer.big. 60 IN A 10.10.8.7 +biganswer.big. 60 IN A 10.10.8.8 +biganswer.big. 60 IN A 10.10.8.9 +biganswer.big. 60 IN A 10.10.8.10 +biganswer.big. 60 IN A 10.10.8.11 +biganswer.big. 60 IN A 10.10.8.12 +biganswer.big. 60 IN A 10.10.8.13 +biganswer.big. 60 IN A 10.10.8.14 +biganswer.big. 60 IN A 10.10.8.15 +biganswer.big. 60 IN A 10.10.8.16 +biganswer.big. 60 IN A 10.10.8.17 +biganswer.big. 60 IN A 10.10.8.18 +biganswer.big. 60 IN A 10.10.8.19 +biganswer.big. 60 IN A 10.10.8.20 +biganswer.big. 60 IN A 10.10.8.21 +biganswer.big. 60 IN A 10.10.8.22 +biganswer.big. 60 IN A 10.10.8.23 +biganswer.big. 60 IN A 10.10.8.24 +biganswer.big. 60 IN A 10.10.8.25 +biganswer.big. 60 IN A 10.10.8.26 +biganswer.big. 60 IN A 10.10.8.27 +biganswer.big. 60 IN A 10.10.8.28 +biganswer.big. 60 IN A 10.10.8.29 +biganswer.big. 60 IN A 10.10.8.30 +biganswer.big. 60 IN A 10.10.8.31 +biganswer.big. 60 IN A 10.10.8.32 +biganswer.big. 60 IN A 10.10.8.33 +biganswer.big. 60 IN A 10.10.8.34 +biganswer.big. 60 IN A 10.10.8.35 +biganswer.big. 60 IN A 10.10.8.36 +biganswer.big. 60 IN A 10.10.8.37 +biganswer.big. 60 IN A 10.10.8.38 +biganswer.big. 60 IN A 10.10.8.39 +biganswer.big. 60 IN A 10.10.8.40 +biganswer.big. 60 IN A 10.10.8.41 +biganswer.big. 60 IN A 10.10.8.42 +biganswer.big. 60 IN A 10.10.8.43 +biganswer.big. 60 IN A 10.10.8.44 +biganswer.big. 60 IN A 10.10.8.45 +biganswer.big. 60 IN A 10.10.8.46 +biganswer.big. 60 IN A 10.10.8.47 +biganswer.big. 60 IN A 10.10.8.48 +biganswer.big. 60 IN A 10.10.8.49 +biganswer.big. 60 IN A 10.10.8.50 +biganswer.big. 60 IN A 10.10.9.1 +biganswer.big. 60 IN A 10.10.9.2 +biganswer.big. 60 IN A 10.10.9.3 +biganswer.big. 60 IN A 10.10.9.4 +biganswer.big. 60 IN A 10.10.9.5 +biganswer.big. 60 IN A 10.10.9.6 +biganswer.big. 60 IN A 10.10.9.7 +biganswer.big. 60 IN A 10.10.9.8 +biganswer.big. 60 IN A 10.10.9.9 +biganswer.big. 60 IN A 10.10.9.10 +biganswer.big. 60 IN A 10.10.9.11 +biganswer.big. 60 IN A 10.10.9.12 +biganswer.big. 60 IN A 10.10.9.13 +biganswer.big. 60 IN A 10.10.9.14 +biganswer.big. 60 IN A 10.10.9.15 +biganswer.big. 60 IN A 10.10.9.16 +biganswer.big. 60 IN A 10.10.9.17 +biganswer.big. 60 IN A 10.10.9.18 +biganswer.big. 60 IN A 10.10.9.19 +biganswer.big. 60 IN A 10.10.9.20 +biganswer.big. 60 IN A 10.10.9.21 +biganswer.big. 60 IN A 10.10.9.22 +biganswer.big. 60 IN A 10.10.9.23 +biganswer.big. 60 IN A 10.10.9.24 +biganswer.big. 60 IN A 10.10.9.25 +biganswer.big. 60 IN A 10.10.9.26 +biganswer.big. 60 IN A 10.10.9.27 +biganswer.big. 60 IN A 10.10.9.28 +biganswer.big. 60 IN A 10.10.9.29 +biganswer.big. 60 IN A 10.10.9.30 +biganswer.big. 60 IN A 10.10.9.31 +biganswer.big. 60 IN A 10.10.9.32 +biganswer.big. 60 IN A 10.10.9.33 +biganswer.big. 60 IN A 10.10.9.34 +biganswer.big. 60 IN A 10.10.9.35 +biganswer.big. 60 IN A 10.10.9.36 +biganswer.big. 60 IN A 10.10.9.37 +biganswer.big. 60 IN A 10.10.9.38 +biganswer.big. 60 IN A 10.10.9.39 +biganswer.big. 60 IN A 10.10.9.40 +biganswer.big. 60 IN A 10.10.9.41 +biganswer.big. 60 IN A 10.10.9.42 +biganswer.big. 60 IN A 10.10.9.43 +biganswer.big. 60 IN A 10.10.9.44 +biganswer.big. 60 IN A 10.10.9.45 +biganswer.big. 60 IN A 10.10.9.46 +biganswer.big. 60 IN A 10.10.9.47 +biganswer.big. 60 IN A 10.10.9.48 +biganswer.big. 60 IN A 10.10.9.49 +biganswer.big. 60 IN A 10.10.9.50 +biganswer.big. 60 IN A 10.10.10.1 +biganswer.big. 60 IN A 10.10.10.2 +biganswer.big. 60 IN A 10.10.10.3 +biganswer.big. 60 IN A 10.10.10.4 +biganswer.big. 60 IN A 10.10.10.5 +biganswer.big. 60 IN A 10.10.10.6 +biganswer.big. 60 IN A 10.10.10.7 +biganswer.big. 60 IN A 10.10.10.8 +biganswer.big. 60 IN A 10.10.10.9 +biganswer.big. 60 IN A 10.10.10.10 +biganswer.big. 60 IN A 10.10.10.11 +biganswer.big. 60 IN A 10.10.10.12 +biganswer.big. 60 IN A 10.10.10.13 +biganswer.big. 60 IN A 10.10.10.14 +biganswer.big. 60 IN A 10.10.10.15 +biganswer.big. 60 IN A 10.10.10.16 +biganswer.big. 60 IN A 10.10.10.17 +biganswer.big. 60 IN A 10.10.10.18 +biganswer.big. 60 IN A 10.10.10.19 +biganswer.big. 60 IN A 10.10.10.20 +biganswer.big. 60 IN A 10.10.10.21 +biganswer.big. 60 IN A 10.10.10.22 +biganswer.big. 60 IN A 10.10.10.23 +biganswer.big. 60 IN A 10.10.10.24 +biganswer.big. 60 IN A 10.10.10.25 +biganswer.big. 60 IN A 10.10.10.26 +biganswer.big. 60 IN A 10.10.10.27 +biganswer.big. 60 IN A 10.10.10.28 +biganswer.big. 60 IN A 10.10.10.29 +biganswer.big. 60 IN A 10.10.10.30 +biganswer.big. 60 IN A 10.10.10.31 +biganswer.big. 60 IN A 10.10.10.32 +biganswer.big. 60 IN A 10.10.10.33 +biganswer.big. 60 IN A 10.10.10.34 +biganswer.big. 60 IN A 10.10.10.35 +biganswer.big. 60 IN A 10.10.10.36 +biganswer.big. 60 IN A 10.10.10.37 +biganswer.big. 60 IN A 10.10.10.38 +biganswer.big. 60 IN A 10.10.10.39 +biganswer.big. 60 IN A 10.10.10.40 +biganswer.big. 60 IN A 10.10.10.41 +biganswer.big. 60 IN A 10.10.10.42 +biganswer.big. 60 IN A 10.10.10.43 +biganswer.big. 60 IN A 10.10.10.44 +biganswer.big. 60 IN A 10.10.10.45 +biganswer.big. 60 IN A 10.10.10.46 +biganswer.big. 60 IN A 10.10.10.47 +biganswer.big. 60 IN A 10.10.10.48 +biganswer.big. 60 IN A 10.10.10.49 +biganswer.big. 60 IN A 10.10.10.50 +biganswer.big. 60 IN A 10.10.11.1 +biganswer.big. 60 IN A 10.10.11.2 +biganswer.big. 60 IN A 10.10.11.3 +biganswer.big. 60 IN A 10.10.11.4 +biganswer.big. 60 IN A 10.10.11.5 +biganswer.big. 60 IN A 10.10.11.6 +biganswer.big. 60 IN A 10.10.11.7 +biganswer.big. 60 IN A 10.10.11.8 +biganswer.big. 60 IN A 10.10.11.9 +biganswer.big. 60 IN A 10.10.11.10 +biganswer.big. 60 IN A 10.10.11.11 +biganswer.big. 60 IN A 10.10.11.12 +biganswer.big. 60 IN A 10.10.11.13 +biganswer.big. 60 IN A 10.10.11.14 +biganswer.big. 60 IN A 10.10.11.15 +biganswer.big. 60 IN A 10.10.11.16 +biganswer.big. 60 IN A 10.10.11.17 +biganswer.big. 60 IN A 10.10.11.18 +biganswer.big. 60 IN A 10.10.11.19 +biganswer.big. 60 IN A 10.10.11.20 +biganswer.big. 60 IN A 10.10.11.21 +biganswer.big. 60 IN A 10.10.11.22 +biganswer.big. 60 IN A 10.10.11.23 +biganswer.big. 60 IN A 10.10.11.24 +biganswer.big. 60 IN A 10.10.11.25 +biganswer.big. 60 IN A 10.10.11.26 +biganswer.big. 60 IN A 10.10.11.27 +biganswer.big. 60 IN A 10.10.11.28 +biganswer.big. 60 IN A 10.10.11.29 +biganswer.big. 60 IN A 10.10.11.30 +biganswer.big. 60 IN A 10.10.11.31 +biganswer.big. 60 IN A 10.10.11.32 +biganswer.big. 60 IN A 10.10.11.33 +biganswer.big. 60 IN A 10.10.11.34 +biganswer.big. 60 IN A 10.10.11.35 +biganswer.big. 60 IN A 10.10.11.36 +biganswer.big. 60 IN A 10.10.11.37 +biganswer.big. 60 IN A 10.10.11.38 +biganswer.big. 60 IN A 10.10.11.39 +biganswer.big. 60 IN A 10.10.11.40 +biganswer.big. 60 IN A 10.10.11.41 +biganswer.big. 60 IN A 10.10.11.42 +biganswer.big. 60 IN A 10.10.11.43 +biganswer.big. 60 IN A 10.10.11.44 +biganswer.big. 60 IN A 10.10.11.45 +biganswer.big. 60 IN A 10.10.11.46 +biganswer.big. 60 IN A 10.10.11.47 +biganswer.big. 60 IN A 10.10.11.48 +biganswer.big. 60 IN A 10.10.11.49 +biganswer.big. 60 IN A 10.10.11.50 +biganswer.big. 60 IN A 10.10.12.1 +biganswer.big. 60 IN A 10.10.12.2 +biganswer.big. 60 IN A 10.10.12.3 +biganswer.big. 60 IN A 10.10.12.4 +biganswer.big. 60 IN A 10.10.12.5 +biganswer.big. 60 IN A 10.10.12.6 +biganswer.big. 60 IN A 10.10.12.7 +biganswer.big. 60 IN A 10.10.12.8 +biganswer.big. 60 IN A 10.10.12.9 +biganswer.big. 60 IN A 10.10.12.10 +biganswer.big. 60 IN A 10.10.12.11 +biganswer.big. 60 IN A 10.10.12.12 +biganswer.big. 60 IN A 10.10.12.13 +biganswer.big. 60 IN A 10.10.12.14 +biganswer.big. 60 IN A 10.10.12.15 +biganswer.big. 60 IN A 10.10.12.16 +biganswer.big. 60 IN A 10.10.12.17 +biganswer.big. 60 IN A 10.10.12.18 +biganswer.big. 60 IN A 10.10.12.19 +biganswer.big. 60 IN A 10.10.12.20 +biganswer.big. 60 IN A 10.10.12.21 +biganswer.big. 60 IN A 10.10.12.22 +biganswer.big. 60 IN A 10.10.12.23 +biganswer.big. 60 IN A 10.10.12.24 +biganswer.big. 60 IN A 10.10.12.25 +biganswer.big. 60 IN A 10.10.12.26 +biganswer.big. 60 IN A 10.10.12.27 +biganswer.big. 60 IN A 10.10.12.28 +biganswer.big. 60 IN A 10.10.12.29 +biganswer.big. 60 IN A 10.10.12.30 +biganswer.big. 60 IN A 10.10.12.31 +biganswer.big. 60 IN A 10.10.12.32 +biganswer.big. 60 IN A 10.10.12.33 +biganswer.big. 60 IN A 10.10.12.34 +biganswer.big. 60 IN A 10.10.12.35 +biganswer.big. 60 IN A 10.10.12.36 +biganswer.big. 60 IN A 10.10.12.37 +biganswer.big. 60 IN A 10.10.12.38 +biganswer.big. 60 IN A 10.10.12.39 +biganswer.big. 60 IN A 10.10.12.40 +biganswer.big. 60 IN A 10.10.12.41 +biganswer.big. 60 IN A 10.10.12.42 +biganswer.big. 60 IN A 10.10.12.43 +biganswer.big. 60 IN A 10.10.12.44 +biganswer.big. 60 IN A 10.10.12.45 +biganswer.big. 60 IN A 10.10.12.46 +biganswer.big. 60 IN A 10.10.12.47 +biganswer.big. 60 IN A 10.10.12.48 +biganswer.big. 60 IN A 10.10.12.49 +biganswer.big. 60 IN A 10.10.12.50 +biganswer.big. 60 IN A 10.10.13.1 +biganswer.big. 60 IN A 10.10.13.2 +biganswer.big. 60 IN A 10.10.13.3 +biganswer.big. 60 IN A 10.10.13.4 +biganswer.big. 60 IN A 10.10.13.5 +biganswer.big. 60 IN A 10.10.13.6 +biganswer.big. 60 IN A 10.10.13.7 +biganswer.big. 60 IN A 10.10.13.8 +biganswer.big. 60 IN A 10.10.13.9 +biganswer.big. 60 IN A 10.10.13.10 +biganswer.big. 60 IN A 10.10.13.11 +biganswer.big. 60 IN A 10.10.13.12 +biganswer.big. 60 IN A 10.10.13.13 +biganswer.big. 60 IN A 10.10.13.14 +biganswer.big. 60 IN A 10.10.13.15 +biganswer.big. 60 IN A 10.10.13.16 +biganswer.big. 60 IN A 10.10.13.17 +biganswer.big. 60 IN A 10.10.13.18 +biganswer.big. 60 IN A 10.10.13.19 +biganswer.big. 60 IN A 10.10.13.20 +biganswer.big. 60 IN A 10.10.13.21 +biganswer.big. 60 IN A 10.10.13.22 +biganswer.big. 60 IN A 10.10.13.23 +biganswer.big. 60 IN A 10.10.13.24 +biganswer.big. 60 IN A 10.10.13.25 +biganswer.big. 60 IN A 10.10.13.26 +biganswer.big. 60 IN A 10.10.13.27 +biganswer.big. 60 IN A 10.10.13.28 +biganswer.big. 60 IN A 10.10.13.29 +biganswer.big. 60 IN A 10.10.13.30 +biganswer.big. 60 IN A 10.10.13.31 +biganswer.big. 60 IN A 10.10.13.32 +biganswer.big. 60 IN A 10.10.13.33 +biganswer.big. 60 IN A 10.10.13.34 +biganswer.big. 60 IN A 10.10.13.35 +biganswer.big. 60 IN A 10.10.13.36 +biganswer.big. 60 IN A 10.10.13.37 +biganswer.big. 60 IN A 10.10.13.38 +biganswer.big. 60 IN A 10.10.13.39 +biganswer.big. 60 IN A 10.10.13.40 +biganswer.big. 60 IN A 10.10.13.41 +biganswer.big. 60 IN A 10.10.13.42 +biganswer.big. 60 IN A 10.10.13.43 +biganswer.big. 60 IN A 10.10.13.44 +biganswer.big. 60 IN A 10.10.13.45 +biganswer.big. 60 IN A 10.10.13.46 +biganswer.big. 60 IN A 10.10.13.47 +biganswer.big. 60 IN A 10.10.13.48 +biganswer.big. 60 IN A 10.10.13.49 +biganswer.big. 60 IN A 10.10.13.50 +biganswer.big. 60 IN A 10.10.14.1 +biganswer.big. 60 IN A 10.10.14.2 +biganswer.big. 60 IN A 10.10.14.3 +biganswer.big. 60 IN A 10.10.14.4 +biganswer.big. 60 IN A 10.10.14.5 +biganswer.big. 60 IN A 10.10.14.6 +biganswer.big. 60 IN A 10.10.14.7 +biganswer.big. 60 IN A 10.10.14.8 +biganswer.big. 60 IN A 10.10.14.9 +biganswer.big. 60 IN A 10.10.14.10 +biganswer.big. 60 IN A 10.10.14.11 +biganswer.big. 60 IN A 10.10.14.12 +biganswer.big. 60 IN A 10.10.14.13 +biganswer.big. 60 IN A 10.10.14.14 +biganswer.big. 60 IN A 10.10.14.15 +biganswer.big. 60 IN A 10.10.14.16 +biganswer.big. 60 IN A 10.10.14.17 +biganswer.big. 60 IN A 10.10.14.18 +biganswer.big. 60 IN A 10.10.14.19 +biganswer.big. 60 IN A 10.10.14.20 +biganswer.big. 60 IN A 10.10.14.21 +biganswer.big. 60 IN A 10.10.14.22 +biganswer.big. 60 IN A 10.10.14.23 +biganswer.big. 60 IN A 10.10.14.24 +biganswer.big. 60 IN A 10.10.14.25 +biganswer.big. 60 IN A 10.10.14.26 +biganswer.big. 60 IN A 10.10.14.27 +biganswer.big. 60 IN A 10.10.14.28 +biganswer.big. 60 IN A 10.10.14.29 +biganswer.big. 60 IN A 10.10.14.30 +biganswer.big. 60 IN A 10.10.14.31 +biganswer.big. 60 IN A 10.10.14.32 +biganswer.big. 60 IN A 10.10.14.33 +biganswer.big. 60 IN A 10.10.14.34 +biganswer.big. 60 IN A 10.10.14.35 +biganswer.big. 60 IN A 10.10.14.36 +biganswer.big. 60 IN A 10.10.14.37 +biganswer.big. 60 IN A 10.10.14.38 +biganswer.big. 60 IN A 10.10.14.39 +biganswer.big. 60 IN A 10.10.14.40 +biganswer.big. 60 IN A 10.10.14.41 +biganswer.big. 60 IN A 10.10.14.42 +biganswer.big. 60 IN A 10.10.14.43 +biganswer.big. 60 IN A 10.10.14.44 +biganswer.big. 60 IN A 10.10.14.45 +biganswer.big. 60 IN A 10.10.14.46 +biganswer.big. 60 IN A 10.10.14.47 +biganswer.big. 60 IN A 10.10.14.48 +biganswer.big. 60 IN A 10.10.14.49 +biganswer.big. 60 IN A 10.10.14.50 +biganswer.big. 60 IN A 10.10.15.1 +biganswer.big. 60 IN A 10.10.15.2 +biganswer.big. 60 IN A 10.10.15.3 +biganswer.big. 60 IN A 10.10.15.4 +biganswer.big. 60 IN A 10.10.15.5 +biganswer.big. 60 IN A 10.10.15.6 +biganswer.big. 60 IN A 10.10.15.7 +biganswer.big. 60 IN A 10.10.15.8 +biganswer.big. 60 IN A 10.10.15.9 +biganswer.big. 60 IN A 10.10.15.10 +biganswer.big. 60 IN A 10.10.15.11 +biganswer.big. 60 IN A 10.10.15.12 +biganswer.big. 60 IN A 10.10.15.13 +biganswer.big. 60 IN A 10.10.15.14 +biganswer.big. 60 IN A 10.10.15.15 +biganswer.big. 60 IN A 10.10.15.16 +biganswer.big. 60 IN A 10.10.15.17 +biganswer.big. 60 IN A 10.10.15.18 +biganswer.big. 60 IN A 10.10.15.19 +biganswer.big. 60 IN A 10.10.15.20 +biganswer.big. 60 IN A 10.10.15.21 +biganswer.big. 60 IN A 10.10.15.22 +biganswer.big. 60 IN A 10.10.15.23 +biganswer.big. 60 IN A 10.10.15.24 +biganswer.big. 60 IN A 10.10.15.25 +biganswer.big. 60 IN A 10.10.15.26 +biganswer.big. 60 IN A 10.10.15.27 +biganswer.big. 60 IN A 10.10.15.28 +biganswer.big. 60 IN A 10.10.15.29 +biganswer.big. 60 IN A 10.10.15.30 +biganswer.big. 60 IN A 10.10.15.31 +biganswer.big. 60 IN A 10.10.15.32 +biganswer.big. 60 IN A 10.10.15.33 +biganswer.big. 60 IN A 10.10.15.34 +biganswer.big. 60 IN A 10.10.15.35 +biganswer.big. 60 IN A 10.10.15.36 +biganswer.big. 60 IN A 10.10.15.37 +biganswer.big. 60 IN A 10.10.15.38 +biganswer.big. 60 IN A 10.10.15.39 +biganswer.big. 60 IN A 10.10.15.40 +biganswer.big. 60 IN A 10.10.15.41 +biganswer.big. 60 IN A 10.10.15.42 +biganswer.big. 60 IN A 10.10.15.43 +biganswer.big. 60 IN A 10.10.15.44 +biganswer.big. 60 IN A 10.10.15.45 +biganswer.big. 60 IN A 10.10.15.46 +biganswer.big. 60 IN A 10.10.15.47 +biganswer.big. 60 IN A 10.10.15.48 +biganswer.big. 60 IN A 10.10.15.49 +biganswer.big. 60 IN A 10.10.15.50 +biganswer.big. 60 IN A 10.10.16.1 +biganswer.big. 60 IN A 10.10.16.2 +biganswer.big. 60 IN A 10.10.16.3 +biganswer.big. 60 IN A 10.10.16.4 +biganswer.big. 60 IN A 10.10.16.5 +biganswer.big. 60 IN A 10.10.16.6 +biganswer.big. 60 IN A 10.10.16.7 +biganswer.big. 60 IN A 10.10.16.8 +biganswer.big. 60 IN A 10.10.16.9 +biganswer.big. 60 IN A 10.10.16.10 +biganswer.big. 60 IN A 10.10.16.11 +biganswer.big. 60 IN A 10.10.16.12 +biganswer.big. 60 IN A 10.10.16.13 +biganswer.big. 60 IN A 10.10.16.14 +biganswer.big. 60 IN A 10.10.16.15 +biganswer.big. 60 IN A 10.10.16.16 +biganswer.big. 60 IN A 10.10.16.17 +biganswer.big. 60 IN A 10.10.16.18 +biganswer.big. 60 IN A 10.10.16.19 +biganswer.big. 60 IN A 10.10.16.20 +biganswer.big. 60 IN A 10.10.16.21 +biganswer.big. 60 IN A 10.10.16.22 +biganswer.big. 60 IN A 10.10.16.23 +biganswer.big. 60 IN A 10.10.16.24 +biganswer.big. 60 IN A 10.10.16.25 +biganswer.big. 60 IN A 10.10.16.26 +biganswer.big. 60 IN A 10.10.16.27 +biganswer.big. 60 IN A 10.10.16.28 +biganswer.big. 60 IN A 10.10.16.29 +biganswer.big. 60 IN A 10.10.16.30 +biganswer.big. 60 IN A 10.10.16.31 +biganswer.big. 60 IN A 10.10.16.32 +biganswer.big. 60 IN A 10.10.16.33 +biganswer.big. 60 IN A 10.10.16.34 +biganswer.big. 60 IN A 10.10.16.35 +biganswer.big. 60 IN A 10.10.16.36 +biganswer.big. 60 IN A 10.10.16.37 +biganswer.big. 60 IN A 10.10.16.38 +biganswer.big. 60 IN A 10.10.16.39 +biganswer.big. 60 IN A 10.10.16.40 +biganswer.big. 60 IN A 10.10.16.41 +biganswer.big. 60 IN A 10.10.16.42 +biganswer.big. 60 IN A 10.10.16.43 +biganswer.big. 60 IN A 10.10.16.44 +biganswer.big. 60 IN A 10.10.16.45 +biganswer.big. 60 IN A 10.10.16.46 +biganswer.big. 60 IN A 10.10.16.47 +biganswer.big. 60 IN A 10.10.16.48 +biganswer.big. 60 IN A 10.10.16.49 +biganswer.big. 60 IN A 10.10.16.50 +biganswer.big. 60 IN A 10.10.17.1 +biganswer.big. 60 IN A 10.10.17.2 +biganswer.big. 60 IN A 10.10.17.3 +biganswer.big. 60 IN A 10.10.17.4 +biganswer.big. 60 IN A 10.10.17.5 +biganswer.big. 60 IN A 10.10.17.6 +biganswer.big. 60 IN A 10.10.17.7 +biganswer.big. 60 IN A 10.10.17.8 +biganswer.big. 60 IN A 10.10.17.9 +biganswer.big. 60 IN A 10.10.17.10 +biganswer.big. 60 IN A 10.10.17.11 +biganswer.big. 60 IN A 10.10.17.12 +biganswer.big. 60 IN A 10.10.17.13 +biganswer.big. 60 IN A 10.10.17.14 +biganswer.big. 60 IN A 10.10.17.15 +biganswer.big. 60 IN A 10.10.17.16 +biganswer.big. 60 IN A 10.10.17.17 +biganswer.big. 60 IN A 10.10.17.18 +biganswer.big. 60 IN A 10.10.17.19 +biganswer.big. 60 IN A 10.10.17.20 +biganswer.big. 60 IN A 10.10.17.21 +biganswer.big. 60 IN A 10.10.17.22 +biganswer.big. 60 IN A 10.10.17.23 +biganswer.big. 60 IN A 10.10.17.24 +biganswer.big. 60 IN A 10.10.17.25 +biganswer.big. 60 IN A 10.10.17.26 +biganswer.big. 60 IN A 10.10.17.27 +biganswer.big. 60 IN A 10.10.17.28 +biganswer.big. 60 IN A 10.10.17.29 +biganswer.big. 60 IN A 10.10.17.30 +biganswer.big. 60 IN A 10.10.17.31 +biganswer.big. 60 IN A 10.10.17.32 +biganswer.big. 60 IN A 10.10.17.33 +biganswer.big. 60 IN A 10.10.17.34 +biganswer.big. 60 IN A 10.10.17.35 +biganswer.big. 60 IN A 10.10.17.36 +biganswer.big. 60 IN A 10.10.17.37 +biganswer.big. 60 IN A 10.10.17.38 +biganswer.big. 60 IN A 10.10.17.39 +biganswer.big. 60 IN A 10.10.17.40 +biganswer.big. 60 IN A 10.10.17.41 +biganswer.big. 60 IN A 10.10.17.42 +biganswer.big. 60 IN A 10.10.17.43 +biganswer.big. 60 IN A 10.10.17.44 +biganswer.big. 60 IN A 10.10.17.45 +biganswer.big. 60 IN A 10.10.17.46 +biganswer.big. 60 IN A 10.10.17.47 +biganswer.big. 60 IN A 10.10.17.48 +biganswer.big. 60 IN A 10.10.17.49 +biganswer.big. 60 IN A 10.10.17.50 +biganswer.big. 60 IN A 10.10.18.1 +biganswer.big. 60 IN A 10.10.18.2 +biganswer.big. 60 IN A 10.10.18.3 +biganswer.big. 60 IN A 10.10.18.4 +biganswer.big. 60 IN A 10.10.18.5 +biganswer.big. 60 IN A 10.10.18.6 +biganswer.big. 60 IN A 10.10.18.7 +biganswer.big. 60 IN A 10.10.18.8 +biganswer.big. 60 IN A 10.10.18.9 +biganswer.big. 60 IN A 10.10.18.10 +biganswer.big. 60 IN A 10.10.18.11 +biganswer.big. 60 IN A 10.10.18.12 +biganswer.big. 60 IN A 10.10.18.13 +biganswer.big. 60 IN A 10.10.18.14 +biganswer.big. 60 IN A 10.10.18.15 +biganswer.big. 60 IN A 10.10.18.16 +biganswer.big. 60 IN A 10.10.18.17 +biganswer.big. 60 IN A 10.10.18.18 +biganswer.big. 60 IN A 10.10.18.19 +biganswer.big. 60 IN A 10.10.18.20 +biganswer.big. 60 IN A 10.10.18.21 +biganswer.big. 60 IN A 10.10.18.22 +biganswer.big. 60 IN A 10.10.18.23 +biganswer.big. 60 IN A 10.10.18.24 +biganswer.big. 60 IN A 10.10.18.25 +biganswer.big. 60 IN A 10.10.18.26 +biganswer.big. 60 IN A 10.10.18.27 +biganswer.big. 60 IN A 10.10.18.28 +biganswer.big. 60 IN A 10.10.18.29 +biganswer.big. 60 IN A 10.10.18.30 +biganswer.big. 60 IN A 10.10.18.31 +biganswer.big. 60 IN A 10.10.18.32 +biganswer.big. 60 IN A 10.10.18.33 +biganswer.big. 60 IN A 10.10.18.34 +biganswer.big. 60 IN A 10.10.18.35 +biganswer.big. 60 IN A 10.10.18.36 +biganswer.big. 60 IN A 10.10.18.37 +biganswer.big. 60 IN A 10.10.18.38 +biganswer.big. 60 IN A 10.10.18.39 +biganswer.big. 60 IN A 10.10.18.40 +biganswer.big. 60 IN A 10.10.18.41 +biganswer.big. 60 IN A 10.10.18.42 +biganswer.big. 60 IN A 10.10.18.43 +biganswer.big. 60 IN A 10.10.18.44 +biganswer.big. 60 IN A 10.10.18.45 +biganswer.big. 60 IN A 10.10.18.46 +biganswer.big. 60 IN A 10.10.18.47 +biganswer.big. 60 IN A 10.10.18.48 +biganswer.big. 60 IN A 10.10.18.49 +biganswer.big. 60 IN A 10.10.18.50 +biganswer.big. 60 IN A 10.10.19.1 +biganswer.big. 60 IN A 10.10.19.2 +biganswer.big. 60 IN A 10.10.19.3 +biganswer.big. 60 IN A 10.10.19.4 +biganswer.big. 60 IN A 10.10.19.5 +biganswer.big. 60 IN A 10.10.19.6 +biganswer.big. 60 IN A 10.10.19.7 +biganswer.big. 60 IN A 10.10.19.8 +biganswer.big. 60 IN A 10.10.19.9 +biganswer.big. 60 IN A 10.10.19.10 +biganswer.big. 60 IN A 10.10.19.11 +biganswer.big. 60 IN A 10.10.19.12 +biganswer.big. 60 IN A 10.10.19.13 +biganswer.big. 60 IN A 10.10.19.14 +biganswer.big. 60 IN A 10.10.19.15 +biganswer.big. 60 IN A 10.10.19.16 +biganswer.big. 60 IN A 10.10.19.17 +biganswer.big. 60 IN A 10.10.19.18 +biganswer.big. 60 IN A 10.10.19.19 +biganswer.big. 60 IN A 10.10.19.20 +biganswer.big. 60 IN A 10.10.19.21 +biganswer.big. 60 IN A 10.10.19.22 +biganswer.big. 60 IN A 10.10.19.23 +biganswer.big. 60 IN A 10.10.19.24 +biganswer.big. 60 IN A 10.10.19.25 +biganswer.big. 60 IN A 10.10.19.26 +biganswer.big. 60 IN A 10.10.19.27 +biganswer.big. 60 IN A 10.10.19.28 +biganswer.big. 60 IN A 10.10.19.29 +biganswer.big. 60 IN A 10.10.19.30 +biganswer.big. 60 IN A 10.10.19.31 +biganswer.big. 60 IN A 10.10.19.32 +biganswer.big. 60 IN A 10.10.19.33 +biganswer.big. 60 IN A 10.10.19.34 +biganswer.big. 60 IN A 10.10.19.35 +biganswer.big. 60 IN A 10.10.19.36 +biganswer.big. 60 IN A 10.10.19.37 +biganswer.big. 60 IN A 10.10.19.38 +biganswer.big. 60 IN A 10.10.19.39 +biganswer.big. 60 IN A 10.10.19.40 +biganswer.big. 60 IN A 10.10.19.41 +biganswer.big. 60 IN A 10.10.19.42 +biganswer.big. 60 IN A 10.10.19.43 +biganswer.big. 60 IN A 10.10.19.44 +biganswer.big. 60 IN A 10.10.19.45 +biganswer.big. 60 IN A 10.10.19.46 +biganswer.big. 60 IN A 10.10.19.47 +biganswer.big. 60 IN A 10.10.19.48 +biganswer.big. 60 IN A 10.10.19.49 +biganswer.big. 60 IN A 10.10.19.50 +biganswer.big. 60 IN A 10.10.20.1 +biganswer.big. 60 IN A 10.10.20.2 +biganswer.big. 60 IN A 10.10.20.3 +biganswer.big. 60 IN A 10.10.20.4 +biganswer.big. 60 IN A 10.10.20.5 +biganswer.big. 60 IN A 10.10.20.6 +biganswer.big. 60 IN A 10.10.20.7 +biganswer.big. 60 IN A 10.10.20.8 +biganswer.big. 60 IN A 10.10.20.9 +biganswer.big. 60 IN A 10.10.20.10 +biganswer.big. 60 IN A 10.10.20.11 +biganswer.big. 60 IN A 10.10.20.12 +biganswer.big. 60 IN A 10.10.20.13 +biganswer.big. 60 IN A 10.10.20.14 +biganswer.big. 60 IN A 10.10.20.15 +biganswer.big. 60 IN A 10.10.20.16 +biganswer.big. 60 IN A 10.10.20.17 +biganswer.big. 60 IN A 10.10.20.18 +biganswer.big. 60 IN A 10.10.20.19 +biganswer.big. 60 IN A 10.10.20.20 +biganswer.big. 60 IN A 10.10.20.21 +biganswer.big. 60 IN A 10.10.20.22 +biganswer.big. 60 IN A 10.10.20.23 +biganswer.big. 60 IN A 10.10.20.24 +biganswer.big. 60 IN A 10.10.20.25 +biganswer.big. 60 IN A 10.10.20.26 +biganswer.big. 60 IN A 10.10.20.27 +biganswer.big. 60 IN A 10.10.20.28 +biganswer.big. 60 IN A 10.10.20.29 +biganswer.big. 60 IN A 10.10.20.30 +biganswer.big. 60 IN A 10.10.20.31 +biganswer.big. 60 IN A 10.10.20.32 +biganswer.big. 60 IN A 10.10.20.33 +biganswer.big. 60 IN A 10.10.20.34 +biganswer.big. 60 IN A 10.10.20.35 +biganswer.big. 60 IN A 10.10.20.36 +biganswer.big. 60 IN A 10.10.20.37 +biganswer.big. 60 IN A 10.10.20.38 +biganswer.big. 60 IN A 10.10.20.39 +biganswer.big. 60 IN A 10.10.20.40 +biganswer.big. 60 IN A 10.10.20.41 +biganswer.big. 60 IN A 10.10.20.42 +biganswer.big. 60 IN A 10.10.20.43 +biganswer.big. 60 IN A 10.10.20.44 +biganswer.big. 60 IN A 10.10.20.45 +biganswer.big. 60 IN A 10.10.20.46 +biganswer.big. 60 IN A 10.10.20.47 +biganswer.big. 60 IN A 10.10.20.48 +biganswer.big. 60 IN A 10.10.20.49 +biganswer.big. 60 IN A 10.10.20.50 +biganswer.big. 60 IN A 10.10.21.1 +biganswer.big. 60 IN A 10.10.21.2 +biganswer.big. 60 IN A 10.10.21.3 +biganswer.big. 60 IN A 10.10.21.4 +biganswer.big. 60 IN A 10.10.21.5 +biganswer.big. 60 IN A 10.10.21.6 +biganswer.big. 60 IN A 10.10.21.7 +biganswer.big. 60 IN A 10.10.21.8 +biganswer.big. 60 IN A 10.10.21.9 +biganswer.big. 60 IN A 10.10.21.10 +biganswer.big. 60 IN A 10.10.21.11 +biganswer.big. 60 IN A 10.10.21.12 +biganswer.big. 60 IN A 10.10.21.13 +biganswer.big. 60 IN A 10.10.21.14 +biganswer.big. 60 IN A 10.10.21.15 +biganswer.big. 60 IN A 10.10.21.16 +biganswer.big. 60 IN A 10.10.21.17 +biganswer.big. 60 IN A 10.10.21.18 +biganswer.big. 60 IN A 10.10.21.19 +biganswer.big. 60 IN A 10.10.21.20 +biganswer.big. 60 IN A 10.10.21.21 +biganswer.big. 60 IN A 10.10.21.22 +biganswer.big. 60 IN A 10.10.21.23 +biganswer.big. 60 IN A 10.10.21.24 +biganswer.big. 60 IN A 10.10.21.25 +biganswer.big. 60 IN A 10.10.21.26 +biganswer.big. 60 IN A 10.10.21.27 +biganswer.big. 60 IN A 10.10.21.28 +biganswer.big. 60 IN A 10.10.21.29 +biganswer.big. 60 IN A 10.10.21.30 +biganswer.big. 60 IN A 10.10.21.31 +biganswer.big. 60 IN A 10.10.21.32 +biganswer.big. 60 IN A 10.10.21.33 +biganswer.big. 60 IN A 10.10.21.34 +biganswer.big. 60 IN A 10.10.21.35 +biganswer.big. 60 IN A 10.10.21.36 +biganswer.big. 60 IN A 10.10.21.37 +biganswer.big. 60 IN A 10.10.21.38 +biganswer.big. 60 IN A 10.10.21.39 +biganswer.big. 60 IN A 10.10.21.40 +biganswer.big. 60 IN A 10.10.21.41 +biganswer.big. 60 IN A 10.10.21.42 +biganswer.big. 60 IN A 10.10.21.43 +biganswer.big. 60 IN A 10.10.21.44 +biganswer.big. 60 IN A 10.10.21.45 +biganswer.big. 60 IN A 10.10.21.46 +biganswer.big. 60 IN A 10.10.21.47 +biganswer.big. 60 IN A 10.10.21.48 +biganswer.big. 60 IN A 10.10.21.49 +biganswer.big. 60 IN A 10.10.21.50 +biganswer.big. 60 IN A 10.10.22.1 +biganswer.big. 60 IN A 10.10.22.2 +biganswer.big. 60 IN A 10.10.22.3 +biganswer.big. 60 IN A 10.10.22.4 +biganswer.big. 60 IN A 10.10.22.5 +biganswer.big. 60 IN A 10.10.22.6 +biganswer.big. 60 IN A 10.10.22.7 +biganswer.big. 60 IN A 10.10.22.8 +biganswer.big. 60 IN A 10.10.22.9 +biganswer.big. 60 IN A 10.10.22.10 +biganswer.big. 60 IN A 10.10.22.11 +biganswer.big. 60 IN A 10.10.22.12 +biganswer.big. 60 IN A 10.10.22.13 +biganswer.big. 60 IN A 10.10.22.14 +biganswer.big. 60 IN A 10.10.22.15 +biganswer.big. 60 IN A 10.10.22.16 +biganswer.big. 60 IN A 10.10.22.17 +biganswer.big. 60 IN A 10.10.22.18 +biganswer.big. 60 IN A 10.10.22.19 +biganswer.big. 60 IN A 10.10.22.20 +biganswer.big. 60 IN A 10.10.22.21 +biganswer.big. 60 IN A 10.10.22.22 +biganswer.big. 60 IN A 10.10.22.23 +biganswer.big. 60 IN A 10.10.22.24 +biganswer.big. 60 IN A 10.10.22.25 +biganswer.big. 60 IN A 10.10.22.26 +biganswer.big. 60 IN A 10.10.22.27 +biganswer.big. 60 IN A 10.10.22.28 +biganswer.big. 60 IN A 10.10.22.29 +biganswer.big. 60 IN A 10.10.22.30 +biganswer.big. 60 IN A 10.10.22.31 +biganswer.big. 60 IN A 10.10.22.32 +biganswer.big. 60 IN A 10.10.22.33 +biganswer.big. 60 IN A 10.10.22.34 +biganswer.big. 60 IN A 10.10.22.35 +biganswer.big. 60 IN A 10.10.22.36 +biganswer.big. 60 IN A 10.10.22.37 +biganswer.big. 60 IN A 10.10.22.38 +biganswer.big. 60 IN A 10.10.22.39 +biganswer.big. 60 IN A 10.10.22.40 +biganswer.big. 60 IN A 10.10.22.41 +biganswer.big. 60 IN A 10.10.22.42 +biganswer.big. 60 IN A 10.10.22.43 +biganswer.big. 60 IN A 10.10.22.44 +biganswer.big. 60 IN A 10.10.22.45 +biganswer.big. 60 IN A 10.10.22.46 +biganswer.big. 60 IN A 10.10.22.47 +biganswer.big. 60 IN A 10.10.22.48 +biganswer.big. 60 IN A 10.10.22.49 +biganswer.big. 60 IN A 10.10.22.50 +biganswer.big. 60 IN A 10.10.23.1 +biganswer.big. 60 IN A 10.10.23.2 +biganswer.big. 60 IN A 10.10.23.3 +biganswer.big. 60 IN A 10.10.23.4 +biganswer.big. 60 IN A 10.10.23.5 +biganswer.big. 60 IN A 10.10.23.6 +biganswer.big. 60 IN A 10.10.23.7 +biganswer.big. 60 IN A 10.10.23.8 +biganswer.big. 60 IN A 10.10.23.9 +biganswer.big. 60 IN A 10.10.23.10 +biganswer.big. 60 IN A 10.10.23.11 +biganswer.big. 60 IN A 10.10.23.12 +biganswer.big. 60 IN A 10.10.23.13 +biganswer.big. 60 IN A 10.10.23.14 +biganswer.big. 60 IN A 10.10.23.15 +biganswer.big. 60 IN A 10.10.23.16 +biganswer.big. 60 IN A 10.10.23.17 +biganswer.big. 60 IN A 10.10.23.18 +biganswer.big. 60 IN A 10.10.23.19 +biganswer.big. 60 IN A 10.10.23.20 +biganswer.big. 60 IN A 10.10.23.21 +biganswer.big. 60 IN A 10.10.23.22 +biganswer.big. 60 IN A 10.10.23.23 +biganswer.big. 60 IN A 10.10.23.24 +biganswer.big. 60 IN A 10.10.23.25 +biganswer.big. 60 IN A 10.10.23.26 +biganswer.big. 60 IN A 10.10.23.27 +biganswer.big. 60 IN A 10.10.23.28 +biganswer.big. 60 IN A 10.10.23.29 +biganswer.big. 60 IN A 10.10.23.30 +biganswer.big. 60 IN A 10.10.23.31 +biganswer.big. 60 IN A 10.10.23.32 +biganswer.big. 60 IN A 10.10.23.33 +biganswer.big. 60 IN A 10.10.23.34 +biganswer.big. 60 IN A 10.10.23.35 +biganswer.big. 60 IN A 10.10.23.36 +biganswer.big. 60 IN A 10.10.23.37 +biganswer.big. 60 IN A 10.10.23.38 +biganswer.big. 60 IN A 10.10.23.39 +biganswer.big. 60 IN A 10.10.23.40 +biganswer.big. 60 IN A 10.10.23.41 +biganswer.big. 60 IN A 10.10.23.42 +biganswer.big. 60 IN A 10.10.23.43 +biganswer.big. 60 IN A 10.10.23.44 +biganswer.big. 60 IN A 10.10.23.45 +biganswer.big. 60 IN A 10.10.23.46 +biganswer.big. 60 IN A 10.10.23.47 +biganswer.big. 60 IN A 10.10.23.48 +biganswer.big. 60 IN A 10.10.23.49 +biganswer.big. 60 IN A 10.10.23.50 +biganswer.big. 60 IN A 10.10.24.1 +biganswer.big. 60 IN A 10.10.24.2 +biganswer.big. 60 IN A 10.10.24.3 +biganswer.big. 60 IN A 10.10.24.4 +biganswer.big. 60 IN A 10.10.24.5 +biganswer.big. 60 IN A 10.10.24.6 +biganswer.big. 60 IN A 10.10.24.7 +biganswer.big. 60 IN A 10.10.24.8 +biganswer.big. 60 IN A 10.10.24.9 +biganswer.big. 60 IN A 10.10.24.10 +biganswer.big. 60 IN A 10.10.24.11 +biganswer.big. 60 IN A 10.10.24.12 +biganswer.big. 60 IN A 10.10.24.13 +biganswer.big. 60 IN A 10.10.24.14 +biganswer.big. 60 IN A 10.10.24.15 +biganswer.big. 60 IN A 10.10.24.16 +biganswer.big. 60 IN A 10.10.24.17 +biganswer.big. 60 IN A 10.10.24.18 +biganswer.big. 60 IN A 10.10.24.19 +biganswer.big. 60 IN A 10.10.24.20 +biganswer.big. 60 IN A 10.10.24.21 +biganswer.big. 60 IN A 10.10.24.22 +biganswer.big. 60 IN A 10.10.24.23 +biganswer.big. 60 IN A 10.10.24.24 +biganswer.big. 60 IN A 10.10.24.25 +biganswer.big. 60 IN A 10.10.24.26 +biganswer.big. 60 IN A 10.10.24.27 +biganswer.big. 60 IN A 10.10.24.28 +biganswer.big. 60 IN A 10.10.24.29 +biganswer.big. 60 IN A 10.10.24.30 +biganswer.big. 60 IN A 10.10.24.31 +biganswer.big. 60 IN A 10.10.24.32 +biganswer.big. 60 IN A 10.10.24.33 +biganswer.big. 60 IN A 10.10.24.34 +biganswer.big. 60 IN A 10.10.24.35 +biganswer.big. 60 IN A 10.10.24.36 +biganswer.big. 60 IN A 10.10.24.37 +biganswer.big. 60 IN A 10.10.24.38 +biganswer.big. 60 IN A 10.10.24.39 +biganswer.big. 60 IN A 10.10.24.40 +biganswer.big. 60 IN A 10.10.24.41 +biganswer.big. 60 IN A 10.10.24.42 +biganswer.big. 60 IN A 10.10.24.43 +biganswer.big. 60 IN A 10.10.24.44 +biganswer.big. 60 IN A 10.10.24.45 +biganswer.big. 60 IN A 10.10.24.46 +biganswer.big. 60 IN A 10.10.24.47 +biganswer.big. 60 IN A 10.10.24.48 +biganswer.big. 60 IN A 10.10.24.49 +biganswer.big. 60 IN A 10.10.24.50 +biganswer.big. 60 IN A 10.10.25.1 +biganswer.big. 60 IN A 10.10.25.2 +biganswer.big. 60 IN A 10.10.25.3 +biganswer.big. 60 IN A 10.10.25.4 +biganswer.big. 60 IN A 10.10.25.5 +biganswer.big. 60 IN A 10.10.25.6 +biganswer.big. 60 IN A 10.10.25.7 +biganswer.big. 60 IN A 10.10.25.8 +biganswer.big. 60 IN A 10.10.25.9 +biganswer.big. 60 IN A 10.10.25.10 +biganswer.big. 60 IN A 10.10.25.11 +biganswer.big. 60 IN A 10.10.25.12 +biganswer.big. 60 IN A 10.10.25.13 +biganswer.big. 60 IN A 10.10.25.14 +biganswer.big. 60 IN A 10.10.25.15 +biganswer.big. 60 IN A 10.10.25.16 +biganswer.big. 60 IN A 10.10.25.17 +biganswer.big. 60 IN A 10.10.25.18 +biganswer.big. 60 IN A 10.10.25.19 +biganswer.big. 60 IN A 10.10.25.20 +biganswer.big. 60 IN A 10.10.25.21 +biganswer.big. 60 IN A 10.10.25.22 +biganswer.big. 60 IN A 10.10.25.23 +biganswer.big. 60 IN A 10.10.25.24 +biganswer.big. 60 IN A 10.10.25.25 +biganswer.big. 60 IN A 10.10.25.26 +biganswer.big. 60 IN A 10.10.25.27 +biganswer.big. 60 IN A 10.10.25.28 +biganswer.big. 60 IN A 10.10.25.29 +biganswer.big. 60 IN A 10.10.25.30 +biganswer.big. 60 IN A 10.10.25.31 +biganswer.big. 60 IN A 10.10.25.32 +biganswer.big. 60 IN A 10.10.25.33 +biganswer.big. 60 IN A 10.10.25.34 +biganswer.big. 60 IN A 10.10.25.35 +biganswer.big. 60 IN A 10.10.25.36 +biganswer.big. 60 IN A 10.10.25.37 +biganswer.big. 60 IN A 10.10.25.38 +biganswer.big. 60 IN A 10.10.25.39 +biganswer.big. 60 IN A 10.10.25.40 +biganswer.big. 60 IN A 10.10.25.41 +biganswer.big. 60 IN A 10.10.25.42 +biganswer.big. 60 IN A 10.10.25.43 +biganswer.big. 60 IN A 10.10.25.44 +biganswer.big. 60 IN A 10.10.25.45 +biganswer.big. 60 IN A 10.10.25.46 +biganswer.big. 60 IN A 10.10.25.47 +biganswer.big. 60 IN A 10.10.25.48 +biganswer.big. 60 IN A 10.10.25.49 +biganswer.big. 60 IN A 10.10.25.50 +biganswer.big. 60 IN A 10.10.26.1 +biganswer.big. 60 IN A 10.10.26.2 +biganswer.big. 60 IN A 10.10.26.3 +biganswer.big. 60 IN A 10.10.26.4 +biganswer.big. 60 IN A 10.10.26.5 +biganswer.big. 60 IN A 10.10.26.6 +biganswer.big. 60 IN A 10.10.26.7 +biganswer.big. 60 IN A 10.10.26.8 +biganswer.big. 60 IN A 10.10.26.9 +biganswer.big. 60 IN A 10.10.26.10 +biganswer.big. 60 IN A 10.10.26.11 +biganswer.big. 60 IN A 10.10.26.12 +biganswer.big. 60 IN A 10.10.26.13 +biganswer.big. 60 IN A 10.10.26.14 +biganswer.big. 60 IN A 10.10.26.15 +biganswer.big. 60 IN A 10.10.26.16 +biganswer.big. 60 IN A 10.10.26.17 +biganswer.big. 60 IN A 10.10.26.18 +biganswer.big. 60 IN A 10.10.26.19 +biganswer.big. 60 IN A 10.10.26.20 +biganswer.big. 60 IN A 10.10.26.21 +biganswer.big. 60 IN A 10.10.26.22 +biganswer.big. 60 IN A 10.10.26.23 +biganswer.big. 60 IN A 10.10.26.24 +biganswer.big. 60 IN A 10.10.26.25 +biganswer.big. 60 IN A 10.10.26.26 +biganswer.big. 60 IN A 10.10.26.27 +biganswer.big. 60 IN A 10.10.26.28 +biganswer.big. 60 IN A 10.10.26.29 +biganswer.big. 60 IN A 10.10.26.30 +biganswer.big. 60 IN A 10.10.26.31 +biganswer.big. 60 IN A 10.10.26.32 +biganswer.big. 60 IN A 10.10.26.33 +biganswer.big. 60 IN A 10.10.26.34 +biganswer.big. 60 IN A 10.10.26.35 +biganswer.big. 60 IN A 10.10.26.36 +biganswer.big. 60 IN A 10.10.26.37 +biganswer.big. 60 IN A 10.10.26.38 +biganswer.big. 60 IN A 10.10.26.39 +biganswer.big. 60 IN A 10.10.26.40 +biganswer.big. 60 IN A 10.10.26.41 +biganswer.big. 60 IN A 10.10.26.42 +biganswer.big. 60 IN A 10.10.26.43 +biganswer.big. 60 IN A 10.10.26.44 +biganswer.big. 60 IN A 10.10.26.45 +biganswer.big. 60 IN A 10.10.26.46 +biganswer.big. 60 IN A 10.10.26.47 +biganswer.big. 60 IN A 10.10.26.48 +biganswer.big. 60 IN A 10.10.26.49 +biganswer.big. 60 IN A 10.10.26.50 +biganswer.big. 60 IN A 10.10.27.1 +biganswer.big. 60 IN A 10.10.27.2 +biganswer.big. 60 IN A 10.10.27.3 +biganswer.big. 60 IN A 10.10.27.4 +biganswer.big. 60 IN A 10.10.27.5 +biganswer.big. 60 IN A 10.10.27.6 +biganswer.big. 60 IN A 10.10.27.7 +biganswer.big. 60 IN A 10.10.27.8 +biganswer.big. 60 IN A 10.10.27.9 +biganswer.big. 60 IN A 10.10.27.10 +biganswer.big. 60 IN A 10.10.27.11 +biganswer.big. 60 IN A 10.10.27.12 +biganswer.big. 60 IN A 10.10.27.13 +biganswer.big. 60 IN A 10.10.27.14 +biganswer.big. 60 IN A 10.10.27.15 +biganswer.big. 60 IN A 10.10.27.16 +biganswer.big. 60 IN A 10.10.27.17 +biganswer.big. 60 IN A 10.10.27.18 +biganswer.big. 60 IN A 10.10.27.19 +biganswer.big. 60 IN A 10.10.27.20 +biganswer.big. 60 IN A 10.10.27.21 +biganswer.big. 60 IN A 10.10.27.22 +biganswer.big. 60 IN A 10.10.27.23 +biganswer.big. 60 IN A 10.10.27.24 +biganswer.big. 60 IN A 10.10.27.25 +biganswer.big. 60 IN A 10.10.27.26 +biganswer.big. 60 IN A 10.10.27.27 +biganswer.big. 60 IN A 10.10.27.28 +biganswer.big. 60 IN A 10.10.27.29 +biganswer.big. 60 IN A 10.10.27.30 +biganswer.big. 60 IN A 10.10.27.31 +biganswer.big. 60 IN A 10.10.27.32 +biganswer.big. 60 IN A 10.10.27.33 +biganswer.big. 60 IN A 10.10.27.34 +biganswer.big. 60 IN A 10.10.27.35 +biganswer.big. 60 IN A 10.10.27.36 +biganswer.big. 60 IN A 10.10.27.37 +biganswer.big. 60 IN A 10.10.27.38 +biganswer.big. 60 IN A 10.10.27.39 +biganswer.big. 60 IN A 10.10.27.40 +biganswer.big. 60 IN A 10.10.27.41 +biganswer.big. 60 IN A 10.10.27.42 +biganswer.big. 60 IN A 10.10.27.43 +biganswer.big. 60 IN A 10.10.27.44 +biganswer.big. 60 IN A 10.10.27.45 +biganswer.big. 60 IN A 10.10.27.46 +biganswer.big. 60 IN A 10.10.27.47 +biganswer.big. 60 IN A 10.10.27.48 +biganswer.big. 60 IN A 10.10.27.49 +biganswer.big. 60 IN A 10.10.27.50 +biganswer.big. 60 IN A 10.10.28.1 +biganswer.big. 60 IN A 10.10.28.2 +biganswer.big. 60 IN A 10.10.28.3 +biganswer.big. 60 IN A 10.10.28.4 +biganswer.big. 60 IN A 10.10.28.5 +biganswer.big. 60 IN A 10.10.28.6 +biganswer.big. 60 IN A 10.10.28.7 +biganswer.big. 60 IN A 10.10.28.8 +biganswer.big. 60 IN A 10.10.28.9 +biganswer.big. 60 IN A 10.10.28.10 +biganswer.big. 60 IN A 10.10.28.11 +biganswer.big. 60 IN A 10.10.28.12 +biganswer.big. 60 IN A 10.10.28.13 +biganswer.big. 60 IN A 10.10.28.14 +biganswer.big. 60 IN A 10.10.28.15 +biganswer.big. 60 IN A 10.10.28.16 +biganswer.big. 60 IN A 10.10.28.17 +biganswer.big. 60 IN A 10.10.28.18 +biganswer.big. 60 IN A 10.10.28.19 +biganswer.big. 60 IN A 10.10.28.20 +biganswer.big. 60 IN A 10.10.28.21 +biganswer.big. 60 IN A 10.10.28.22 +biganswer.big. 60 IN A 10.10.28.23 +biganswer.big. 60 IN A 10.10.28.24 +biganswer.big. 60 IN A 10.10.28.25 +biganswer.big. 60 IN A 10.10.28.26 +biganswer.big. 60 IN A 10.10.28.27 +biganswer.big. 60 IN A 10.10.28.28 +biganswer.big. 60 IN A 10.10.28.29 +biganswer.big. 60 IN A 10.10.28.30 +biganswer.big. 60 IN A 10.10.28.31 +biganswer.big. 60 IN A 10.10.28.32 +biganswer.big. 60 IN A 10.10.28.33 +biganswer.big. 60 IN A 10.10.28.34 +biganswer.big. 60 IN A 10.10.28.35 +biganswer.big. 60 IN A 10.10.28.36 +biganswer.big. 60 IN A 10.10.28.37 +biganswer.big. 60 IN A 10.10.28.38 +biganswer.big. 60 IN A 10.10.28.39 +biganswer.big. 60 IN A 10.10.28.40 +biganswer.big. 60 IN A 10.10.28.41 +biganswer.big. 60 IN A 10.10.28.42 +biganswer.big. 60 IN A 10.10.28.43 +biganswer.big. 60 IN A 10.10.28.44 +biganswer.big. 60 IN A 10.10.28.45 +biganswer.big. 60 IN A 10.10.28.46 +biganswer.big. 60 IN A 10.10.28.47 +biganswer.big. 60 IN A 10.10.28.48 +biganswer.big. 60 IN A 10.10.28.49 +biganswer.big. 60 IN A 10.10.28.50 +biganswer.big. 60 IN A 10.10.29.1 +biganswer.big. 60 IN A 10.10.29.2 +biganswer.big. 60 IN A 10.10.29.3 +biganswer.big. 60 IN A 10.10.29.4 +biganswer.big. 60 IN A 10.10.29.5 +biganswer.big. 60 IN A 10.10.29.6 +biganswer.big. 60 IN A 10.10.29.7 +biganswer.big. 60 IN A 10.10.29.8 +biganswer.big. 60 IN A 10.10.29.9 +biganswer.big. 60 IN A 10.10.29.10 +biganswer.big. 60 IN A 10.10.29.11 +biganswer.big. 60 IN A 10.10.29.12 +biganswer.big. 60 IN A 10.10.29.13 +biganswer.big. 60 IN A 10.10.29.14 +biganswer.big. 60 IN A 10.10.29.15 +biganswer.big. 60 IN A 10.10.29.16 +biganswer.big. 60 IN A 10.10.29.17 +biganswer.big. 60 IN A 10.10.29.18 +biganswer.big. 60 IN A 10.10.29.19 +biganswer.big. 60 IN A 10.10.29.20 +biganswer.big. 60 IN A 10.10.29.21 +biganswer.big. 60 IN A 10.10.29.22 +biganswer.big. 60 IN A 10.10.29.23 +biganswer.big. 60 IN A 10.10.29.24 +biganswer.big. 60 IN A 10.10.29.25 +biganswer.big. 60 IN A 10.10.29.26 +biganswer.big. 60 IN A 10.10.29.27 +biganswer.big. 60 IN A 10.10.29.28 +biganswer.big. 60 IN A 10.10.29.29 +biganswer.big. 60 IN A 10.10.29.30 +biganswer.big. 60 IN A 10.10.29.31 +biganswer.big. 60 IN A 10.10.29.32 +biganswer.big. 60 IN A 10.10.29.33 +biganswer.big. 60 IN A 10.10.29.34 +biganswer.big. 60 IN A 10.10.29.35 +biganswer.big. 60 IN A 10.10.29.36 +biganswer.big. 60 IN A 10.10.29.37 +biganswer.big. 60 IN A 10.10.29.38 +biganswer.big. 60 IN A 10.10.29.39 +biganswer.big. 60 IN A 10.10.29.40 +biganswer.big. 60 IN A 10.10.29.41 +biganswer.big. 60 IN A 10.10.29.42 +biganswer.big. 60 IN A 10.10.29.43 +biganswer.big. 60 IN A 10.10.29.44 +biganswer.big. 60 IN A 10.10.29.45 +biganswer.big. 60 IN A 10.10.29.46 +biganswer.big. 60 IN A 10.10.29.47 +biganswer.big. 60 IN A 10.10.29.48 +biganswer.big. 60 IN A 10.10.29.49 +biganswer.big. 60 IN A 10.10.29.50 +biganswer.big. 60 IN A 10.10.30.1 +biganswer.big. 60 IN A 10.10.30.2 +biganswer.big. 60 IN A 10.10.30.3 +biganswer.big. 60 IN A 10.10.30.4 +biganswer.big. 60 IN A 10.10.30.5 +biganswer.big. 60 IN A 10.10.30.6 +biganswer.big. 60 IN A 10.10.30.7 +biganswer.big. 60 IN A 10.10.30.8 +biganswer.big. 60 IN A 10.10.30.9 +biganswer.big. 60 IN A 10.10.30.10 +biganswer.big. 60 IN A 10.10.30.11 +biganswer.big. 60 IN A 10.10.30.12 +biganswer.big. 60 IN A 10.10.30.13 +biganswer.big. 60 IN A 10.10.30.14 +biganswer.big. 60 IN A 10.10.30.15 +biganswer.big. 60 IN A 10.10.30.16 +biganswer.big. 60 IN A 10.10.30.17 +biganswer.big. 60 IN A 10.10.30.18 +biganswer.big. 60 IN A 10.10.30.19 +biganswer.big. 60 IN A 10.10.30.20 +biganswer.big. 60 IN A 10.10.30.21 +biganswer.big. 60 IN A 10.10.30.22 +biganswer.big. 60 IN A 10.10.30.23 +biganswer.big. 60 IN A 10.10.30.24 +biganswer.big. 60 IN A 10.10.30.25 +biganswer.big. 60 IN A 10.10.30.26 +biganswer.big. 60 IN A 10.10.30.27 +biganswer.big. 60 IN A 10.10.30.28 +biganswer.big. 60 IN A 10.10.30.29 +biganswer.big. 60 IN A 10.10.30.30 +biganswer.big. 60 IN A 10.10.30.31 +biganswer.big. 60 IN A 10.10.30.32 +biganswer.big. 60 IN A 10.10.30.33 +biganswer.big. 60 IN A 10.10.30.34 +biganswer.big. 60 IN A 10.10.30.35 +biganswer.big. 60 IN A 10.10.30.36 +biganswer.big. 60 IN A 10.10.30.37 +biganswer.big. 60 IN A 10.10.30.38 +biganswer.big. 60 IN A 10.10.30.39 +biganswer.big. 60 IN A 10.10.30.40 +biganswer.big. 60 IN A 10.10.30.41 +biganswer.big. 60 IN A 10.10.30.42 +biganswer.big. 60 IN A 10.10.30.43 +biganswer.big. 60 IN A 10.10.30.44 +biganswer.big. 60 IN A 10.10.30.45 +biganswer.big. 60 IN A 10.10.30.46 +biganswer.big. 60 IN A 10.10.30.47 +biganswer.big. 60 IN A 10.10.30.48 +biganswer.big. 60 IN A 10.10.30.49 +biganswer.big. 60 IN A 10.10.30.50 +biganswer.big. 60 IN A 10.10.31.1 +biganswer.big. 60 IN A 10.10.31.2 +biganswer.big. 60 IN A 10.10.31.3 +biganswer.big. 60 IN A 10.10.31.4 +biganswer.big. 60 IN A 10.10.31.5 +biganswer.big. 60 IN A 10.10.31.6 +biganswer.big. 60 IN A 10.10.31.7 +biganswer.big. 60 IN A 10.10.31.8 +biganswer.big. 60 IN A 10.10.31.9 +biganswer.big. 60 IN A 10.10.31.10 +biganswer.big. 60 IN A 10.10.31.11 +biganswer.big. 60 IN A 10.10.31.12 +biganswer.big. 60 IN A 10.10.31.13 +biganswer.big. 60 IN A 10.10.31.14 +biganswer.big. 60 IN A 10.10.31.15 +biganswer.big. 60 IN A 10.10.31.16 +biganswer.big. 60 IN A 10.10.31.17 +biganswer.big. 60 IN A 10.10.31.18 +biganswer.big. 60 IN A 10.10.31.19 +biganswer.big. 60 IN A 10.10.31.20 +biganswer.big. 60 IN A 10.10.31.21 +biganswer.big. 60 IN A 10.10.31.22 +biganswer.big. 60 IN A 10.10.31.23 +biganswer.big. 60 IN A 10.10.31.24 +biganswer.big. 60 IN A 10.10.31.25 +biganswer.big. 60 IN A 10.10.31.26 +biganswer.big. 60 IN A 10.10.31.27 +biganswer.big. 60 IN A 10.10.31.28 +biganswer.big. 60 IN A 10.10.31.29 +biganswer.big. 60 IN A 10.10.31.30 +biganswer.big. 60 IN A 10.10.31.31 +biganswer.big. 60 IN A 10.10.31.32 +biganswer.big. 60 IN A 10.10.31.33 +biganswer.big. 60 IN A 10.10.31.34 +biganswer.big. 60 IN A 10.10.31.35 +biganswer.big. 60 IN A 10.10.31.36 +biganswer.big. 60 IN A 10.10.31.37 +biganswer.big. 60 IN A 10.10.31.38 +biganswer.big. 60 IN A 10.10.31.39 +biganswer.big. 60 IN A 10.10.31.40 +biganswer.big. 60 IN A 10.10.31.41 +biganswer.big. 60 IN A 10.10.31.42 +biganswer.big. 60 IN A 10.10.31.43 +biganswer.big. 60 IN A 10.10.31.44 +biganswer.big. 60 IN A 10.10.31.45 +biganswer.big. 60 IN A 10.10.31.46 +biganswer.big. 60 IN A 10.10.31.47 +biganswer.big. 60 IN A 10.10.31.48 +biganswer.big. 60 IN A 10.10.31.49 +biganswer.big. 60 IN A 10.10.31.50 +biganswer.big. 60 IN A 10.10.32.1 +biganswer.big. 60 IN A 10.10.32.2 +biganswer.big. 60 IN A 10.10.32.3 +biganswer.big. 60 IN A 10.10.32.4 +biganswer.big. 60 IN A 10.10.32.5 +biganswer.big. 60 IN A 10.10.32.6 +biganswer.big. 60 IN A 10.10.32.7 +biganswer.big. 60 IN A 10.10.32.8 +biganswer.big. 60 IN A 10.10.32.9 +biganswer.big. 60 IN A 10.10.32.10 +biganswer.big. 60 IN A 10.10.32.11 +biganswer.big. 60 IN A 10.10.32.12 +biganswer.big. 60 IN A 10.10.32.13 +biganswer.big. 60 IN A 10.10.32.14 +biganswer.big. 60 IN A 10.10.32.15 +biganswer.big. 60 IN A 10.10.32.16 +biganswer.big. 60 IN A 10.10.32.17 +biganswer.big. 60 IN A 10.10.32.18 +biganswer.big. 60 IN A 10.10.32.19 +biganswer.big. 60 IN A 10.10.32.20 +biganswer.big. 60 IN A 10.10.32.21 +biganswer.big. 60 IN A 10.10.32.22 +biganswer.big. 60 IN A 10.10.32.23 +biganswer.big. 60 IN A 10.10.32.24 +biganswer.big. 60 IN A 10.10.32.25 +biganswer.big. 60 IN A 10.10.32.26 +biganswer.big. 60 IN A 10.10.32.27 +biganswer.big. 60 IN A 10.10.32.28 +biganswer.big. 60 IN A 10.10.32.29 +biganswer.big. 60 IN A 10.10.32.30 +biganswer.big. 60 IN A 10.10.32.31 +biganswer.big. 60 IN A 10.10.32.32 +biganswer.big. 60 IN A 10.10.32.33 +biganswer.big. 60 IN A 10.10.32.34 +biganswer.big. 60 IN A 10.10.32.35 +biganswer.big. 60 IN A 10.10.32.36 +biganswer.big. 60 IN A 10.10.32.37 +biganswer.big. 60 IN A 10.10.32.38 +biganswer.big. 60 IN A 10.10.32.39 +biganswer.big. 60 IN A 10.10.32.40 +biganswer.big. 60 IN A 10.10.32.41 +biganswer.big. 60 IN A 10.10.32.42 +biganswer.big. 60 IN A 10.10.32.43 +biganswer.big. 60 IN A 10.10.32.44 +biganswer.big. 60 IN A 10.10.32.45 +biganswer.big. 60 IN A 10.10.32.46 +biganswer.big. 60 IN A 10.10.32.47 +biganswer.big. 60 IN A 10.10.32.48 +biganswer.big. 60 IN A 10.10.32.49 +biganswer.big. 60 IN A 10.10.32.50 +biganswer.big. 60 IN A 10.10.33.1 +biganswer.big. 60 IN A 10.10.33.2 +biganswer.big. 60 IN A 10.10.33.3 +biganswer.big. 60 IN A 10.10.33.4 +biganswer.big. 60 IN A 10.10.33.5 +biganswer.big. 60 IN A 10.10.33.6 +biganswer.big. 60 IN A 10.10.33.7 +biganswer.big. 60 IN A 10.10.33.8 +biganswer.big. 60 IN A 10.10.33.9 +biganswer.big. 60 IN A 10.10.33.10 +biganswer.big. 60 IN A 10.10.33.11 +biganswer.big. 60 IN A 10.10.33.12 +biganswer.big. 60 IN A 10.10.33.13 +biganswer.big. 60 IN A 10.10.33.14 +biganswer.big. 60 IN A 10.10.33.15 +biganswer.big. 60 IN A 10.10.33.16 +biganswer.big. 60 IN A 10.10.33.17 +biganswer.big. 60 IN A 10.10.33.18 +biganswer.big. 60 IN A 10.10.33.19 +biganswer.big. 60 IN A 10.10.33.20 +biganswer.big. 60 IN A 10.10.33.21 +biganswer.big. 60 IN A 10.10.33.22 +biganswer.big. 60 IN A 10.10.33.23 +biganswer.big. 60 IN A 10.10.33.24 +biganswer.big. 60 IN A 10.10.33.25 +biganswer.big. 60 IN A 10.10.33.26 +biganswer.big. 60 IN A 10.10.33.27 +biganswer.big. 60 IN A 10.10.33.28 +biganswer.big. 60 IN A 10.10.33.29 +biganswer.big. 60 IN A 10.10.33.30 +biganswer.big. 60 IN A 10.10.33.31 +biganswer.big. 60 IN A 10.10.33.32 +biganswer.big. 60 IN A 10.10.33.33 +biganswer.big. 60 IN A 10.10.33.34 +biganswer.big. 60 IN A 10.10.33.35 +biganswer.big. 60 IN A 10.10.33.36 +biganswer.big. 60 IN A 10.10.33.37 +biganswer.big. 60 IN A 10.10.33.38 +biganswer.big. 60 IN A 10.10.33.39 +biganswer.big. 60 IN A 10.10.33.40 +biganswer.big. 60 IN A 10.10.33.41 +biganswer.big. 60 IN A 10.10.33.42 +biganswer.big. 60 IN A 10.10.33.43 +biganswer.big. 60 IN A 10.10.33.44 +biganswer.big. 60 IN A 10.10.33.45 +biganswer.big. 60 IN A 10.10.33.46 +biganswer.big. 60 IN A 10.10.33.47 +biganswer.big. 60 IN A 10.10.33.48 +biganswer.big. 60 IN A 10.10.33.49 +biganswer.big. 60 IN A 10.10.33.50 +biganswer.big. 60 IN A 10.10.34.1 +biganswer.big. 60 IN A 10.10.34.2 +biganswer.big. 60 IN A 10.10.34.3 +biganswer.big. 60 IN A 10.10.34.4 +biganswer.big. 60 IN A 10.10.34.5 +biganswer.big. 60 IN A 10.10.34.6 +biganswer.big. 60 IN A 10.10.34.7 +biganswer.big. 60 IN A 10.10.34.8 +biganswer.big. 60 IN A 10.10.34.9 +biganswer.big. 60 IN A 10.10.34.10 +biganswer.big. 60 IN A 10.10.34.11 +biganswer.big. 60 IN A 10.10.34.12 +biganswer.big. 60 IN A 10.10.34.13 +biganswer.big. 60 IN A 10.10.34.14 +biganswer.big. 60 IN A 10.10.34.15 +biganswer.big. 60 IN A 10.10.34.16 +biganswer.big. 60 IN A 10.10.34.17 +biganswer.big. 60 IN A 10.10.34.18 +biganswer.big. 60 IN A 10.10.34.19 +biganswer.big. 60 IN A 10.10.34.20 +biganswer.big. 60 IN A 10.10.34.21 +biganswer.big. 60 IN A 10.10.34.22 +biganswer.big. 60 IN A 10.10.34.23 +biganswer.big. 60 IN A 10.10.34.24 +biganswer.big. 60 IN A 10.10.34.25 +biganswer.big. 60 IN A 10.10.34.26 +biganswer.big. 60 IN A 10.10.34.27 +biganswer.big. 60 IN A 10.10.34.28 +biganswer.big. 60 IN A 10.10.34.29 +biganswer.big. 60 IN A 10.10.34.30 +biganswer.big. 60 IN A 10.10.34.31 +biganswer.big. 60 IN A 10.10.34.32 +biganswer.big. 60 IN A 10.10.34.33 +biganswer.big. 60 IN A 10.10.34.34 +biganswer.big. 60 IN A 10.10.34.35 +biganswer.big. 60 IN A 10.10.34.36 +biganswer.big. 60 IN A 10.10.34.37 +biganswer.big. 60 IN A 10.10.34.38 +biganswer.big. 60 IN A 10.10.34.39 +biganswer.big. 60 IN A 10.10.34.40 +biganswer.big. 60 IN A 10.10.34.41 +biganswer.big. 60 IN A 10.10.34.42 +biganswer.big. 60 IN A 10.10.34.43 +biganswer.big. 60 IN A 10.10.34.44 +biganswer.big. 60 IN A 10.10.34.45 +biganswer.big. 60 IN A 10.10.34.46 +biganswer.big. 60 IN A 10.10.34.47 +biganswer.big. 60 IN A 10.10.34.48 +biganswer.big. 60 IN A 10.10.34.49 +biganswer.big. 60 IN A 10.10.34.50 +biganswer.big. 60 IN A 10.10.35.1 +biganswer.big. 60 IN A 10.10.35.2 +biganswer.big. 60 IN A 10.10.35.3 +biganswer.big. 60 IN A 10.10.35.4 +biganswer.big. 60 IN A 10.10.35.5 +biganswer.big. 60 IN A 10.10.35.6 +biganswer.big. 60 IN A 10.10.35.7 +biganswer.big. 60 IN A 10.10.35.8 +biganswer.big. 60 IN A 10.10.35.9 +biganswer.big. 60 IN A 10.10.35.10 +biganswer.big. 60 IN A 10.10.35.11 +biganswer.big. 60 IN A 10.10.35.12 +biganswer.big. 60 IN A 10.10.35.13 +biganswer.big. 60 IN A 10.10.35.14 +biganswer.big. 60 IN A 10.10.35.15 +biganswer.big. 60 IN A 10.10.35.16 +biganswer.big. 60 IN A 10.10.35.17 +biganswer.big. 60 IN A 10.10.35.18 +biganswer.big. 60 IN A 10.10.35.19 +biganswer.big. 60 IN A 10.10.35.20 +biganswer.big. 60 IN A 10.10.35.21 +biganswer.big. 60 IN A 10.10.35.22 +biganswer.big. 60 IN A 10.10.35.23 +biganswer.big. 60 IN A 10.10.35.24 +biganswer.big. 60 IN A 10.10.35.25 +biganswer.big. 60 IN A 10.10.35.26 +biganswer.big. 60 IN A 10.10.35.27 +biganswer.big. 60 IN A 10.10.35.28 +biganswer.big. 60 IN A 10.10.35.29 +biganswer.big. 60 IN A 10.10.35.30 +biganswer.big. 60 IN A 10.10.35.31 +biganswer.big. 60 IN A 10.10.35.32 +biganswer.big. 60 IN A 10.10.35.33 +biganswer.big. 60 IN A 10.10.35.34 +biganswer.big. 60 IN A 10.10.35.35 +biganswer.big. 60 IN A 10.10.35.36 +biganswer.big. 60 IN A 10.10.35.37 +biganswer.big. 60 IN A 10.10.35.38 +biganswer.big. 60 IN A 10.10.35.39 +biganswer.big. 60 IN A 10.10.35.40 +biganswer.big. 60 IN A 10.10.35.41 +biganswer.big. 60 IN A 10.10.35.42 +biganswer.big. 60 IN A 10.10.35.43 +biganswer.big. 60 IN A 10.10.35.44 +biganswer.big. 60 IN A 10.10.35.45 +biganswer.big. 60 IN A 10.10.35.46 +biganswer.big. 60 IN A 10.10.35.47 +biganswer.big. 60 IN A 10.10.35.48 +biganswer.big. 60 IN A 10.10.35.49 +biganswer.big. 60 IN A 10.10.35.50 +biganswer.big. 60 IN A 10.10.36.1 +biganswer.big. 60 IN A 10.10.36.2 +biganswer.big. 60 IN A 10.10.36.3 +biganswer.big. 60 IN A 10.10.36.4 +biganswer.big. 60 IN A 10.10.36.5 +biganswer.big. 60 IN A 10.10.36.6 +biganswer.big. 60 IN A 10.10.36.7 +biganswer.big. 60 IN A 10.10.36.8 +biganswer.big. 60 IN A 10.10.36.9 +biganswer.big. 60 IN A 10.10.36.10 +biganswer.big. 60 IN A 10.10.36.11 +biganswer.big. 60 IN A 10.10.36.12 +biganswer.big. 60 IN A 10.10.36.13 +biganswer.big. 60 IN A 10.10.36.14 +biganswer.big. 60 IN A 10.10.36.15 +biganswer.big. 60 IN A 10.10.36.16 +biganswer.big. 60 IN A 10.10.36.17 +biganswer.big. 60 IN A 10.10.36.18 +biganswer.big. 60 IN A 10.10.36.19 +biganswer.big. 60 IN A 10.10.36.20 +biganswer.big. 60 IN A 10.10.36.21 +biganswer.big. 60 IN A 10.10.36.22 +biganswer.big. 60 IN A 10.10.36.23 +biganswer.big. 60 IN A 10.10.36.24 +biganswer.big. 60 IN A 10.10.36.25 +biganswer.big. 60 IN A 10.10.36.26 +biganswer.big. 60 IN A 10.10.36.27 +biganswer.big. 60 IN A 10.10.36.28 +biganswer.big. 60 IN A 10.10.36.29 +biganswer.big. 60 IN A 10.10.36.30 +biganswer.big. 60 IN A 10.10.36.31 +biganswer.big. 60 IN A 10.10.36.32 +biganswer.big. 60 IN A 10.10.36.33 +biganswer.big. 60 IN A 10.10.36.34 +biganswer.big. 60 IN A 10.10.36.35 +biganswer.big. 60 IN A 10.10.36.36 +biganswer.big. 60 IN A 10.10.36.37 +biganswer.big. 60 IN A 10.10.36.38 +biganswer.big. 60 IN A 10.10.36.39 +biganswer.big. 60 IN A 10.10.36.40 +biganswer.big. 60 IN A 10.10.36.41 +biganswer.big. 60 IN A 10.10.36.42 +biganswer.big. 60 IN A 10.10.36.43 +biganswer.big. 60 IN A 10.10.36.44 +biganswer.big. 60 IN A 10.10.36.45 +biganswer.big. 60 IN A 10.10.36.46 +biganswer.big. 60 IN A 10.10.36.47 +biganswer.big. 60 IN A 10.10.36.48 +biganswer.big. 60 IN A 10.10.36.49 +biganswer.big. 60 IN A 10.10.36.50 +biganswer.big. 60 IN A 10.10.37.1 +biganswer.big. 60 IN A 10.10.37.2 +biganswer.big. 60 IN A 10.10.37.3 +biganswer.big. 60 IN A 10.10.37.4 +biganswer.big. 60 IN A 10.10.37.5 +biganswer.big. 60 IN A 10.10.37.6 +biganswer.big. 60 IN A 10.10.37.7 +biganswer.big. 60 IN A 10.10.37.8 +biganswer.big. 60 IN A 10.10.37.9 +biganswer.big. 60 IN A 10.10.37.10 +biganswer.big. 60 IN A 10.10.37.11 +biganswer.big. 60 IN A 10.10.37.12 +biganswer.big. 60 IN A 10.10.37.13 +biganswer.big. 60 IN A 10.10.37.14 +biganswer.big. 60 IN A 10.10.37.15 +biganswer.big. 60 IN A 10.10.37.16 +biganswer.big. 60 IN A 10.10.37.17 +biganswer.big. 60 IN A 10.10.37.18 +biganswer.big. 60 IN A 10.10.37.19 +biganswer.big. 60 IN A 10.10.37.20 +biganswer.big. 60 IN A 10.10.37.21 +biganswer.big. 60 IN A 10.10.37.22 +biganswer.big. 60 IN A 10.10.37.23 +biganswer.big. 60 IN A 10.10.37.24 +biganswer.big. 60 IN A 10.10.37.25 +biganswer.big. 60 IN A 10.10.37.26 +biganswer.big. 60 IN A 10.10.37.27 +biganswer.big. 60 IN A 10.10.37.28 +biganswer.big. 60 IN A 10.10.37.29 +biganswer.big. 60 IN A 10.10.37.30 +biganswer.big. 60 IN A 10.10.37.31 +biganswer.big. 60 IN A 10.10.37.32 +biganswer.big. 60 IN A 10.10.37.33 +biganswer.big. 60 IN A 10.10.37.34 +biganswer.big. 60 IN A 10.10.37.35 +biganswer.big. 60 IN A 10.10.37.36 +biganswer.big. 60 IN A 10.10.37.37 +biganswer.big. 60 IN A 10.10.37.38 +biganswer.big. 60 IN A 10.10.37.39 +biganswer.big. 60 IN A 10.10.37.40 +biganswer.big. 60 IN A 10.10.37.41 +biganswer.big. 60 IN A 10.10.37.42 +biganswer.big. 60 IN A 10.10.37.43 +biganswer.big. 60 IN A 10.10.37.44 +biganswer.big. 60 IN A 10.10.37.45 +biganswer.big. 60 IN A 10.10.37.46 +biganswer.big. 60 IN A 10.10.37.47 +biganswer.big. 60 IN A 10.10.37.48 +biganswer.big. 60 IN A 10.10.37.49 +biganswer.big. 60 IN A 10.10.37.50 +biganswer.big. 60 IN A 10.10.38.1 +biganswer.big. 60 IN A 10.10.38.2 +biganswer.big. 60 IN A 10.10.38.3 +biganswer.big. 60 IN A 10.10.38.4 +biganswer.big. 60 IN A 10.10.38.5 +biganswer.big. 60 IN A 10.10.38.6 +biganswer.big. 60 IN A 10.10.38.7 +biganswer.big. 60 IN A 10.10.38.8 +biganswer.big. 60 IN A 10.10.38.9 +biganswer.big. 60 IN A 10.10.38.10 +biganswer.big. 60 IN A 10.10.38.11 +biganswer.big. 60 IN A 10.10.38.12 +biganswer.big. 60 IN A 10.10.38.13 +biganswer.big. 60 IN A 10.10.38.14 +biganswer.big. 60 IN A 10.10.38.15 +biganswer.big. 60 IN A 10.10.38.16 +biganswer.big. 60 IN A 10.10.38.17 +biganswer.big. 60 IN A 10.10.38.18 +biganswer.big. 60 IN A 10.10.38.19 +biganswer.big. 60 IN A 10.10.38.20 +biganswer.big. 60 IN A 10.10.38.21 +biganswer.big. 60 IN A 10.10.38.22 +biganswer.big. 60 IN A 10.10.38.23 +biganswer.big. 60 IN A 10.10.38.24 +biganswer.big. 60 IN A 10.10.38.25 +biganswer.big. 60 IN A 10.10.38.26 +biganswer.big. 60 IN A 10.10.38.27 +biganswer.big. 60 IN A 10.10.38.28 +biganswer.big. 60 IN A 10.10.38.29 +biganswer.big. 60 IN A 10.10.38.30 +biganswer.big. 60 IN A 10.10.38.31 +biganswer.big. 60 IN A 10.10.38.32 +biganswer.big. 60 IN A 10.10.38.33 +biganswer.big. 60 IN A 10.10.38.34 +biganswer.big. 60 IN A 10.10.38.35 +biganswer.big. 60 IN A 10.10.38.36 +biganswer.big. 60 IN A 10.10.38.37 +biganswer.big. 60 IN A 10.10.38.38 +biganswer.big. 60 IN A 10.10.38.39 +biganswer.big. 60 IN A 10.10.38.40 +biganswer.big. 60 IN A 10.10.38.41 +biganswer.big. 60 IN A 10.10.38.42 +biganswer.big. 60 IN A 10.10.38.43 +biganswer.big. 60 IN A 10.10.38.44 +biganswer.big. 60 IN A 10.10.38.45 +biganswer.big. 60 IN A 10.10.38.46 +biganswer.big. 60 IN A 10.10.38.47 +biganswer.big. 60 IN A 10.10.38.48 +biganswer.big. 60 IN A 10.10.38.49 +biganswer.big. 60 IN A 10.10.38.50 +biganswer.big. 60 IN A 10.10.39.1 +biganswer.big. 60 IN A 10.10.39.2 +biganswer.big. 60 IN A 10.10.39.3 +biganswer.big. 60 IN A 10.10.39.4 +biganswer.big. 60 IN A 10.10.39.5 +biganswer.big. 60 IN A 10.10.39.6 +biganswer.big. 60 IN A 10.10.39.7 +biganswer.big. 60 IN A 10.10.39.8 +biganswer.big. 60 IN A 10.10.39.9 +biganswer.big. 60 IN A 10.10.39.10 +biganswer.big. 60 IN A 10.10.39.11 +biganswer.big. 60 IN A 10.10.39.12 +biganswer.big. 60 IN A 10.10.39.13 +biganswer.big. 60 IN A 10.10.39.14 +biganswer.big. 60 IN A 10.10.39.15 +biganswer.big. 60 IN A 10.10.39.16 +biganswer.big. 60 IN A 10.10.39.17 +biganswer.big. 60 IN A 10.10.39.18 +biganswer.big. 60 IN A 10.10.39.19 +biganswer.big. 60 IN A 10.10.39.20 +biganswer.big. 60 IN A 10.10.39.21 +biganswer.big. 60 IN A 10.10.39.22 +biganswer.big. 60 IN A 10.10.39.23 +biganswer.big. 60 IN A 10.10.39.24 +biganswer.big. 60 IN A 10.10.39.25 +biganswer.big. 60 IN A 10.10.39.26 +biganswer.big. 60 IN A 10.10.39.27 +biganswer.big. 60 IN A 10.10.39.28 +biganswer.big. 60 IN A 10.10.39.29 +biganswer.big. 60 IN A 10.10.39.30 +biganswer.big. 60 IN A 10.10.39.31 +biganswer.big. 60 IN A 10.10.39.32 +biganswer.big. 60 IN A 10.10.39.33 +biganswer.big. 60 IN A 10.10.39.34 +biganswer.big. 60 IN A 10.10.39.35 +biganswer.big. 60 IN A 10.10.39.36 +biganswer.big. 60 IN A 10.10.39.37 +biganswer.big. 60 IN A 10.10.39.38 +biganswer.big. 60 IN A 10.10.39.39 +biganswer.big. 60 IN A 10.10.39.40 +biganswer.big. 60 IN A 10.10.39.41 +biganswer.big. 60 IN A 10.10.39.42 +biganswer.big. 60 IN A 10.10.39.43 +biganswer.big. 60 IN A 10.10.39.44 +biganswer.big. 60 IN A 10.10.39.45 +biganswer.big. 60 IN A 10.10.39.46 +biganswer.big. 60 IN A 10.10.39.47 +biganswer.big. 60 IN A 10.10.39.48 +biganswer.big. 60 IN A 10.10.39.49 +biganswer.big. 60 IN A 10.10.39.50 +biganswer.big. 60 IN A 10.10.40.1 +biganswer.big. 60 IN A 10.10.40.2 +biganswer.big. 60 IN A 10.10.40.3 +biganswer.big. 60 IN A 10.10.40.4 +biganswer.big. 60 IN A 10.10.40.5 +biganswer.big. 60 IN A 10.10.40.6 +biganswer.big. 60 IN A 10.10.40.7 +biganswer.big. 60 IN A 10.10.40.8 +biganswer.big. 60 IN A 10.10.40.9 +biganswer.big. 60 IN A 10.10.40.10 +biganswer.big. 60 IN A 10.10.40.11 +biganswer.big. 60 IN A 10.10.40.12 +biganswer.big. 60 IN A 10.10.40.13 +biganswer.big. 60 IN A 10.10.40.14 +biganswer.big. 60 IN A 10.10.40.15 +biganswer.big. 60 IN A 10.10.40.16 +biganswer.big. 60 IN A 10.10.40.17 +biganswer.big. 60 IN A 10.10.40.18 +biganswer.big. 60 IN A 10.10.40.19 +biganswer.big. 60 IN A 10.10.40.20 +biganswer.big. 60 IN A 10.10.40.21 +biganswer.big. 60 IN A 10.10.40.22 +biganswer.big. 60 IN A 10.10.40.23 +biganswer.big. 60 IN A 10.10.40.24 +biganswer.big. 60 IN A 10.10.40.25 +biganswer.big. 60 IN A 10.10.40.26 +biganswer.big. 60 IN A 10.10.40.27 +biganswer.big. 60 IN A 10.10.40.28 +biganswer.big. 60 IN A 10.10.40.29 +biganswer.big. 60 IN A 10.10.40.30 +biganswer.big. 60 IN A 10.10.40.31 +biganswer.big. 60 IN A 10.10.40.32 +biganswer.big. 60 IN A 10.10.40.33 +biganswer.big. 60 IN A 10.10.40.34 +biganswer.big. 60 IN A 10.10.40.35 +biganswer.big. 60 IN A 10.10.40.36 +biganswer.big. 60 IN A 10.10.40.37 +biganswer.big. 60 IN A 10.10.40.38 +biganswer.big. 60 IN A 10.10.40.39 +biganswer.big. 60 IN A 10.10.40.40 +biganswer.big. 60 IN A 10.10.40.41 +biganswer.big. 60 IN A 10.10.40.42 +biganswer.big. 60 IN A 10.10.40.43 +biganswer.big. 60 IN A 10.10.40.44 +biganswer.big. 60 IN A 10.10.40.45 +biganswer.big. 60 IN A 10.10.40.46 +biganswer.big. 60 IN A 10.10.40.47 +biganswer.big. 60 IN A 10.10.40.48 +biganswer.big. 60 IN A 10.10.40.49 +biganswer.big. 60 IN A 10.10.40.50 +biganswer.big. 60 IN A 10.10.41.1 +biganswer.big. 60 IN A 10.10.41.2 +biganswer.big. 60 IN A 10.10.41.3 +biganswer.big. 60 IN A 10.10.41.4 +biganswer.big. 60 IN A 10.10.41.5 +biganswer.big. 60 IN A 10.10.41.6 +biganswer.big. 60 IN A 10.10.41.7 +biganswer.big. 60 IN A 10.10.41.8 +biganswer.big. 60 IN A 10.10.41.9 +biganswer.big. 60 IN A 10.10.41.10 +biganswer.big. 60 IN A 10.10.41.11 +biganswer.big. 60 IN A 10.10.41.12 +biganswer.big. 60 IN A 10.10.41.13 +biganswer.big. 60 IN A 10.10.41.14 +biganswer.big. 60 IN A 10.10.41.15 +biganswer.big. 60 IN A 10.10.41.16 +biganswer.big. 60 IN A 10.10.41.17 +biganswer.big. 60 IN A 10.10.41.18 +biganswer.big. 60 IN A 10.10.41.19 +biganswer.big. 60 IN A 10.10.41.20 +biganswer.big. 60 IN A 10.10.41.21 +biganswer.big. 60 IN A 10.10.41.22 +biganswer.big. 60 IN A 10.10.41.23 +biganswer.big. 60 IN A 10.10.41.24 +biganswer.big. 60 IN A 10.10.41.25 +biganswer.big. 60 IN A 10.10.41.26 +biganswer.big. 60 IN A 10.10.41.27 +biganswer.big. 60 IN A 10.10.41.28 +biganswer.big. 60 IN A 10.10.41.29 +biganswer.big. 60 IN A 10.10.41.30 +biganswer.big. 60 IN A 10.10.41.31 +biganswer.big. 60 IN A 10.10.41.32 +biganswer.big. 60 IN A 10.10.41.33 +biganswer.big. 60 IN A 10.10.41.34 +biganswer.big. 60 IN A 10.10.41.35 +biganswer.big. 60 IN A 10.10.41.36 +biganswer.big. 60 IN A 10.10.41.37 +biganswer.big. 60 IN A 10.10.41.38 +biganswer.big. 60 IN A 10.10.41.39 +biganswer.big. 60 IN A 10.10.41.40 +biganswer.big. 60 IN A 10.10.41.41 +biganswer.big. 60 IN A 10.10.41.42 +biganswer.big. 60 IN A 10.10.41.43 +biganswer.big. 60 IN A 10.10.41.44 +biganswer.big. 60 IN A 10.10.41.45 +biganswer.big. 60 IN A 10.10.41.46 +biganswer.big. 60 IN A 10.10.41.47 +biganswer.big. 60 IN A 10.10.41.48 +biganswer.big. 60 IN A 10.10.41.49 +biganswer.big. 60 IN A 10.10.41.50 +biganswer.big. 60 IN A 10.10.42.1 +biganswer.big. 60 IN A 10.10.42.2 +biganswer.big. 60 IN A 10.10.42.3 +biganswer.big. 60 IN A 10.10.42.4 +biganswer.big. 60 IN A 10.10.42.5 +biganswer.big. 60 IN A 10.10.42.6 +biganswer.big. 60 IN A 10.10.42.7 +biganswer.big. 60 IN A 10.10.42.8 +biganswer.big. 60 IN A 10.10.42.9 +biganswer.big. 60 IN A 10.10.42.10 +biganswer.big. 60 IN A 10.10.42.11 +biganswer.big. 60 IN A 10.10.42.12 +biganswer.big. 60 IN A 10.10.42.13 +biganswer.big. 60 IN A 10.10.42.14 +biganswer.big. 60 IN A 10.10.42.15 +biganswer.big. 60 IN A 10.10.42.16 +biganswer.big. 60 IN A 10.10.42.17 +biganswer.big. 60 IN A 10.10.42.18 +biganswer.big. 60 IN A 10.10.42.19 +biganswer.big. 60 IN A 10.10.42.20 +biganswer.big. 60 IN A 10.10.42.21 +biganswer.big. 60 IN A 10.10.42.22 +biganswer.big. 60 IN A 10.10.42.23 +biganswer.big. 60 IN A 10.10.42.24 +biganswer.big. 60 IN A 10.10.42.25 +biganswer.big. 60 IN A 10.10.42.26 +biganswer.big. 60 IN A 10.10.42.27 +biganswer.big. 60 IN A 10.10.42.28 +biganswer.big. 60 IN A 10.10.42.29 +biganswer.big. 60 IN A 10.10.42.30 +biganswer.big. 60 IN A 10.10.42.31 +biganswer.big. 60 IN A 10.10.42.32 +biganswer.big. 60 IN A 10.10.42.33 +biganswer.big. 60 IN A 10.10.42.34 +biganswer.big. 60 IN A 10.10.42.35 +biganswer.big. 60 IN A 10.10.42.36 +biganswer.big. 60 IN A 10.10.42.37 +biganswer.big. 60 IN A 10.10.42.38 +biganswer.big. 60 IN A 10.10.42.39 +biganswer.big. 60 IN A 10.10.42.40 +biganswer.big. 60 IN A 10.10.42.41 +biganswer.big. 60 IN A 10.10.42.42 +biganswer.big. 60 IN A 10.10.42.43 +biganswer.big. 60 IN A 10.10.42.44 +biganswer.big. 60 IN A 10.10.42.45 +biganswer.big. 60 IN A 10.10.42.46 +biganswer.big. 60 IN A 10.10.42.47 +biganswer.big. 60 IN A 10.10.42.48 +biganswer.big. 60 IN A 10.10.42.49 +biganswer.big. 60 IN A 10.10.42.50 +biganswer.big. 60 IN A 10.10.43.1 +biganswer.big. 60 IN A 10.10.43.2 +biganswer.big. 60 IN A 10.10.43.3 +biganswer.big. 60 IN A 10.10.43.4 +biganswer.big. 60 IN A 10.10.43.5 +biganswer.big. 60 IN A 10.10.43.6 +biganswer.big. 60 IN A 10.10.43.7 +biganswer.big. 60 IN A 10.10.43.8 +biganswer.big. 60 IN A 10.10.43.9 +biganswer.big. 60 IN A 10.10.43.10 +biganswer.big. 60 IN A 10.10.43.11 +biganswer.big. 60 IN A 10.10.43.12 +biganswer.big. 60 IN A 10.10.43.13 +biganswer.big. 60 IN A 10.10.43.14 +biganswer.big. 60 IN A 10.10.43.15 +biganswer.big. 60 IN A 10.10.43.16 +biganswer.big. 60 IN A 10.10.43.17 +biganswer.big. 60 IN A 10.10.43.18 +biganswer.big. 60 IN A 10.10.43.19 +biganswer.big. 60 IN A 10.10.43.20 +biganswer.big. 60 IN A 10.10.43.21 +biganswer.big. 60 IN A 10.10.43.22 +biganswer.big. 60 IN A 10.10.43.23 +biganswer.big. 60 IN A 10.10.43.24 +biganswer.big. 60 IN A 10.10.43.25 +biganswer.big. 60 IN A 10.10.43.26 +biganswer.big. 60 IN A 10.10.43.27 +biganswer.big. 60 IN A 10.10.43.28 +biganswer.big. 60 IN A 10.10.43.29 +biganswer.big. 60 IN A 10.10.43.30 +biganswer.big. 60 IN A 10.10.43.31 +biganswer.big. 60 IN A 10.10.43.32 +biganswer.big. 60 IN A 10.10.43.33 +biganswer.big. 60 IN A 10.10.43.34 +biganswer.big. 60 IN A 10.10.43.35 +biganswer.big. 60 IN A 10.10.43.36 +biganswer.big. 60 IN A 10.10.43.37 +biganswer.big. 60 IN A 10.10.43.38 +biganswer.big. 60 IN A 10.10.43.39 +biganswer.big. 60 IN A 10.10.43.40 +biganswer.big. 60 IN A 10.10.43.41 +biganswer.big. 60 IN A 10.10.43.42 +biganswer.big. 60 IN A 10.10.43.43 +biganswer.big. 60 IN A 10.10.43.44 +biganswer.big. 60 IN A 10.10.43.45 +biganswer.big. 60 IN A 10.10.43.46 +biganswer.big. 60 IN A 10.10.43.47 +biganswer.big. 60 IN A 10.10.43.48 +biganswer.big. 60 IN A 10.10.43.49 +biganswer.big. 60 IN A 10.10.43.50 +biganswer.big. 60 IN A 10.10.44.1 +biganswer.big. 60 IN A 10.10.44.2 +biganswer.big. 60 IN A 10.10.44.3 +biganswer.big. 60 IN A 10.10.44.4 +biganswer.big. 60 IN A 10.10.44.5 +biganswer.big. 60 IN A 10.10.44.6 +biganswer.big. 60 IN A 10.10.44.7 +biganswer.big. 60 IN A 10.10.44.8 +biganswer.big. 60 IN A 10.10.44.9 +biganswer.big. 60 IN A 10.10.44.10 +biganswer.big. 60 IN A 10.10.44.11 +biganswer.big. 60 IN A 10.10.44.12 +biganswer.big. 60 IN A 10.10.44.13 +biganswer.big. 60 IN A 10.10.44.14 +biganswer.big. 60 IN A 10.10.44.15 +biganswer.big. 60 IN A 10.10.44.16 +biganswer.big. 60 IN A 10.10.44.17 +biganswer.big. 60 IN A 10.10.44.18 +biganswer.big. 60 IN A 10.10.44.19 +biganswer.big. 60 IN A 10.10.44.20 +biganswer.big. 60 IN A 10.10.44.21 +biganswer.big. 60 IN A 10.10.44.22 +biganswer.big. 60 IN A 10.10.44.23 +biganswer.big. 60 IN A 10.10.44.24 +biganswer.big. 60 IN A 10.10.44.25 +biganswer.big. 60 IN A 10.10.44.26 +biganswer.big. 60 IN A 10.10.44.27 +biganswer.big. 60 IN A 10.10.44.28 +biganswer.big. 60 IN A 10.10.44.29 +biganswer.big. 60 IN A 10.10.44.30 +biganswer.big. 60 IN A 10.10.44.31 +biganswer.big. 60 IN A 10.10.44.32 +biganswer.big. 60 IN A 10.10.44.33 +biganswer.big. 60 IN A 10.10.44.34 +biganswer.big. 60 IN A 10.10.44.35 +biganswer.big. 60 IN A 10.10.44.36 +biganswer.big. 60 IN A 10.10.44.37 +biganswer.big. 60 IN A 10.10.44.38 +biganswer.big. 60 IN A 10.10.44.39 +biganswer.big. 60 IN A 10.10.44.40 +biganswer.big. 60 IN A 10.10.44.41 +biganswer.big. 60 IN A 10.10.44.42 +biganswer.big. 60 IN A 10.10.44.43 +biganswer.big. 60 IN A 10.10.44.44 +biganswer.big. 60 IN A 10.10.44.45 +biganswer.big. 60 IN A 10.10.44.46 +biganswer.big. 60 IN A 10.10.44.47 +biganswer.big. 60 IN A 10.10.44.48 +biganswer.big. 60 IN A 10.10.44.49 +biganswer.big. 60 IN A 10.10.44.50 +biganswer.big. 60 IN A 10.10.45.1 +biganswer.big. 60 IN A 10.10.45.2 +biganswer.big. 60 IN A 10.10.45.3 +biganswer.big. 60 IN A 10.10.45.4 +biganswer.big. 60 IN A 10.10.45.5 +biganswer.big. 60 IN A 10.10.45.6 +biganswer.big. 60 IN A 10.10.45.7 +biganswer.big. 60 IN A 10.10.45.8 +biganswer.big. 60 IN A 10.10.45.9 +biganswer.big. 60 IN A 10.10.45.10 +biganswer.big. 60 IN A 10.10.45.11 +biganswer.big. 60 IN A 10.10.45.12 +biganswer.big. 60 IN A 10.10.45.13 +biganswer.big. 60 IN A 10.10.45.14 +biganswer.big. 60 IN A 10.10.45.15 +biganswer.big. 60 IN A 10.10.45.16 +biganswer.big. 60 IN A 10.10.45.17 +biganswer.big. 60 IN A 10.10.45.18 +biganswer.big. 60 IN A 10.10.45.19 +biganswer.big. 60 IN A 10.10.45.20 +biganswer.big. 60 IN A 10.10.45.21 +biganswer.big. 60 IN A 10.10.45.22 +biganswer.big. 60 IN A 10.10.45.23 +biganswer.big. 60 IN A 10.10.45.24 +biganswer.big. 60 IN A 10.10.45.25 +biganswer.big. 60 IN A 10.10.45.26 +biganswer.big. 60 IN A 10.10.45.27 +biganswer.big. 60 IN A 10.10.45.28 +biganswer.big. 60 IN A 10.10.45.29 +biganswer.big. 60 IN A 10.10.45.30 +biganswer.big. 60 IN A 10.10.45.31 +biganswer.big. 60 IN A 10.10.45.32 +biganswer.big. 60 IN A 10.10.45.33 +biganswer.big. 60 IN A 10.10.45.34 +biganswer.big. 60 IN A 10.10.45.35 +biganswer.big. 60 IN A 10.10.45.36 +biganswer.big. 60 IN A 10.10.45.37 +biganswer.big. 60 IN A 10.10.45.38 +biganswer.big. 60 IN A 10.10.45.39 +biganswer.big. 60 IN A 10.10.45.40 +biganswer.big. 60 IN A 10.10.45.41 +biganswer.big. 60 IN A 10.10.45.42 +biganswer.big. 60 IN A 10.10.45.43 +biganswer.big. 60 IN A 10.10.45.44 +biganswer.big. 60 IN A 10.10.45.45 +biganswer.big. 60 IN A 10.10.45.46 +biganswer.big. 60 IN A 10.10.45.47 +biganswer.big. 60 IN A 10.10.45.48 +biganswer.big. 60 IN A 10.10.45.49 +biganswer.big. 60 IN A 10.10.45.50 +biganswer.big. 60 IN A 10.10.46.1 +biganswer.big. 60 IN A 10.10.46.2 +biganswer.big. 60 IN A 10.10.46.3 +biganswer.big. 60 IN A 10.10.46.4 +biganswer.big. 60 IN A 10.10.46.5 +biganswer.big. 60 IN A 10.10.46.6 +biganswer.big. 60 IN A 10.10.46.7 +biganswer.big. 60 IN A 10.10.46.8 +biganswer.big. 60 IN A 10.10.46.9 +biganswer.big. 60 IN A 10.10.46.10 +biganswer.big. 60 IN A 10.10.46.11 +biganswer.big. 60 IN A 10.10.46.12 +biganswer.big. 60 IN A 10.10.46.13 +biganswer.big. 60 IN A 10.10.46.14 +biganswer.big. 60 IN A 10.10.46.15 +biganswer.big. 60 IN A 10.10.46.16 +biganswer.big. 60 IN A 10.10.46.17 +biganswer.big. 60 IN A 10.10.46.18 +biganswer.big. 60 IN A 10.10.46.19 +biganswer.big. 60 IN A 10.10.46.20 +biganswer.big. 60 IN A 10.10.46.21 +biganswer.big. 60 IN A 10.10.46.22 +biganswer.big. 60 IN A 10.10.46.23 +biganswer.big. 60 IN A 10.10.46.24 +biganswer.big. 60 IN A 10.10.46.25 +biganswer.big. 60 IN A 10.10.46.26 +biganswer.big. 60 IN A 10.10.46.27 +biganswer.big. 60 IN A 10.10.46.28 +biganswer.big. 60 IN A 10.10.46.29 +biganswer.big. 60 IN A 10.10.46.30 +biganswer.big. 60 IN A 10.10.46.31 +biganswer.big. 60 IN A 10.10.46.32 +biganswer.big. 60 IN A 10.10.46.33 +biganswer.big. 60 IN A 10.10.46.34 +biganswer.big. 60 IN A 10.10.46.35 +biganswer.big. 60 IN A 10.10.46.36 +biganswer.big. 60 IN A 10.10.46.37 +biganswer.big. 60 IN A 10.10.46.38 +biganswer.big. 60 IN A 10.10.46.39 +biganswer.big. 60 IN A 10.10.46.40 +biganswer.big. 60 IN A 10.10.46.41 +biganswer.big. 60 IN A 10.10.46.42 +biganswer.big. 60 IN A 10.10.46.43 +biganswer.big. 60 IN A 10.10.46.44 +biganswer.big. 60 IN A 10.10.46.45 +biganswer.big. 60 IN A 10.10.46.46 +biganswer.big. 60 IN A 10.10.46.47 +biganswer.big. 60 IN A 10.10.46.48 +biganswer.big. 60 IN A 10.10.46.49 +biganswer.big. 60 IN A 10.10.46.50 +biganswer.big. 60 IN A 10.10.47.1 +biganswer.big. 60 IN A 10.10.47.2 +biganswer.big. 60 IN A 10.10.47.3 +biganswer.big. 60 IN A 10.10.47.4 +biganswer.big. 60 IN A 10.10.47.5 +biganswer.big. 60 IN A 10.10.47.6 +biganswer.big. 60 IN A 10.10.47.7 +biganswer.big. 60 IN A 10.10.47.8 +biganswer.big. 60 IN A 10.10.47.9 +biganswer.big. 60 IN A 10.10.47.10 +biganswer.big. 60 IN A 10.10.47.11 +biganswer.big. 60 IN A 10.10.47.12 +biganswer.big. 60 IN A 10.10.47.13 +biganswer.big. 60 IN A 10.10.47.14 +biganswer.big. 60 IN A 10.10.47.15 +biganswer.big. 60 IN A 10.10.47.16 +biganswer.big. 60 IN A 10.10.47.17 +biganswer.big. 60 IN A 10.10.47.18 +biganswer.big. 60 IN A 10.10.47.19 +biganswer.big. 60 IN A 10.10.47.20 +biganswer.big. 60 IN A 10.10.47.21 +biganswer.big. 60 IN A 10.10.47.22 +biganswer.big. 60 IN A 10.10.47.23 +biganswer.big. 60 IN A 10.10.47.24 +biganswer.big. 60 IN A 10.10.47.25 +biganswer.big. 60 IN A 10.10.47.26 +biganswer.big. 60 IN A 10.10.47.27 +biganswer.big. 60 IN A 10.10.47.28 +biganswer.big. 60 IN A 10.10.47.29 +biganswer.big. 60 IN A 10.10.47.30 +biganswer.big. 60 IN A 10.10.47.31 +biganswer.big. 60 IN A 10.10.47.32 +biganswer.big. 60 IN A 10.10.47.33 +biganswer.big. 60 IN A 10.10.47.34 +biganswer.big. 60 IN A 10.10.47.35 +biganswer.big. 60 IN A 10.10.47.36 +biganswer.big. 60 IN A 10.10.47.37 +biganswer.big. 60 IN A 10.10.47.38 +biganswer.big. 60 IN A 10.10.47.39 +biganswer.big. 60 IN A 10.10.47.40 +biganswer.big. 60 IN A 10.10.47.41 +biganswer.big. 60 IN A 10.10.47.42 +biganswer.big. 60 IN A 10.10.47.43 +biganswer.big. 60 IN A 10.10.47.44 +biganswer.big. 60 IN A 10.10.47.45 +biganswer.big. 60 IN A 10.10.47.46 +biganswer.big. 60 IN A 10.10.47.47 +biganswer.big. 60 IN A 10.10.47.48 +biganswer.big. 60 IN A 10.10.47.49 +biganswer.big. 60 IN A 10.10.47.50 +biganswer.big. 60 IN A 10.10.48.1 +biganswer.big. 60 IN A 10.10.48.2 +biganswer.big. 60 IN A 10.10.48.3 +biganswer.big. 60 IN A 10.10.48.4 +biganswer.big. 60 IN A 10.10.48.5 +biganswer.big. 60 IN A 10.10.48.6 +biganswer.big. 60 IN A 10.10.48.7 +biganswer.big. 60 IN A 10.10.48.8 +biganswer.big. 60 IN A 10.10.48.9 +biganswer.big. 60 IN A 10.10.48.10 +biganswer.big. 60 IN A 10.10.48.11 +biganswer.big. 60 IN A 10.10.48.12 +biganswer.big. 60 IN A 10.10.48.13 +biganswer.big. 60 IN A 10.10.48.14 +biganswer.big. 60 IN A 10.10.48.15 +biganswer.big. 60 IN A 10.10.48.16 +biganswer.big. 60 IN A 10.10.48.17 +biganswer.big. 60 IN A 10.10.48.18 +biganswer.big. 60 IN A 10.10.48.19 +biganswer.big. 60 IN A 10.10.48.20 +biganswer.big. 60 IN A 10.10.48.21 +biganswer.big. 60 IN A 10.10.48.22 +biganswer.big. 60 IN A 10.10.48.23 +biganswer.big. 60 IN A 10.10.48.24 +biganswer.big. 60 IN A 10.10.48.25 +biganswer.big. 60 IN A 10.10.48.26 +biganswer.big. 60 IN A 10.10.48.27 +biganswer.big. 60 IN A 10.10.48.28 +biganswer.big. 60 IN A 10.10.48.29 +biganswer.big. 60 IN A 10.10.48.30 +biganswer.big. 60 IN A 10.10.48.31 +biganswer.big. 60 IN A 10.10.48.32 +biganswer.big. 60 IN A 10.10.48.33 +biganswer.big. 60 IN A 10.10.48.34 +biganswer.big. 60 IN A 10.10.48.35 +biganswer.big. 60 IN A 10.10.48.36 +biganswer.big. 60 IN A 10.10.48.37 +biganswer.big. 60 IN A 10.10.48.38 +biganswer.big. 60 IN A 10.10.48.39 +biganswer.big. 60 IN A 10.10.48.40 +biganswer.big. 60 IN A 10.10.48.41 +biganswer.big. 60 IN A 10.10.48.42 +biganswer.big. 60 IN A 10.10.48.43 +biganswer.big. 60 IN A 10.10.48.44 +biganswer.big. 60 IN A 10.10.48.45 +biganswer.big. 60 IN A 10.10.48.46 +biganswer.big. 60 IN A 10.10.48.47 +biganswer.big. 60 IN A 10.10.48.48 +biganswer.big. 60 IN A 10.10.48.49 +biganswer.big. 60 IN A 10.10.48.50 +biganswer.big. 60 IN A 10.10.49.1 +biganswer.big. 60 IN A 10.10.49.2 +biganswer.big. 60 IN A 10.10.49.3 +biganswer.big. 60 IN A 10.10.49.4 +biganswer.big. 60 IN A 10.10.49.5 +biganswer.big. 60 IN A 10.10.49.6 +biganswer.big. 60 IN A 10.10.49.7 +biganswer.big. 60 IN A 10.10.49.8 +biganswer.big. 60 IN A 10.10.49.9 +biganswer.big. 60 IN A 10.10.49.10 +biganswer.big. 60 IN A 10.10.49.11 +biganswer.big. 60 IN A 10.10.49.12 +biganswer.big. 60 IN A 10.10.49.13 +biganswer.big. 60 IN A 10.10.49.14 +biganswer.big. 60 IN A 10.10.49.15 +biganswer.big. 60 IN A 10.10.49.16 +biganswer.big. 60 IN A 10.10.49.17 +biganswer.big. 60 IN A 10.10.49.18 +biganswer.big. 60 IN A 10.10.49.19 +biganswer.big. 60 IN A 10.10.49.20 +biganswer.big. 60 IN A 10.10.49.21 +biganswer.big. 60 IN A 10.10.49.22 +biganswer.big. 60 IN A 10.10.49.23 +biganswer.big. 60 IN A 10.10.49.24 +biganswer.big. 60 IN A 10.10.49.25 +biganswer.big. 60 IN A 10.10.49.26 +biganswer.big. 60 IN A 10.10.49.27 +biganswer.big. 60 IN A 10.10.49.28 +biganswer.big. 60 IN A 10.10.49.29 +biganswer.big. 60 IN A 10.10.49.30 +biganswer.big. 60 IN A 10.10.49.31 +biganswer.big. 60 IN A 10.10.49.32 +biganswer.big. 60 IN A 10.10.49.33 +biganswer.big. 60 IN A 10.10.49.34 +biganswer.big. 60 IN A 10.10.49.35 +biganswer.big. 60 IN A 10.10.49.36 +biganswer.big. 60 IN A 10.10.49.37 +biganswer.big. 60 IN A 10.10.49.38 +biganswer.big. 60 IN A 10.10.49.39 +biganswer.big. 60 IN A 10.10.49.40 +biganswer.big. 60 IN A 10.10.49.41 +biganswer.big. 60 IN A 10.10.49.42 +biganswer.big. 60 IN A 10.10.49.43 +biganswer.big. 60 IN A 10.10.49.44 +biganswer.big. 60 IN A 10.10.49.45 +biganswer.big. 60 IN A 10.10.49.46 +biganswer.big. 60 IN A 10.10.49.47 +biganswer.big. 60 IN A 10.10.49.48 +biganswer.big. 60 IN A 10.10.49.49 +biganswer.big. 60 IN A 10.10.49.50 +biganswer.big. 60 IN A 10.10.50.1 +biganswer.big. 60 IN A 10.10.50.2 +biganswer.big. 60 IN A 10.10.50.3 +biganswer.big. 60 IN A 10.10.50.4 +biganswer.big. 60 IN A 10.10.50.5 +biganswer.big. 60 IN A 10.10.50.6 +biganswer.big. 60 IN A 10.10.50.7 +biganswer.big. 60 IN A 10.10.50.8 +biganswer.big. 60 IN A 10.10.50.9 +biganswer.big. 60 IN A 10.10.50.10 +biganswer.big. 60 IN A 10.10.50.11 +biganswer.big. 60 IN A 10.10.50.12 +biganswer.big. 60 IN A 10.10.50.13 +biganswer.big. 60 IN A 10.10.50.14 +biganswer.big. 60 IN A 10.10.50.15 +biganswer.big. 60 IN A 10.10.50.16 +biganswer.big. 60 IN A 10.10.50.17 +biganswer.big. 60 IN A 10.10.50.18 +biganswer.big. 60 IN A 10.10.50.19 +biganswer.big. 60 IN A 10.10.50.20 +biganswer.big. 60 IN A 10.10.50.21 +biganswer.big. 60 IN A 10.10.50.22 +biganswer.big. 60 IN A 10.10.50.23 +biganswer.big. 60 IN A 10.10.50.24 +biganswer.big. 60 IN A 10.10.50.25 +biganswer.big. 60 IN A 10.10.50.26 +biganswer.big. 60 IN A 10.10.50.27 +biganswer.big. 60 IN A 10.10.50.28 +biganswer.big. 60 IN A 10.10.50.29 +biganswer.big. 60 IN A 10.10.50.30 +biganswer.big. 60 IN A 10.10.50.31 +biganswer.big. 60 IN A 10.10.50.32 +biganswer.big. 60 IN A 10.10.50.33 +biganswer.big. 60 IN A 10.10.50.34 +biganswer.big. 60 IN A 10.10.50.35 +biganswer.big. 60 IN A 10.10.50.36 +biganswer.big. 60 IN A 10.10.50.37 +biganswer.big. 60 IN A 10.10.50.38 +biganswer.big. 60 IN A 10.10.50.39 +biganswer.big. 60 IN A 10.10.50.40 +biganswer.big. 60 IN A 10.10.50.41 +biganswer.big. 60 IN A 10.10.50.42 +biganswer.big. 60 IN A 10.10.50.43 +biganswer.big. 60 IN A 10.10.50.44 +biganswer.big. 60 IN A 10.10.50.45 +biganswer.big. 60 IN A 10.10.50.46 +biganswer.big. 60 IN A 10.10.50.47 +biganswer.big. 60 IN A 10.10.50.48 +biganswer.big. 60 IN A 10.10.50.49 +biganswer.big. 60 IN A 10.10.50.50 diff --git a/bin/tests/system/reclimit/ns1/named.conf.in b/bin/tests/system/reclimit/ns1/named.conf.in index 63cb706883..c56c0dbf55 100644 --- a/bin/tests/system/reclimit/ns1/named.conf.in +++ b/bin/tests/system/reclimit/ns1/named.conf.in @@ -22,6 +22,12 @@ options { listen-on-v6 { none; }; recursion no; dnssec-validation no; + max-records-per-type 0; }; zone "." { type primary; file "root.db"; }; + +zone "big." { + type primary; + file "big.db"; +}; diff --git a/bin/tests/system/reclimit/ns1/root.db b/bin/tests/system/reclimit/ns1/root.db index 412715cc64..30e175b335 100644 --- a/bin/tests/system/reclimit/ns1/root.db +++ b/bin/tests/system/reclimit/ns1/root.db @@ -19,3 +19,6 @@ example.net. 60 IN NS direct.example.net. direct.example.net. 60 IN A 10.53.0.2 example.com. 60 IN NS direct.example.com. direct.example.com. 60 IN A 10.53.0.4 + +big. in NS ns.big. +ns.big. 60 IN A 10.53.0.1 diff --git a/bin/tests/system/reclimit/ns3/named5.conf.in b/bin/tests/system/reclimit/ns3/named5.conf.in new file mode 100644 index 0000000000..56f704a3c0 --- /dev/null +++ b/bin/tests/system/reclimit/ns3/named5.conf.in @@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + directory "."; + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + servfail-ttl 0; + qname-minimization disabled; + max-recursion-depth 12; + recursion yes; + dnssec-validation yes; + max-records-per-type 0; +}; + +trust-anchors { }; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints.db"; }; diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh index 4212e2d590..42e98d90aa 100644 --- a/bin/tests/system/reclimit/tests.sh +++ b/bin/tests/system/reclimit/tests.sh @@ -222,6 +222,16 @@ eval count=$(cat dig.out.3.test$n) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -#grep "duplicate query" ns3/named.run +n=$((n + 1)) +echo_i "checking RRset that exceeds max-records-per-type ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.3 biganswer.big >dig.out.1.test$n || ret=1 +grep 'status: SERVFAIL' dig.out.1.test$n >/dev/null || ret=1 +ns3_reset ns3/named5.conf.in +$DIG $DIGOPTS @10.53.0.3 biganswer.big >dig.out.2.test$n || ret=1 +grep 'status: NOERROR' dig.out.2.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From 52b3d86ef0bb926a0ddd87da5f986a13a6c6d106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Sat, 25 May 2024 11:46:56 +0200 Subject: [PATCH 04/19] Add a limit to the number of RR types for single name Previously, the number of RR types for a single owner name was limited only by the maximum number of the types (64k). As the data structure that holds the RR types for the database node is just a linked list, and there are places where we just walk through the whole list (again and again), adding a large number of RR types for a single owner named with would slow down processing of such name (database node). Add a configurable limit to cap the number of the RR types for a single owner. This is enforced at the database (rbtdb, qpzone, qpcache) level and configured with new max-types-per-name configuration option that can be configured globally, per-view and per-zone. --- bin/named/config.c | 1 + bin/named/server.c | 9 +++++++++ bin/named/zoneconf.c | 8 ++++++++ doc/arm/reference.rst | 15 +++++++++++++++ doc/misc/mirror.zoneopt | 1 + doc/misc/options | 2 ++ doc/misc/primary.zoneopt | 1 + doc/misc/redirect.zoneopt | 1 + doc/misc/secondary.zoneopt | 1 + doc/misc/static-stub.zoneopt | 1 + doc/misc/stub.zoneopt | 1 + lib/dns/cache.c | 12 ++++++++++++ lib/dns/db.c | 9 +++++++++ lib/dns/include/dns/cache.h | 6 ++++++ lib/dns/include/dns/db.h | 18 +++++++++++++++--- lib/dns/include/dns/view.h | 7 +++++++ lib/dns/include/dns/zone.h | 13 +++++++++++++ lib/dns/qpcache.c | 28 +++++++++++++++++++++++++++- lib/dns/qpzone.c | 24 +++++++++++++++++++++++- lib/dns/rbt-cachedb.c | 1 + lib/dns/rbt-zonedb.c | 1 + lib/dns/rbtdb.c | 23 +++++++++++++++++++++++ lib/dns/rbtdb_p.h | 9 ++++++++- lib/dns/view.c | 10 ++++++++++ lib/dns/zone.c | 15 +++++++++++++++ lib/isccfg/namedconf.c | 3 +++ 26 files changed, 214 insertions(+), 6 deletions(-) diff --git a/bin/named/config.c b/bin/named/config.c index 1943eb1879..732e28e606 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -225,6 +225,7 @@ options {\n\ max-records-per-type 100;\n\ max-refresh-time 2419200; /* 4 weeks */\n\ max-retry-time 1209600; /* 2 weeks */\n\ + max-types-per-name 100;\n\ max-transfer-idle-in 60;\n\ max-transfer-idle-out 60;\n\ max-transfer-time-in 120;\n\ diff --git a/bin/named/server.c b/bin/named/server.c index 6bcd0b5d56..c41f5d9b24 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -5463,6 +5463,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, INSIST(result == ISC_R_SUCCESS); dns_view_setmaxrrperset(view, cfg_obj_asuint32(obj)); + /* + * This is used for the cache and also as a default value + * for zone databases. + */ + obj = NULL; + result = named_config_get(maps, "max-types-per-name", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_view_setmaxtypepername(view, cfg_obj_asuint32(obj)); + obj = NULL; result = named_config_get(maps, "max-recursion-depth", &obj); INSIST(result == ISC_R_SUCCESS); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index f6646e3819..d9b0b90eb3 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1082,6 +1082,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setmaxrrperset(zone, 0); } + obj = NULL; + result = named_config_get(maps, "max-types-per-name", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + dns_zone_setmaxtypepername(mayberaw, cfg_obj_asuint32(obj)); + if (zone != mayberaw) { + dns_zone_setmaxtypepername(zone, 0); + } + if (raw != NULL && filename != NULL) { #define SIGNED ".signed" size_t signedlen = strlen(filename) + sizeof(SIGNED); diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 0decf3a6e0..1129dce66c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3696,6 +3696,21 @@ system. a failure. If set to 0, there is no cap on RRset size. The default is 100. +.. namedconf:statement:: max-types-per-name + :tags: server + :short: Sets the maximum number of RR types that can be stored for an owner name + + This sets the maximum number of resource record types that can be stored + for a single owner name in a database. When configured in :namedconf:ref:`options` + or :namedconf:ref:`view`, it controls the cache database, and also sets + the default value for zone databases, which can be overridden by setting + it at the :namedconf:ref:`zone` level + + If set to a positive value, any attempt to cache or to add to a zone an owner + name with more than the specified number of resource record types will result + in a failure. If set to 0, there is no cap on RR types number. The default is + 100. + .. namedconf:statement:: recursive-clients :tags: query :short: Specifies the maximum number of concurrent recursive queries the server can perform. diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt index 4238e689f5..e7cb0b9ccb 100644 --- a/doc/misc/mirror.zoneopt +++ b/doc/misc/mirror.zoneopt @@ -23,6 +23,7 @@ zone [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; + max-types-per-name ; min-refresh-time ; min-retry-time ; multi-master ; diff --git a/doc/misc/options b/doc/misc/options index 261d46d093..de24eef2c2 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -194,6 +194,7 @@ options { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; + max-types-per-name ; max-udp-size ; max-validation-failures-per-fetch ; // experimental max-validations-per-fetch ; // experimental @@ -479,6 +480,7 @@ view [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; + max-types-per-name ; max-udp-size ; max-validation-failures-per-fetch ; // experimental max-validations-per-fetch ; // experimental diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt index 6586686300..7b351064fe 100644 --- a/doc/misc/primary.zoneopt +++ b/doc/misc/primary.zoneopt @@ -40,6 +40,7 @@ zone [ ] { max-records-per-type ; max-transfer-idle-out ; max-transfer-time-out ; + max-types-per-name ; max-zone-ttl ( unlimited | ); // deprecated notify ( explicit | master-only | primary-only | ); notify-delay ; diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt index b389f6eede..5faa1e6ddd 100644 --- a/doc/misc/redirect.zoneopt +++ b/doc/misc/redirect.zoneopt @@ -8,6 +8,7 @@ zone [ ] { masterfile-style ( full | relative ); max-records ; max-records-per-type ; + max-types-per-name ; max-zone-ttl ( unlimited | ); // deprecated primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; zone-statistics ( full | terse | none | ); diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt index 4ded7c8e19..610d32f262 100644 --- a/doc/misc/secondary.zoneopt +++ b/doc/misc/secondary.zoneopt @@ -35,6 +35,7 @@ zone [ ] { max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; + max-types-per-name ; min-refresh-time ; min-retry-time ; multi-master ; diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt index 5f68d83c52..40a340f629 100644 --- a/doc/misc/static-stub.zoneopt +++ b/doc/misc/static-stub.zoneopt @@ -6,6 +6,7 @@ zone [ ] { forwarders [ port ] [ tls ] { ( | ) [ port ] [ tls ]; ... }; max-records ; max-records-per-type ; + max-types-per-name ; server-addresses { ( | ); ... }; server-names { ; ... }; zone-statistics ( full | terse | none | ); diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt index 8d0537b136..992aa51e96 100644 --- a/doc/misc/stub.zoneopt +++ b/doc/misc/stub.zoneopt @@ -16,6 +16,7 @@ zone [ ] { max-retry-time ; max-transfer-idle-in ; max-transfer-time-in ; + max-types-per-name ; min-refresh-time ; min-retry-time ; multi-master ; diff --git a/lib/dns/cache.c b/lib/dns/cache.c index 52d92037d3..24e2d4f205 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -81,6 +81,7 @@ struct dns_cache { dns_ttl_t serve_stale_refresh; isc_stats_t *stats; uint32_t maxrrperset; + uint32_t maxtypepername; }; /*** @@ -130,6 +131,7 @@ cache_create_db(dns_cache_t *cache, dns_db_t **dbp, isc_mem_t **tmctxp, dns_db_setservestalettl(db, cache->serve_stale_ttl); dns_db_setservestalerefresh(db, cache->serve_stale_refresh); dns_db_setmaxrrperset(db, cache->maxrrperset); + dns_db_setmaxtypepername(db, cache->maxtypepername); /* * XXX this is only used by the RBT cache, and can @@ -558,6 +560,16 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value) { } } +void +dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value) { + REQUIRE(VALID_CACHE(cache)); + + cache->maxtypepername = value; + if (cache->db != NULL) { + dns_db_setmaxtypepername(cache->db, value); + } +} + /* * XXX: Much of the following code has been copied in from statschannel.c. * We should refactor this into a generic function in stats.c that can be diff --git a/lib/dns/db.c b/lib/dns/db.c index 3f3ca0ede1..ce27fce8c1 100644 --- a/lib/dns/db.c +++ b/lib/dns/db.c @@ -1179,3 +1179,12 @@ dns_db_setmaxrrperset(dns_db_t *db, uint32_t value) { (db->methods->setmaxrrperset)(db, value); } } + +void +dns_db_setmaxtypepername(dns_db_t *db, uint32_t value) { + REQUIRE(DNS_DB_VALID(db)); + + if (db->methods->setmaxtypepername != NULL) { + (db->methods->setmaxtypepername)(db, value); + } +} diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h index 738ab4cfe0..c629ab26c4 100644 --- a/lib/dns/include/dns/cache.h +++ b/lib/dns/include/dns/cache.h @@ -252,6 +252,12 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value); * Set the maximum resource records per RRSet that can be cached. */ +void +dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value); +/*%< + * Set the maximum resource record types per owner name that can be cached. + */ + #ifdef HAVE_LIBXML2 int dns_cache_renderxml(dns_cache_t *cache, void *writer0); diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index 96f9d58a12..254b7d38e5 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -184,6 +184,7 @@ typedef struct dns_dbmethods { isc_result_t (*nodefullname)(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name); void (*setmaxrrperset)(dns_db_t *db, uint32_t value); + void (*setmaxtypepername)(dns_db_t *db, uint32_t value); } dns_dbmethods_t; typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx, @@ -1805,8 +1806,19 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name); void dns_db_setmaxrrperset(dns_db_t *db, uint32_t value); /*%< - * Set the maximum permissible number of RRs per RRset. If 'value' - * is nonzero, then any subsequent attempt to add an rdataset with - * more than 'value' RRs will return ISC_R_TOOMANYRECORDS. + * Set the maximum permissible number of RRs per RRset. + * + * If 'value' is nonzero, then any subsequent attempt to add an rdataset + * with more than 'value' RRs will return ISC_R_TOOMANYRECORDS. + */ + +void +dns_db_setmaxtypepername(dns_db_t *db, uint32_t value); +/*%< + * Set the maximum permissible number of RR types per owner name. + * + * If 'value' is nonzero, and if there are already 'value' RR types + * stored at a given node, then any subsequent attempt to add an rdataset + * with a new RR type will return ISC_R_TOOMANYRECORDS. */ ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index e97835f8c6..ddba1e7401 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -184,6 +184,7 @@ struct dns_view { dns_badcache_t *failcache; unsigned int udpsize; uint32_t maxrrperset; + uint32_t maxtypepername; /* * Configurable data for server use only, @@ -1249,6 +1250,12 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value); * Set the maximum resource records per RRSet that can be cached. */ +void +dns_view_setmaxtypepername(dns_view_t *view, uint32_t value); +/*%< + * Set the maximum resource record types per owner name that can be cached. + */ + void dns_view_setudpsize(dns_view_t *view, uint16_t udpsize); /*%< diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index bdcff3061c..623edf162b 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -379,6 +379,19 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t maxrrperset); *\li void */ +void +dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t maxtypepername); +/*%< + * Sets the maximum number of resource record types per owner name + * permitted in a zone. 0 implies unlimited. + * + * Requires: + *\li 'zone' to be valid initialised zone. + * + * Returns: + *\li void + */ + void dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl); /*%< diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index 329decbb6f..c56bc2abe7 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -217,7 +217,8 @@ struct qpcache { /* Locked by lock. */ unsigned int active; - uint32_t maxrrperset; /* Maximum RRs per RRset */ + uint32_t maxrrperset; /* Maximum RRs per RRset */ + uint32_t maxtypepername; /* Maximum number of RR types per owner */ /* * The time after a failed lookup, where stale answers from cache @@ -2885,6 +2886,7 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_typepair_t negtype = 0, sigtype; dns_trust_t trust; int idx; + uint32_t ntypes; if ((options & DNS_DBADD_FORCE) != 0) { trust = dns_trust_ultimate; @@ -2917,6 +2919,7 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, { mark_ancient(topheader); } + ntypes = 0; /* Always add the negative entry */ goto find_header; } /* @@ -2940,9 +2943,11 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, * check for an extant non-ancient NODATA ncache * entry which covers the same type as the RRSIG. */ + ntypes = 0; for (topheader = qpnode->data; topheader != NULL; topheader = topheader->next) { + ++ntypes; if ((topheader->type == RDATATYPE_NCACHEANY) || (newheader->type == sigtype && topheader->type == @@ -2985,9 +2990,12 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, } } + ntypes = 0; for (topheader = qpnode->data; topheader != NULL; topheader = topheader->next) { + ++ntypes; + if (prio_type(topheader->type)) { prioheader = topheader; } @@ -3255,6 +3263,14 @@ find_header: /* * No rdatasets of the given type exist at the node. */ + if (trust != dns_trust_ultimate && + qpdb->maxtypepername > 0 && + ntypes >= qpdb->maxtypepername) + { + dns_slabheader_destroy(&newheader); + return (DNS_R_TOOMANYRECORDS); + } + INSIST(newheader->down == NULL); if (prio_type(newheader->type)) { @@ -4344,6 +4360,15 @@ setmaxrrperset(dns_db_t *db, uint32_t value) { qpdb->maxrrperset = value; } +static void +setmaxtypepername(dns_db_t *db, uint32_t value) { + qpcache_t *qpdb = (qpcache_t *)db; + + REQUIRE(VALID_QPDB(qpdb)); + + qpdb->maxtypepername = value; +} + static dns_dbmethods_t qpdb_cachemethods = { .destroy = qpdb_destroy, .findnode = findnode, @@ -4369,6 +4394,7 @@ static dns_dbmethods_t qpdb_cachemethods = { .expiredata = expiredata, .deletedata = deletedata, .setmaxrrperset = setmaxrrperset, + .setmaxtypepername = setmaxtypepername, }; static void diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c index da692d2538..4bcd5e2890 100644 --- a/lib/dns/qpzone.c +++ b/lib/dns/qpzone.c @@ -178,7 +178,8 @@ struct qpzonedb { uint32_t current_serial; uint32_t least_serial; uint32_t next_serial; - uint32_t maxrrperset; + uint32_t maxrrperset; /* Maximum RRs per RRset */ + uint32_t maxtypepername; /* Maximum number of RR types per owner */ qpz_version_t *current_version; qpz_version_t *future_version; qpz_versionlist_t open_versions; @@ -1834,6 +1835,7 @@ add(qpzonedb_t *qpdb, qpznode_t *node, const dns_name_t *nodename, unsigned char *merged = NULL; isc_result_t result; bool merge = false; + uint32_t ntypes; if ((options & DNS_DBADD_MERGE) != 0) { REQUIRE(version != NULL); @@ -1849,9 +1851,11 @@ add(qpzonedb_t *qpdb, qpznode_t *node, const dns_name_t *nodename, changed = add_changed(newheader, version DNS__DB_FLARG_PASS); } + ntypes = 0; for (topheader = node->data; topheader != NULL; topheader = topheader->next) { + ++ntypes; if (prio_type(topheader->type)) { prioheader = topheader; } @@ -2018,6 +2022,14 @@ add(qpzonedb_t *qpdb, qpznode_t *node, const dns_name_t *nodename, /* * No rdatasets of the given type exist at the node. */ + + if (qpdb->maxtypepername > 0 && + ntypes >= qpdb->maxtypepername) + { + dns_slabheader_destroy(&newheader); + return (DNS_R_TOOMANYRECORDS); + } + INSIST(newheader->down == NULL); if (prio_type(newheader->type)) { @@ -5290,6 +5302,15 @@ setmaxrrperset(dns_db_t *db, uint32_t value) { qpdb->maxrrperset = value; } +static void +setmaxtypepername(dns_db_t *db, uint32_t value) { + qpzonedb_t *qpdb = (qpzonedb_t *)db; + + REQUIRE(VALID_QPZONE(qpdb)); + + qpdb->maxtypepername = value; +} + static dns_dbmethods_t qpdb_zonemethods = { .destroy = qpdb_destroy, .beginload = beginload, @@ -5324,6 +5345,7 @@ static dns_dbmethods_t qpdb_zonemethods = { .deletedata = deletedata, .nodefullname = nodefullname, .setmaxrrperset = setmaxrrperset, + .setmaxtypepername = setmaxtypepername, }; static void diff --git a/lib/dns/rbt-cachedb.c b/lib/dns/rbt-cachedb.c index 779eb143d6..1f252eaef4 100644 --- a/lib/dns/rbt-cachedb.c +++ b/lib/dns/rbt-cachedb.c @@ -1583,6 +1583,7 @@ dns_dbmethods_t dns__rbtdb_cachemethods = { .expiredata = expiredata, .deletedata = dns__rbtdb_deletedata, .setmaxrrperset = dns__rbtdb_setmaxrrperset, + .setmaxtypepername = dns__rbtdb_setmaxtypepername, }; /* diff --git a/lib/dns/rbt-zonedb.c b/lib/dns/rbt-zonedb.c index 93b71b9a98..5f29bdafe5 100644 --- a/lib/dns/rbt-zonedb.c +++ b/lib/dns/rbt-zonedb.c @@ -2420,6 +2420,7 @@ dns_dbmethods_t dns__rbtdb_zonemethods = { .deletedata = dns__rbtdb_deletedata, .nodefullname = dns__rbtdb_nodefullname, .setmaxrrperset = dns__rbtdb_setmaxrrperset, + .setmaxtypepername = dns__rbtdb_setmaxtypepername, }; void diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 71ac5c1951..deadde73c7 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -2566,6 +2566,7 @@ dns__rbtdb_add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, dns_typepair_t negtype = 0, sigtype; dns_trust_t trust; int idx; + uint32_t ntypes = 0; if ((options & DNS_DBADD_MERGE) != 0) { REQUIRE(rbtversion != NULL); @@ -2618,6 +2619,7 @@ dns__rbtdb_add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, { mark_ancient(topheader); } + ntypes = 0; /* Always add the negative entry */ goto find_header; } /* @@ -2641,9 +2643,11 @@ dns__rbtdb_add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, * check for an extant non-ancient NODATA ncache * entry which covers the same type as the RRSIG. */ + ntypes = 0; for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { + ++ntypes; if ((topheader->type == RDATATYPE_NCACHEANY) || (newheader->type == sigtype && topheader->type == @@ -2686,9 +2690,11 @@ dns__rbtdb_add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, } } + ntypes = 0; for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { + ++ntypes; if (prio_type(topheader->type)) { prioheader = topheader; } @@ -3082,6 +3088,14 @@ find_header: /* * No rdatasets of the given type exist at the node. */ + + if (rbtdb->maxtypepername > 0 && + ntypes >= rbtdb->maxtypepername) + { + dns_slabheader_destroy(&newheader); + return (DNS_R_TOOMANYRECORDS); + } + INSIST(newheader->down == NULL); if (prio_type(newheader->type)) { @@ -4968,3 +4982,12 @@ dns__rbtdb_setmaxrrperset(dns_db_t *db, uint32_t value) { rbtdb->maxrrperset = value; } + +void +dns__rbtdb_setmaxtypepername(dns_db_t *db, uint32_t maxtypepername) { + dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; + + REQUIRE(VALID_RBTDB(rbtdb)); + + rbtdb->maxtypepername = maxtypepername; +} diff --git a/lib/dns/rbtdb_p.h b/lib/dns/rbtdb_p.h index fe06b30b13..cee0499a51 100644 --- a/lib/dns/rbtdb_p.h +++ b/lib/dns/rbtdb_p.h @@ -115,6 +115,7 @@ struct dns_rbtdb { uint32_t least_serial; uint32_t next_serial; uint32_t maxrrperset; + uint32_t maxtypepername; dns_rbtdb_version_t *current_version; dns_rbtdb_version_t *future_version; rbtdb_versionlist_t open_versions; @@ -429,7 +430,13 @@ dns__rbtdb_setttl(dns_slabheader_t *header, dns_ttl_t newttl); */ void -dns__rbtdb_setmaxrrperset(dns_db_t *db, uint32_t value); +dns__rbtdb_setmaxrrperset(dns_db_t *db, uint32_t maxrrperset); +/*%< + * Set the max RRs per RRset limit. + */ + +void +dns__rbtdb_setmaxtypepername(dns_db_t *db, uint32_t maxtypepername); /*%< * Set the max RRs per RRset limit. */ diff --git a/lib/dns/view.c b/lib/dns/view.c index 15e2e303db..99d8b61b59 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -645,6 +645,7 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared) { INSIST(DNS_DB_VALID(view->cachedb)); dns_cache_setmaxrrperset(view->cache, view->maxrrperset); + dns_cache_setmaxtypepername(view->cache, view->maxtypepername); } bool @@ -2347,6 +2348,15 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value) { } } +void +dns_view_setmaxtypepername(dns_view_t *view, uint32_t value) { + REQUIRE(DNS_VIEW_VALID(view)); + view->maxtypepername = value; + if (view->cache != NULL) { + dns_cache_setmaxtypepername(view->cache, value); + } +} + void dns_view_setudpsize(dns_view_t *view, uint16_t udpsize) { REQUIRE(DNS_VIEW_VALID(view)); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6c27dfe3ec..9f152a7c02 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -319,6 +319,7 @@ struct dns_zone { uint32_t maxrecords; uint32_t maxrrperset; + uint32_t maxtypepername; dns_remote_t primaries; @@ -12068,6 +12069,16 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t val) { } } +void +dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t val) { + REQUIRE(DNS_ZONE_VALID(zone)); + + zone->maxtypepername = val; + if (zone->db != NULL) { + dns_db_setmaxtypepername(zone->db, val); + } +} + static bool notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name, isc_sockaddr_t *addr, dns_tsigkey_t *key, @@ -14470,6 +14481,8 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { } dns_db_setloop(stub->db, zone->loop); dns_db_setmaxrrperset(stub->db, zone->maxrrperset); + dns_db_setmaxtypepername(stub->db, + zone->maxtypepername); } result = dns_db_newversion(stub->db, &stub->version); @@ -17527,6 +17540,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) { zone_attachdb(zone, db); dns_db_setloop(zone->db, zone->loop); dns_db_setmaxrrperset(zone->db, zone->maxrrperset); + dns_db_setmaxtypepername(zone->db, zone->maxtypepername); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY); return (ISC_R_SUCCESS); @@ -24167,6 +24181,7 @@ dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) { dns_db_setloop(db, zone->loop); dns_db_setmaxrrperset(db, zone->maxrrperset); + dns_db_setmaxtypepername(db, zone->maxtypepername); *dbp = db; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 528a52de05..18b40fab7f 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2375,6 +2375,9 @@ static cfg_clausedef_t zone_clauses[] = { { "max-records-per-type", &cfg_type_uint32, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, + { "max-types-per-name", &cfg_type_uint32, + CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | + CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT }, { "max-refresh-time", &cfg_type_uint32, CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "max-retry-time", &cfg_type_uint32, From 86aa4674abf91091edbc0816c31052c1d2712a4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 28 May 2024 15:23:24 +0200 Subject: [PATCH 05/19] Add a test for not caching large number of RRsets Send a recursive query for a large number of RRsets, which should fail when using the default max-types-per-name setting of 100, but succeed when the cap is disabled. --- bin/tests/system/reclimit/ns1/big.db | 256 +++++++++++++++++++ bin/tests/system/reclimit/ns1/named.conf.in | 1 + bin/tests/system/reclimit/ns3/named5.conf.in | 1 + bin/tests/system/reclimit/ns3/named6.conf.in | 43 ++++ bin/tests/system/reclimit/tests.sh | 34 +++ 5 files changed, 335 insertions(+) create mode 100644 bin/tests/system/reclimit/ns3/named6.conf.in diff --git a/bin/tests/system/reclimit/ns1/big.db b/bin/tests/system/reclimit/ns1/big.db index bddceb76e7..c256594c78 100644 --- a/bin/tests/system/reclimit/ns1/big.db +++ b/bin/tests/system/reclimit/ns1/big.db @@ -2513,3 +2513,259 @@ biganswer.big. 60 IN A 10.10.50.47 biganswer.big. 60 IN A 10.10.50.48 biganswer.big. 60 IN A 10.10.50.49 biganswer.big. 60 IN A 10.10.50.50 + +manytypes.big. IN TYPE65280 \# 0 +manytypes.big. IN TYPE65281 \# 0 +manytypes.big. IN TYPE65282 \# 0 +manytypes.big. IN TYPE65283 \# 0 +manytypes.big. IN TYPE65284 \# 0 +manytypes.big. IN TYPE65285 \# 0 +manytypes.big. IN TYPE65286 \# 0 +manytypes.big. IN TYPE65287 \# 0 +manytypes.big. IN TYPE65288 \# 0 +manytypes.big. IN TYPE65289 \# 0 +manytypes.big. IN TYPE65290 \# 0 +manytypes.big. IN TYPE65291 \# 0 +manytypes.big. IN TYPE65292 \# 0 +manytypes.big. IN TYPE65293 \# 0 +manytypes.big. IN TYPE65294 \# 0 +manytypes.big. IN TYPE65295 \# 0 +manytypes.big. IN TYPE65296 \# 0 +manytypes.big. IN TYPE65297 \# 0 +manytypes.big. IN TYPE65298 \# 0 +manytypes.big. IN TYPE65299 \# 0 +manytypes.big. IN TYPE65300 \# 0 +manytypes.big. IN TYPE65301 \# 0 +manytypes.big. IN TYPE65302 \# 0 +manytypes.big. IN TYPE65303 \# 0 +manytypes.big. IN TYPE65304 \# 0 +manytypes.big. IN TYPE65305 \# 0 +manytypes.big. IN TYPE65306 \# 0 +manytypes.big. IN TYPE65307 \# 0 +manytypes.big. IN TYPE65308 \# 0 +manytypes.big. IN TYPE65309 \# 0 +manytypes.big. IN TYPE65310 \# 0 +manytypes.big. IN TYPE65311 \# 0 +manytypes.big. IN TYPE65312 \# 0 +manytypes.big. IN TYPE65313 \# 0 +manytypes.big. IN TYPE65314 \# 0 +manytypes.big. IN TYPE65315 \# 0 +manytypes.big. IN TYPE65316 \# 0 +manytypes.big. IN TYPE65317 \# 0 +manytypes.big. IN TYPE65318 \# 0 +manytypes.big. IN TYPE65319 \# 0 +manytypes.big. IN TYPE65320 \# 0 +manytypes.big. IN TYPE65321 \# 0 +manytypes.big. IN TYPE65322 \# 0 +manytypes.big. IN TYPE65323 \# 0 +manytypes.big. IN TYPE65324 \# 0 +manytypes.big. IN TYPE65325 \# 0 +manytypes.big. IN TYPE65326 \# 0 +manytypes.big. IN TYPE65327 \# 0 +manytypes.big. IN TYPE65328 \# 0 +manytypes.big. IN TYPE65329 \# 0 +manytypes.big. IN TYPE65330 \# 0 +manytypes.big. IN TYPE65331 \# 0 +manytypes.big. IN TYPE65332 \# 0 +manytypes.big. IN TYPE65333 \# 0 +manytypes.big. IN TYPE65334 \# 0 +manytypes.big. IN TYPE65335 \# 0 +manytypes.big. IN TYPE65336 \# 0 +manytypes.big. IN TYPE65337 \# 0 +manytypes.big. IN TYPE65338 \# 0 +manytypes.big. IN TYPE65339 \# 0 +manytypes.big. IN TYPE65340 \# 0 +manytypes.big. IN TYPE65341 \# 0 +manytypes.big. IN TYPE65342 \# 0 +manytypes.big. IN TYPE65343 \# 0 +manytypes.big. IN TYPE65344 \# 0 +manytypes.big. IN TYPE65345 \# 0 +manytypes.big. IN TYPE65346 \# 0 +manytypes.big. IN TYPE65347 \# 0 +manytypes.big. IN TYPE65348 \# 0 +manytypes.big. IN TYPE65349 \# 0 +manytypes.big. IN TYPE65350 \# 0 +manytypes.big. IN TYPE65351 \# 0 +manytypes.big. IN TYPE65352 \# 0 +manytypes.big. IN TYPE65353 \# 0 +manytypes.big. IN TYPE65354 \# 0 +manytypes.big. IN TYPE65355 \# 0 +manytypes.big. IN TYPE65356 \# 0 +manytypes.big. IN TYPE65357 \# 0 +manytypes.big. IN TYPE65358 \# 0 +manytypes.big. IN TYPE65359 \# 0 +manytypes.big. IN TYPE65360 \# 0 +manytypes.big. IN TYPE65361 \# 0 +manytypes.big. IN TYPE65362 \# 0 +manytypes.big. IN TYPE65363 \# 0 +manytypes.big. IN TYPE65364 \# 0 +manytypes.big. IN TYPE65365 \# 0 +manytypes.big. IN TYPE65366 \# 0 +manytypes.big. IN TYPE65367 \# 0 +manytypes.big. IN TYPE65368 \# 0 +manytypes.big. IN TYPE65369 \# 0 +manytypes.big. IN TYPE65370 \# 0 +manytypes.big. IN TYPE65371 \# 0 +manytypes.big. IN TYPE65372 \# 0 +manytypes.big. IN TYPE65373 \# 0 +manytypes.big. IN TYPE65374 \# 0 +manytypes.big. IN TYPE65375 \# 0 +manytypes.big. IN TYPE65376 \# 0 +manytypes.big. IN TYPE65377 \# 0 +manytypes.big. IN TYPE65378 \# 0 +manytypes.big. IN TYPE65379 \# 0 +manytypes.big. IN TYPE65380 \# 0 +manytypes.big. IN TYPE65381 \# 0 +manytypes.big. IN TYPE65382 \# 0 +manytypes.big. IN TYPE65383 \# 0 +manytypes.big. IN TYPE65384 \# 0 +manytypes.big. IN TYPE65385 \# 0 +manytypes.big. IN TYPE65386 \# 0 +manytypes.big. IN TYPE65387 \# 0 +manytypes.big. IN TYPE65388 \# 0 +manytypes.big. IN TYPE65389 \# 0 +manytypes.big. IN TYPE65390 \# 0 +manytypes.big. IN TYPE65391 \# 0 +manytypes.big. IN TYPE65392 \# 0 +manytypes.big. IN TYPE65393 \# 0 +manytypes.big. IN TYPE65394 \# 0 +manytypes.big. IN TYPE65395 \# 0 +manytypes.big. IN TYPE65396 \# 0 +manytypes.big. IN TYPE65397 \# 0 +manytypes.big. IN TYPE65398 \# 0 +manytypes.big. IN TYPE65399 \# 0 +manytypes.big. IN TYPE65400 \# 0 +manytypes.big. IN TYPE65401 \# 0 +manytypes.big. IN TYPE65402 \# 0 +manytypes.big. IN TYPE65403 \# 0 +manytypes.big. IN TYPE65404 \# 0 +manytypes.big. IN TYPE65405 \# 0 +manytypes.big. IN TYPE65406 \# 0 +manytypes.big. IN TYPE65407 \# 0 +manytypes.big. IN TYPE65408 \# 0 +manytypes.big. IN TYPE65409 \# 0 +manytypes.big. IN TYPE65410 \# 0 +manytypes.big. IN TYPE65411 \# 0 +manytypes.big. IN TYPE65412 \# 0 +manytypes.big. IN TYPE65413 \# 0 +manytypes.big. IN TYPE65414 \# 0 +manytypes.big. IN TYPE65415 \# 0 +manytypes.big. IN TYPE65416 \# 0 +manytypes.big. IN TYPE65417 \# 0 +manytypes.big. IN TYPE65418 \# 0 +manytypes.big. IN TYPE65419 \# 0 +manytypes.big. IN TYPE65420 \# 0 +manytypes.big. IN TYPE65421 \# 0 +manytypes.big. IN TYPE65422 \# 0 +manytypes.big. IN TYPE65423 \# 0 +manytypes.big. IN TYPE65424 \# 0 +manytypes.big. IN TYPE65425 \# 0 +manytypes.big. IN TYPE65426 \# 0 +manytypes.big. IN TYPE65427 \# 0 +manytypes.big. IN TYPE65428 \# 0 +manytypes.big. IN TYPE65429 \# 0 +manytypes.big. IN TYPE65430 \# 0 +manytypes.big. IN TYPE65431 \# 0 +manytypes.big. IN TYPE65432 \# 0 +manytypes.big. IN TYPE65433 \# 0 +manytypes.big. IN TYPE65434 \# 0 +manytypes.big. IN TYPE65435 \# 0 +manytypes.big. IN TYPE65436 \# 0 +manytypes.big. IN TYPE65437 \# 0 +manytypes.big. IN TYPE65438 \# 0 +manytypes.big. IN TYPE65439 \# 0 +manytypes.big. IN TYPE65440 \# 0 +manytypes.big. IN TYPE65441 \# 0 +manytypes.big. IN TYPE65442 \# 0 +manytypes.big. IN TYPE65443 \# 0 +manytypes.big. IN TYPE65444 \# 0 +manytypes.big. IN TYPE65445 \# 0 +manytypes.big. IN TYPE65446 \# 0 +manytypes.big. IN TYPE65447 \# 0 +manytypes.big. IN TYPE65448 \# 0 +manytypes.big. IN TYPE65449 \# 0 +manytypes.big. IN TYPE65450 \# 0 +manytypes.big. IN TYPE65451 \# 0 +manytypes.big. IN TYPE65452 \# 0 +manytypes.big. IN TYPE65453 \# 0 +manytypes.big. IN TYPE65454 \# 0 +manytypes.big. IN TYPE65455 \# 0 +manytypes.big. IN TYPE65456 \# 0 +manytypes.big. IN TYPE65457 \# 0 +manytypes.big. IN TYPE65458 \# 0 +manytypes.big. IN TYPE65459 \# 0 +manytypes.big. IN TYPE65460 \# 0 +manytypes.big. IN TYPE65461 \# 0 +manytypes.big. IN TYPE65462 \# 0 +manytypes.big. IN TYPE65463 \# 0 +manytypes.big. IN TYPE65464 \# 0 +manytypes.big. IN TYPE65465 \# 0 +manytypes.big. IN TYPE65466 \# 0 +manytypes.big. IN TYPE65467 \# 0 +manytypes.big. IN TYPE65468 \# 0 +manytypes.big. IN TYPE65469 \# 0 +manytypes.big. IN TYPE65470 \# 0 +manytypes.big. IN TYPE65471 \# 0 +manytypes.big. IN TYPE65472 \# 0 +manytypes.big. IN TYPE65473 \# 0 +manytypes.big. IN TYPE65474 \# 0 +manytypes.big. IN TYPE65475 \# 0 +manytypes.big. IN TYPE65476 \# 0 +manytypes.big. IN TYPE65477 \# 0 +manytypes.big. IN TYPE65478 \# 0 +manytypes.big. IN TYPE65479 \# 0 +manytypes.big. IN TYPE65480 \# 0 +manytypes.big. IN TYPE65481 \# 0 +manytypes.big. IN TYPE65482 \# 0 +manytypes.big. IN TYPE65483 \# 0 +manytypes.big. IN TYPE65484 \# 0 +manytypes.big. IN TYPE65485 \# 0 +manytypes.big. IN TYPE65486 \# 0 +manytypes.big. IN TYPE65487 \# 0 +manytypes.big. IN TYPE65488 \# 0 +manytypes.big. IN TYPE65489 \# 0 +manytypes.big. IN TYPE65490 \# 0 +manytypes.big. IN TYPE65491 \# 0 +manytypes.big. IN TYPE65492 \# 0 +manytypes.big. IN TYPE65493 \# 0 +manytypes.big. IN TYPE65494 \# 0 +manytypes.big. IN TYPE65495 \# 0 +manytypes.big. IN TYPE65496 \# 0 +manytypes.big. IN TYPE65497 \# 0 +manytypes.big. IN TYPE65498 \# 0 +manytypes.big. IN TYPE65499 \# 0 +manytypes.big. IN TYPE65500 \# 0 +manytypes.big. IN TYPE65501 \# 0 +manytypes.big. IN TYPE65502 \# 0 +manytypes.big. IN TYPE65503 \# 0 +manytypes.big. IN TYPE65504 \# 0 +manytypes.big. IN TYPE65505 \# 0 +manytypes.big. IN TYPE65506 \# 0 +manytypes.big. IN TYPE65507 \# 0 +manytypes.big. IN TYPE65508 \# 0 +manytypes.big. IN TYPE65509 \# 0 +manytypes.big. IN TYPE65510 \# 0 +manytypes.big. IN TYPE65511 \# 0 +manytypes.big. IN TYPE65512 \# 0 +manytypes.big. IN TYPE65513 \# 0 +manytypes.big. IN TYPE65514 \# 0 +manytypes.big. IN TYPE65515 \# 0 +manytypes.big. IN TYPE65516 \# 0 +manytypes.big. IN TYPE65517 \# 0 +manytypes.big. IN TYPE65518 \# 0 +manytypes.big. IN TYPE65519 \# 0 +manytypes.big. IN TYPE65520 \# 0 +manytypes.big. IN TYPE65521 \# 0 +manytypes.big. IN TYPE65522 \# 0 +manytypes.big. IN TYPE65523 \# 0 +manytypes.big. IN TYPE65524 \# 0 +manytypes.big. IN TYPE65525 \# 0 +manytypes.big. IN TYPE65526 \# 0 +manytypes.big. IN TYPE65527 \# 0 +manytypes.big. IN TYPE65528 \# 0 +manytypes.big. IN TYPE65529 \# 0 +manytypes.big. IN TYPE65530 \# 0 +manytypes.big. IN TYPE65531 \# 0 +manytypes.big. IN TYPE65532 \# 0 +manytypes.big. IN TYPE65533 \# 0 +manytypes.big. IN TYPE65534 \# 0 diff --git a/bin/tests/system/reclimit/ns1/named.conf.in b/bin/tests/system/reclimit/ns1/named.conf.in index c56c0dbf55..65da2e5795 100644 --- a/bin/tests/system/reclimit/ns1/named.conf.in +++ b/bin/tests/system/reclimit/ns1/named.conf.in @@ -23,6 +23,7 @@ options { recursion no; dnssec-validation no; max-records-per-type 0; + max-types-per-name 0; }; zone "." { type primary; file "root.db"; }; diff --git a/bin/tests/system/reclimit/ns3/named5.conf.in b/bin/tests/system/reclimit/ns3/named5.conf.in index 56f704a3c0..7cf0633a00 100644 --- a/bin/tests/system/reclimit/ns3/named5.conf.in +++ b/bin/tests/system/reclimit/ns3/named5.conf.in @@ -26,6 +26,7 @@ options { recursion yes; dnssec-validation yes; max-records-per-type 0; + max-types-per-name 10; }; trust-anchors { }; diff --git a/bin/tests/system/reclimit/ns3/named6.conf.in b/bin/tests/system/reclimit/ns3/named6.conf.in new file mode 100644 index 0000000000..e1607e275d --- /dev/null +++ b/bin/tests/system/reclimit/ns3/named6.conf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + directory "."; + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + servfail-ttl 0; + qname-minimization disabled; + max-recursion-depth 12; + recursion yes; + dnssec-validation yes; + max-records-per-type 0; + max-types-per-name 0; +}; + +trust-anchors { }; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints.db"; }; diff --git a/bin/tests/system/reclimit/tests.sh b/bin/tests/system/reclimit/tests.sh index 42e98d90aa..cf657d81af 100644 --- a/bin/tests/system/reclimit/tests.sh +++ b/bin/tests/system/reclimit/tests.sh @@ -233,5 +233,39 @@ grep 'status: NOERROR' dig.out.2.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +check_manytypes() ( + i=$1 + type=$2 + expected=$3 + + $DIG $DIGOPTS @10.53.0.3 IN $type manytypes.big >dig.out.$i.$type.test$n || exit 1 + grep 'status: '"${expected}"'' dig.out.$i.$type.test$n >/dev/null || exit 1 + + exit 0 +) + +n=$((n + 1)) +echo_i "checking name that exceeds max-types-per-name ($n)" +ret=0 + +# Limited to 10 types - these should be fine +for ntype in $(seq 65280 65289); do + check_manytypes 1 "TYPE${ntype}" NOERROR || ret=1 +done +# Everything on top of that should SERVFAIL +for ntype in $(seq 65290 65534); do + check_manytypes 1 "TYPE${ntype}" SERVFAIL || ret=1 +done + +# Lift the limit +ns3_reset ns3/named6.conf.in + +for ntype in $(seq 65280 65534); do + check_manytypes 2 "TYPE${ntype}" NOERROR || ret=1 +done + +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From ccde4911ca321eccf6e48c39de5a3c8d80cac808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 28 May 2024 16:13:53 +0200 Subject: [PATCH 06/19] Add test for not-loading many RRsets per name on a secondary This tests makes sure the zone with many RRsets per name is not loaded via XFR on the secondary server. --- bin/tests/system/masterformat/ns1/compile.sh | 1 + bin/tests/system/masterformat/ns1/many.db.in | 22 ++++++++++++++++++ .../system/masterformat/ns1/named.conf.in | 9 ++++++++ .../system/masterformat/ns2/named.conf.in | 8 +++++++ bin/tests/system/masterformat/setup.sh | 5 ++++ bin/tests/system/masterformat/tests.sh | 23 +++++++++++++++++++ 6 files changed, 68 insertions(+) create mode 100644 bin/tests/system/masterformat/ns1/many.db.in diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 7b2ff56b2f..6d8df244be 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -29,6 +29,7 @@ $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ $CHECKZONE -D -F raw -o large.db.raw large large.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o huge.db.raw huge huge.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o uber.db.raw uber uber.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o many.db.raw many many.db >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/ns1/many.db.in b/bin/tests/system/masterformat/ns1/many.db.in new file mode 100644 index 0000000000..5a818632a8 --- /dev/null +++ b/bin/tests/system/masterformat/ns1/many.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in index c0897f2d82..1d29bb7d22 100644 --- a/bin/tests/system/masterformat/ns1/named.conf.in +++ b/bin/tests/system/masterformat/ns1/named.conf.in @@ -24,6 +24,7 @@ options { servfail-ttl 0; dnssec-validation no; max-records-per-type 2050; + max-types-per-name 500; }; key rndc_key { @@ -93,6 +94,7 @@ zone "huge" { allow-transfer { any; }; }; + zone "uber" { type primary; file "uber.db.raw"; @@ -100,6 +102,13 @@ zone "uber" { allow-transfer { any; }; }; +zone "many" { + type primary; + file "many.db.raw"; + masterfile-format raw; + allow-transfer { any; }; +}; + zone "signed" { type primary; file "signed.db.raw"; diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in index 1b28b0cb0e..e03fb389c3 100644 --- a/bin/tests/system/masterformat/ns2/named.conf.in +++ b/bin/tests/system/masterformat/ns2/named.conf.in @@ -23,6 +23,7 @@ options { servfail-ttl 0; dnssec-validation no; max-records-per-type 2000; + max-types-per-name 200; }; zone "example" { @@ -70,3 +71,10 @@ zone "huge" { masterfile-format raw; file "huge.bk"; }; + +zone "many" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format raw; + file "many.bk"; +}; diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index cc90f5a692..569b479b9b 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -43,4 +43,9 @@ awk 'END { for (i = 0; i < 2050; i++ ) { print "d TXT", i; } for (i = 0; i < 2100; i++ ) { print "e TXT", i; } }' >ns1/uber.db +cp ns1/many.db.in ns1/many.db +for ntype in $(seq 65280 65534); do + echo "m TYPE${ntype} \# 0" +done >>ns1/many.db +echo "m TXT bunny" >>ns1/many.db cd ns1 && $SHELL compile.sh diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 27d37a3ff3..26df0270e2 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -243,6 +243,29 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) +echo_i "checking that many types are loaded ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + $DIG +tcp TXT "m.many" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.test$n" + grep "status: NOERROR" "dig.out.ns1.test$n" >/dev/null || ret=1 + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that many types are not transfered ($n)" +for i in 0 1 2 3 4 5 6 7 8 9; do + $DIG +tcp TXT "m.many" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" + grep "status: SERVFAIL" "dig.out.ns2.test$n" >/dev/null || ret=1 + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + echo_i "checking format transitions: text->raw->text ($n)" ret=0 $CHECKZONE -D -f text -F text -o baseline.txt example.nil ns1/example.db >/dev/null From 35faf81680806c2464bbc853c612939be4edce02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 29 May 2024 18:12:29 +0200 Subject: [PATCH 07/19] Test variable rename a->rrcount --- bin/tests/system/masterformat/tests.sh | 30 +++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 26df0270e2..447f6c33cb 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -176,9 +176,9 @@ status=$((status + ret)) echo_i "checking that large rdatasets loaded ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for a in a b c; do - $DIG +tcp txt "${a}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" - grep "status: NOERROR" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 + for rrcount in a b c; do + $DIG +tcp txt "${rrcount}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 @@ -190,9 +190,9 @@ status=$((status + ret)) echo_i "checking that large rdatasets transfered ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for a in a b c; do - $DIG +tcp txt "${a}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$a.test$n" - grep "status: NOERROR" "dig.out.ns2.$a.test$n" >/dev/null || ret=1 + for rrcount in a b c; do + $DIG +tcp txt "${rrcount}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 @@ -204,9 +204,9 @@ status=$((status + ret)) echo_i "checking that huge rdatasets loaded ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for a in a b c d; do - $DIG +tcp txt "${a}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" - grep "status: NOERROR" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 + for rrcount in a b c d; do + $DIG +tcp txt "${rrcount}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 @@ -218,9 +218,9 @@ status=$((status + ret)) echo_i "checking that huge rdatasets not transfered ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for a in a b c d; do - $DIG +tcp txt "${a}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$a.test$n" - grep "status: SERVFAIL" "dig.out.ns2.$a.test$n" >/dev/null || ret=1 + for rrcount in a b c d; do + $DIG +tcp txt "${rrcount}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 @@ -232,9 +232,9 @@ status=$((status + ret)) echo_i "checking that uber rdatasets not loaded ($n)" for i in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for a in a b c d e; do - $DIG +tcp txt "${a}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$a.test$n" - grep "status: SERVFAIL" "dig.out.ns1.$a.test$n" >/dev/null || ret=1 + for rrcount in a b c d e; do + $DIG +tcp txt "${rrcount}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: SERVFAIL" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break sleep 1 From c080e510abef4f47cc27da92584a687f5c0bda8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 29 May 2024 18:13:47 +0200 Subject: [PATCH 08/19] Test variable rename i->_attempt --- bin/tests/system/masterformat/tests.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 447f6c33cb..df48a560ea 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -134,7 +134,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "waiting for transfers to complete" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do test -f ns2/transfer.db.raw -a -f ns2/transfer.db.txt && break sleep 1 done @@ -162,7 +162,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that secondary formerly in text format is now raw ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 israw ns2/formerly-text.db >/dev/null 2>&1 || ret=1 [ "$(rawversion ns2/formerly-text.db)" -eq 1 ] || ret=1 @@ -174,7 +174,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that large rdatasets loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in a b c; do $DIG +tcp txt "${rrcount}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" @@ -188,7 +188,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that large rdatasets transfered ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in a b c; do $DIG +tcp txt "${rrcount}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" @@ -202,7 +202,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that huge rdatasets loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in a b c d; do $DIG +tcp txt "${rrcount}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" @@ -216,7 +216,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that huge rdatasets not transfered ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in a b c d; do $DIG +tcp txt "${rrcount}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" @@ -230,7 +230,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that uber rdatasets not loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in a b c d e; do $DIG +tcp txt "${rrcount}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" @@ -244,7 +244,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that many types are loaded ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 $DIG +tcp TXT "m.many" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.test$n" grep "status: NOERROR" "dig.out.ns1.test$n" >/dev/null || ret=1 @@ -256,7 +256,7 @@ n=$((n + 1)) status=$((status + ret)) echo_i "checking that many types are not transfered ($n)" -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do $DIG +tcp TXT "m.many" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" grep "status: SERVFAIL" "dig.out.ns2.test$n" >/dev/null || ret=1 [ $ret -eq 0 ] && break @@ -319,7 +319,7 @@ stop_server --use-rndc --port ${CONTROLPORT} ns3 rm ns3/*.jnl restart #shellcheck disable=SC2034 -for i in 0 1 2 3 4 5 6 7 8 9; do +for _attempt in 0 1 2 3 4 5 6 7 8 9; do lret=0 dig_with_opts +comm @10.53.0.3 moretext.dynamic txt >"dig.out.dynamic2.ns3.test$n" grep "more text" "dig.out.dynamic2.ns3.test$n" >/dev/null 2>&1 || lret=1 From 124e220579b9177a77d5e7be94d717e13225d4a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 29 May 2024 18:20:00 +0200 Subject: [PATCH 09/19] Test owner name rename: a b c d e -> -txt --- bin/tests/system/masterformat/setup.sh | 24 ++++++++++++------------ bin/tests/system/masterformat/tests.sh | 10 +++++----- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index 569b479b9b..ab4eff70d6 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -24,24 +24,24 @@ cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db cp ns1/large.db.in ns1/large.db awk 'END { - for (i = 0; i < 500; i++ ) { print "a TXT", i; } - for (i = 0; i < 1000; i++ ) { print "b TXT", i; } - for (i = 0; i < 2000; i++ ) { print "c TXT", i; } + for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } + for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } + for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } }' >ns1/large.db cp ns1/huge.db.in ns1/huge.db awk 'END { - for (i = 0; i < 500; i++ ) { print "a TXT", i; } - for (i = 0; i < 1000; i++ ) { print "b TXT", i; } - for (i = 0; i < 2000; i++ ) { print "c TXT", i; } - for (i = 0; i < 2050; i++ ) { print "d TXT", i; } + for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } + for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } + for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } + for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } }' >ns1/huge.db cp ns1/uber.db.in ns1/uber.db awk 'END { - for (i = 0; i < 500; i++ ) { print "a TXT", i; } - for (i = 0; i < 1000; i++ ) { print "b TXT", i; } - for (i = 0; i < 2000; i++ ) { print "c TXT", i; } - for (i = 0; i < 2050; i++ ) { print "d TXT", i; } - for (i = 0; i < 2100; i++ ) { print "e TXT", i; } + for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } + for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } + for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } + for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } + for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; } }' >ns1/uber.db cp ns1/many.db.in ns1/many.db for ntype in $(seq 65280 65534); do diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index df48a560ea..2e9b52b545 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -176,7 +176,7 @@ status=$((status + ret)) echo_i "checking that large rdatasets loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for rrcount in a b c; do + for rrcount in 500-txt 1000-txt 2000-txt; do $DIG +tcp txt "${rrcount}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done @@ -190,7 +190,7 @@ status=$((status + ret)) echo_i "checking that large rdatasets transfered ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for rrcount in a b c; do + for rrcount in 500-txt 1000-txt 2000-txt; do $DIG +tcp txt "${rrcount}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done @@ -204,7 +204,7 @@ status=$((status + ret)) echo_i "checking that huge rdatasets loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for rrcount in a b c d; do + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do $DIG +tcp txt "${rrcount}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done @@ -218,7 +218,7 @@ status=$((status + ret)) echo_i "checking that huge rdatasets not transfered ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for rrcount in a b c d; do + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do $DIG +tcp txt "${rrcount}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done @@ -232,7 +232,7 @@ status=$((status + ret)) echo_i "checking that uber rdatasets not loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - for rrcount in a b c d e; do + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt 2100-txt; do $DIG +tcp txt "${rrcount}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: SERVFAIL" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done From d85f516f5b547b28cdb5fed25dd7e48316c71cac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 29 May 2024 18:28:58 +0200 Subject: [PATCH 10/19] masterformat: rename zone names to reflect intended meaning --- .../ns1/{huge.db.in => 255types.db.in} | 0 bin/tests/system/masterformat/ns1/compile.sh | 8 +++--- .../system/masterformat/ns1/named.conf.in | 16 +++++------ .../ns1/{large.db.in => on-limit.db.in} | 0 .../ns1/{many.db.in => over-limit.db.in} | 0 .../ns1/{uber.db.in => under-limit.db.in} | 0 .../system/masterformat/ns2/named.conf.in | 12 ++++---- bin/tests/system/masterformat/setup.sh | 22 +++++++++------ bin/tests/system/masterformat/tests.sh | 28 +++++++++---------- 9 files changed, 45 insertions(+), 41 deletions(-) rename bin/tests/system/masterformat/ns1/{huge.db.in => 255types.db.in} (100%) rename bin/tests/system/masterformat/ns1/{large.db.in => on-limit.db.in} (100%) rename bin/tests/system/masterformat/ns1/{many.db.in => over-limit.db.in} (100%) rename bin/tests/system/masterformat/ns1/{uber.db.in => under-limit.db.in} (100%) diff --git a/bin/tests/system/masterformat/ns1/huge.db.in b/bin/tests/system/masterformat/ns1/255types.db.in similarity index 100% rename from bin/tests/system/masterformat/ns1/huge.db.in rename to bin/tests/system/masterformat/ns1/255types.db.in diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index 6d8df244be..d6ec07428b 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -26,10 +26,10 @@ $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \ example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ example.db >/dev/null 2>&1 -$CHECKZONE -D -F raw -o large.db.raw large large.db >/dev/null 2>&1 -$CHECKZONE -D -F raw -o huge.db.raw huge huge.db >/dev/null 2>&1 -$CHECKZONE -D -F raw -o uber.db.raw uber uber.db >/dev/null 2>&1 -$CHECKZONE -D -F raw -o many.db.raw many many.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o under-limit.db.raw under-limit under-limit.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o on-limit.db.raw on-limit on-limit.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o over-limit.db.raw over-limit over-limit.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o 255types.db.raw 255types 255types.db >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK signed >/dev/null 2>&1 $KEYGEN -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" signed >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in index 1d29bb7d22..d887c094ad 100644 --- a/bin/tests/system/masterformat/ns1/named.conf.in +++ b/bin/tests/system/masterformat/ns1/named.conf.in @@ -80,31 +80,31 @@ zone "transfer4" { }; -zone "large" { +zone "under-limit" { type primary; - file "large.db.raw"; + file "under-limit.db.raw"; masterfile-format raw; allow-transfer { any; }; }; -zone "huge" { +zone "on-limit" { type primary; - file "huge.db.raw"; + file "on-limit.db.raw"; masterfile-format raw; allow-transfer { any; }; }; -zone "uber" { +zone "over-limit" { type primary; - file "uber.db.raw"; + file "over-limit.db.raw"; masterfile-format raw; allow-transfer { any; }; }; -zone "many" { +zone "255types" { type primary; - file "many.db.raw"; + file "255types.db.raw"; masterfile-format raw; allow-transfer { any; }; }; diff --git a/bin/tests/system/masterformat/ns1/large.db.in b/bin/tests/system/masterformat/ns1/on-limit.db.in similarity index 100% rename from bin/tests/system/masterformat/ns1/large.db.in rename to bin/tests/system/masterformat/ns1/on-limit.db.in diff --git a/bin/tests/system/masterformat/ns1/many.db.in b/bin/tests/system/masterformat/ns1/over-limit.db.in similarity index 100% rename from bin/tests/system/masterformat/ns1/many.db.in rename to bin/tests/system/masterformat/ns1/over-limit.db.in diff --git a/bin/tests/system/masterformat/ns1/uber.db.in b/bin/tests/system/masterformat/ns1/under-limit.db.in similarity index 100% rename from bin/tests/system/masterformat/ns1/uber.db.in rename to bin/tests/system/masterformat/ns1/under-limit.db.in diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in index e03fb389c3..277ad19805 100644 --- a/bin/tests/system/masterformat/ns2/named.conf.in +++ b/bin/tests/system/masterformat/ns2/named.conf.in @@ -58,23 +58,23 @@ zone "transfer4" { file "transfer.db.full"; }; -zone "large" { +zone "under-limit" { type secondary; primaries { 10.53.0.1; }; masterfile-format raw; - file "large.bk"; + file "under-limit.bk"; }; -zone "huge" { +zone "on-limit" { type secondary; primaries { 10.53.0.1; }; masterfile-format raw; - file "huge.bk"; + file "on-limit.bk"; }; -zone "many" { +zone "255types" { type secondary; primaries { 10.53.0.1; }; masterfile-format raw; - file "many.bk"; + file "255types.bk"; }; diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index ab4eff70d6..b9062b9822 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -22,30 +22,34 @@ copy_setports ns3/named.conf.in ns3/named.conf cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db -cp ns1/large.db.in ns1/large.db +cp ns1/under-limit.db.in ns1/under-limit.db + +# counts are set with respect to these limits in named.conf: +# max-records-per-type 2050; +# max-types-per-name 500; awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } -}' >ns1/large.db -cp ns1/huge.db.in ns1/huge.db +}' >ns1/under-limit.db +cp ns1/on-limit.db.in ns1/on-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } -}' >ns1/huge.db -cp ns1/uber.db.in ns1/uber.db +}' >ns1/on-limit.db +cp ns1/over-limit.db.in ns1/over-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; } -}' >ns1/uber.db -cp ns1/many.db.in ns1/many.db +}' >ns1/over-limit.db +cp ns1/255types.db.in ns1/255types.db for ntype in $(seq 65280 65534); do echo "m TYPE${ntype} \# 0" -done >>ns1/many.db -echo "m TXT bunny" >>ns1/many.db +done >>ns1/255types.db +echo "m TXT bunny" >>ns1/255types.db cd ns1 && $SHELL compile.sh diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 2e9b52b545..5f423b385b 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -173,11 +173,11 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that large rdatasets loaded ($n)" +echo_i "checking that under-limit rdatasets loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in 500-txt 1000-txt 2000-txt; do - $DIG +tcp txt "${rrcount}.large" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + $DIG +tcp txt "${rrcount}.under-limit" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break @@ -187,11 +187,11 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that large rdatasets transfered ($n)" +echo_i "checking that under-limit rdatasets transfered ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in 500-txt 1000-txt 2000-txt; do - $DIG +tcp txt "${rrcount}.large" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + $DIG +tcp txt "${rrcount}.under-limit" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break @@ -201,11 +201,11 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that huge rdatasets loaded ($n)" +echo_i "checking that on-limit rdatasets loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do - $DIG +tcp txt "${rrcount}.huge" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + $DIG +tcp txt "${rrcount}.on-limit" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break @@ -215,11 +215,11 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that huge rdatasets not transfered ($n)" +echo_i "checking that on-limit rdatasets not transfered ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do - $DIG +tcp txt "${rrcount}.huge" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + $DIG +tcp txt "${rrcount}.on-limit" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break @@ -229,11 +229,11 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that uber rdatasets not loaded ($n)" +echo_i "checking that over-limit rdatasets not loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 for rrcount in 500-txt 1000-txt 2000-txt 2050-txt 2100-txt; do - $DIG +tcp txt "${rrcount}.uber" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + $DIG +tcp txt "${rrcount}.over-limit" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" grep "status: SERVFAIL" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 done [ $ret -eq 0 ] && break @@ -243,10 +243,10 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that many types are loaded ($n)" +echo_i "checking that 255 types are loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 - $DIG +tcp TXT "m.many" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.test$n" + $DIG +tcp TXT "m.255types" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.test$n" grep "status: NOERROR" "dig.out.ns1.test$n" >/dev/null || ret=1 [ $ret -eq 0 ] && break sleep 1 @@ -255,9 +255,9 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) -echo_i "checking that many types are not transfered ($n)" +echo_i "checking that 255 types types are not transfered ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do - $DIG +tcp TXT "m.many" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" + $DIG +tcp TXT "m.255types" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.test$n" grep "status: SERVFAIL" "dig.out.ns2.test$n" >/dev/null || ret=1 [ $ret -eq 0 ] && break sleep 1 From b2afc83040bcf3e486f8639649d5d6f6f35dd1ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Wed, 29 May 2024 21:03:02 +0200 Subject: [PATCH 11/19] Remove duplicated empty zone files --- .../ns1/{255types.db.in => empty.db.in} | 0 .../system/masterformat/ns1/on-limit.db.in | 22 ------------------- .../system/masterformat/ns1/over-limit.db.in | 22 ------------------- .../system/masterformat/ns1/under-limit.db.in | 22 ------------------- bin/tests/system/masterformat/setup.sh | 8 +++---- 5 files changed, 4 insertions(+), 70 deletions(-) rename bin/tests/system/masterformat/ns1/{255types.db.in => empty.db.in} (100%) delete mode 100644 bin/tests/system/masterformat/ns1/on-limit.db.in delete mode 100644 bin/tests/system/masterformat/ns1/over-limit.db.in delete mode 100644 bin/tests/system/masterformat/ns1/under-limit.db.in diff --git a/bin/tests/system/masterformat/ns1/255types.db.in b/bin/tests/system/masterformat/ns1/empty.db.in similarity index 100% rename from bin/tests/system/masterformat/ns1/255types.db.in rename to bin/tests/system/masterformat/ns1/empty.db.in diff --git a/bin/tests/system/masterformat/ns1/on-limit.db.in b/bin/tests/system/masterformat/ns1/on-limit.db.in deleted file mode 100644 index 5a818632a8..0000000000 --- a/bin/tests/system/masterformat/ns1/on-limit.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns1/over-limit.db.in b/bin/tests/system/masterformat/ns1/over-limit.db.in deleted file mode 100644 index 5a818632a8..0000000000 --- a/bin/tests/system/masterformat/ns1/over-limit.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/ns1/under-limit.db.in b/bin/tests/system/masterformat/ns1/under-limit.db.in deleted file mode 100644 index 5a818632a8..0000000000 --- a/bin/tests/system/masterformat/ns1/under-limit.db.in +++ /dev/null @@ -1,22 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index b9062b9822..0c8f6042ad 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -22,7 +22,7 @@ copy_setports ns3/named.conf.in ns3/named.conf cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db -cp ns1/under-limit.db.in ns1/under-limit.db +cp ns1/empty.db.in ns1/under-limit.db # counts are set with respect to these limits in named.conf: # max-records-per-type 2050; @@ -32,14 +32,14 @@ awk 'END { for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } }' >ns1/under-limit.db -cp ns1/on-limit.db.in ns1/on-limit.db +cp ns1/empty.db.in ns1/on-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } }' >ns1/on-limit.db -cp ns1/over-limit.db.in ns1/over-limit.db +cp ns1/empty.db.in ns1/over-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } @@ -47,7 +47,7 @@ awk 'END { for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; } }' >ns1/over-limit.db -cp ns1/255types.db.in ns1/255types.db +cp ns1/empty.db.in ns1/255types.db for ntype in $(seq 65280 65534); do echo "m TYPE${ntype} \# 0" done >>ns1/255types.db From 6297e0d7a99511c813d902a3c2d2686cee4559f4 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 30 May 2024 12:26:03 +0200 Subject: [PATCH 12/19] Add test cases that use DNSSEC signing Add two new masterformat tests that use signing. In the case of 'under-limit-kasp', the signing will keep the number of records in the RRset under the limit. In the case of 'on-limit-kasp', the signing will push the number of records in the RRset over the limit, because of the added RRSIG record. --- bin/tests/system/masterformat/ns1/compile.sh | 2 + .../system/masterformat/ns1/named.conf.in | 15 ++++ .../system/masterformat/ns2/named.conf.in | 14 ++++ bin/tests/system/masterformat/setup.sh | 5 ++ bin/tests/system/masterformat/tests.sh | 73 +++++++++++++++++++ 5 files changed, 109 insertions(+) diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh index d6ec07428b..6e5a8b12f1 100755 --- a/bin/tests/system/masterformat/ns1/compile.sh +++ b/bin/tests/system/masterformat/ns1/compile.sh @@ -27,7 +27,9 @@ $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \ $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \ example.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o under-limit.db.raw under-limit under-limit.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o under-limit-kasp.db.raw under-limit-kasp under-limit-kasp.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o on-limit.db.raw on-limit on-limit.db >/dev/null 2>&1 +$CHECKZONE -D -F raw -o on-limit-kasp.db.raw on-limit-kasp on-limit-kasp.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o over-limit.db.raw over-limit over-limit.db >/dev/null 2>&1 $CHECKZONE -D -F raw -o 255types.db.raw 255types 255types.db >/dev/null 2>&1 diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in index d887c094ad..d8c2cbc7c4 100644 --- a/bin/tests/system/masterformat/ns1/named.conf.in +++ b/bin/tests/system/masterformat/ns1/named.conf.in @@ -87,6 +87,14 @@ zone "under-limit" { allow-transfer { any; }; }; +zone "under-limit-kasp" { + type primary; + file "under-limit-kasp.db.raw"; + masterfile-format raw; + dnssec-policy masterformat; + allow-transfer { any; }; +}; + zone "on-limit" { type primary; file "on-limit.db.raw"; @@ -94,6 +102,13 @@ zone "on-limit" { allow-transfer { any; }; }; +zone "on-limit-kasp" { + type primary; + file "on-limit-kasp.db.raw"; + masterfile-format raw; + dnssec-policy masterformat; + allow-transfer { any; }; +}; zone "over-limit" { type primary; diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in index 277ad19805..790ec731b2 100644 --- a/bin/tests/system/masterformat/ns2/named.conf.in +++ b/bin/tests/system/masterformat/ns2/named.conf.in @@ -65,6 +65,13 @@ zone "under-limit" { file "under-limit.bk"; }; +zone "under-limit-kasp" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format raw; + file "under-limit-kasp.bk"; +}; + zone "on-limit" { type secondary; primaries { 10.53.0.1; }; @@ -72,6 +79,13 @@ zone "on-limit" { file "on-limit.bk"; }; +zone "on-limit-kasp" { + type secondary; + primaries { 10.53.0.1; }; + masterfile-format raw; + file "on-limit-kasp.bk"; +}; + zone "255types" { type secondary; primaries { 10.53.0.1; }; diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index 0c8f6042ad..e4cc52b085 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -32,6 +32,8 @@ awk 'END { for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; } for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } }' >ns1/under-limit.db +cp ns1/under-limit.db ns1/under-limit-kasp.db + cp ns1/empty.db.in ns1/on-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } @@ -39,6 +41,8 @@ awk 'END { for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; } for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } }' >ns1/on-limit.db +cp ns1/on-limit.db ns1/on-limit-kasp.db + cp ns1/empty.db.in ns1/over-limit.db awk 'END { for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; } @@ -47,6 +51,7 @@ awk 'END { for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; } for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; } }' >ns1/over-limit.db + cp ns1/empty.db.in ns1/255types.db for ntype in $(seq 65280 65534); do echo "m TYPE${ntype} \# 0" diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 5f423b385b..2daeeb450a 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -201,6 +201,49 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) +echo_i "checking that under-limit-kasp dnskeys loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + + $DIG +tcp +dnssec dnskey "under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.dnskey.test$n" + grep "status: NOERROR" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1 + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that under-limit-kasp rdatasets loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrcount in 500-txt 1000-txt 2000-txt; do + $DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that under-limit-kasp rdatasets transfered ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrcount in 500-txt 1000-txt 2000-txt; do + $DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + echo_i "checking that on-limit rdatasets loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 @@ -229,6 +272,36 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) +echo_i "checking that on-limit-kasp rdatasets loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do + $DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that on-limit-kasp rdatasets not transfered ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do + $DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n" + grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + + echo_i "checking that over-limit rdatasets not loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 From ef9d5cf552375422c37e6d242fb46e3ceb519b45 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 30 May 2024 15:41:12 +0200 Subject: [PATCH 13/19] Switch to inline-signing no --- bin/tests/system/masterformat/ns1/named.conf.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in index d8c2cbc7c4..e96350fd5d 100644 --- a/bin/tests/system/masterformat/ns1/named.conf.in +++ b/bin/tests/system/masterformat/ns1/named.conf.in @@ -107,6 +107,8 @@ zone "on-limit-kasp" { file "on-limit-kasp.db.raw"; masterfile-format raw; dnssec-policy masterformat; + inline-signing no; + allow-update { any; }; allow-transfer { any; }; }; From 15ecd2cce62099f722e1e6d3d2aa417b96db7092 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 30 May 2024 15:41:32 +0200 Subject: [PATCH 14/19] Check if restart works --- bin/tests/system/masterformat/tests.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 2daeeb450a..8308c38f3d 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -425,5 +425,24 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) +echo_i "checking that on-limit-kasp rdatasets loaded after re-sign and re-start ($n)" +ret=0 +stop_server ns1 +start_server --noclean --restart --port "${PORT}" ns1 + +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do + $DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n" + grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From 4e46453035003272e5d74ff671e065957a35ca6c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 31 May 2024 13:08:38 +0200 Subject: [PATCH 15/19] Add new test cases with DNSSEC signing kasp-max-types-per-name (named2.conf.in): An unsigned zone with RR type count on a name right below the configured limit. Then sign the zone using KASP. Adding a RRSIG would push it over the RR type limit per name. Signing should fail, but the server should not crash, nor end up in infinite resign-attempt loop. kasp-max-records-per-type-dnskey (named1.conf.in): Test with low max-record-per-rrset limit and a DNSSEC policy requiring more than the limit. Signing should fail. kasp-max-types-per-name (named1.conf.in): Each RRSIG(covered type) is counted as an individual RR type. Test the corner case where a signed zone, which is just below the limit-1, adds a new type - doing so would trigger signing for the new type and thus increase the number of "types" by 2, pushing it over the limit again. --- bin/tests/system/masterformat/ns4/compile.sh | 21 ++++ bin/tests/system/masterformat/ns4/kasp.db | 28 ++++++ .../system/masterformat/ns4/named1.conf.in | 89 +++++++++++++++++ .../system/masterformat/ns4/named2.conf.in | 53 ++++++++++ bin/tests/system/masterformat/ns4/template.db | 28 ++++++ bin/tests/system/masterformat/setup.sh | 4 +- bin/tests/system/masterformat/tests.sh | 97 ++++++++++++++++++- 7 files changed, 318 insertions(+), 2 deletions(-) create mode 100755 bin/tests/system/masterformat/ns4/compile.sh create mode 100644 bin/tests/system/masterformat/ns4/kasp.db create mode 100644 bin/tests/system/masterformat/ns4/named1.conf.in create mode 100644 bin/tests/system/masterformat/ns4/named2.conf.in create mode 100644 bin/tests/system/masterformat/ns4/template.db diff --git a/bin/tests/system/masterformat/ns4/compile.sh b/bin/tests/system/masterformat/ns4/compile.sh new file mode 100755 index 0000000000..9dabc50d5d --- /dev/null +++ b/bin/tests/system/masterformat/ns4/compile.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +for zone in kasp-max-records-per-type \ + kasp-max-records-per-type-dnskey \ + kasp-max-types-per-name; do + $CHECKZONE -D -F raw -o $zone.db.raw $zone template.db >/dev/null 2>&1 +done diff --git a/bin/tests/system/masterformat/ns4/kasp.db b/bin/tests/system/masterformat/ns4/kasp.db new file mode 100644 index 0000000000..2da30073d7 --- /dev/null +++ b/bin/tests/system/masterformat/ns4/kasp.db @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +txt TXT "this is text" diff --git a/bin/tests/system/masterformat/ns4/named1.conf.in b/bin/tests/system/masterformat/ns4/named1.conf.in new file mode 100644 index 0000000000..0adc4e9236 --- /dev/null +++ b/bin/tests/system/masterformat/ns4/named1.conf.in @@ -0,0 +1,89 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + pid-file "named.pid"; + listen-on port @PORT@ { 10.53.0.4; }; + port @PORT@; + listen-on-v6 { none; }; + recursion no; + notify no; + session-keyfile "session.key"; + servfail-ttl 0; + dnssec-validation no; + + /* Ridicously low on purpose */ + max-records-per-type 1; + max-types-per-name 11; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +dnssec-policy "masterformat" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +/* + * This one should be okay, since the default policy only introduces one DNSKEY + * and each signature covering a different type is considered a separate RRset. + */ +zone "kasp-max-records-per-type" { + type primary; + file "kasp-max-records-per-type.db.raw"; + masterfile-format raw; + dnssec-policy "default"; + inline-signing no; + allow-update { any; }; + allow-transfer { any; }; +}; + +/* + * This one uses a ZSK / KSK, so that is two records in one RRset, + * thus it should fail to sign. + */ +zone "kasp-max-records-per-type-dnskey" { + type primary; + file "kasp-max-records-per-type-dnskey.db.raw"; + masterfile-format raw; + dnssec-policy "masterformat"; + inline-signing no; + allow-update { any; }; + allow-transfer { any; }; +}; + +/* + * The template zone is fine and should be possible to sign, but when + * adding an extra type to the apex the max-types-per-name will be exceeded, + * meaning the update should fail. + */ +zone "kasp-max-types-per-name" { + type primary; + file "kasp-max-types-per-name.db.raw"; + masterfile-format raw; + dnssec-policy "default"; + inline-signing no; + allow-update { any; }; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/masterformat/ns4/named2.conf.in b/bin/tests/system/masterformat/ns4/named2.conf.in new file mode 100644 index 0000000000..fb810ccf71 --- /dev/null +++ b/bin/tests/system/masterformat/ns4/named2.conf.in @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + pid-file "named.pid"; + listen-on port @PORT@ { 10.53.0.4; }; + port @PORT@; + listen-on-v6 { none; }; + recursion no; + notify no; + session-keyfile "session.key"; + servfail-ttl 0; + dnssec-validation no; + + /* Ridicously low on purpose */ + max-records-per-type 1; + max-types-per-name 9; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* + * The template zone is fine, but when adding the DNSSEC records to the apex, + * the max-types-per-name will be exceeded, meaning signing should fail. + */ +zone "kasp-max-types-per-name" { + type primary; + file "kasp-max-types-per-name.db.raw"; + masterfile-format raw; + dnssec-policy "default"; + inline-signing no; + allow-update { any; }; + allow-transfer { any; }; +}; diff --git a/bin/tests/system/masterformat/ns4/template.db b/bin/tests/system/masterformat/ns4/template.db new file mode 100644 index 0000000000..2da30073d7 --- /dev/null +++ b/bin/tests/system/masterformat/ns4/template.db @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 1D + +@ IN SOA ns hostmaster ( + 1 + 3600 + 1800 + 1814400 + 3 + ) + NS ns +ns A 10.53.0.1 +mx MX 10 mail +a A 10.53.0.1 +aaaa AAAA 2001:db8::53 +cname CNAME cname-target +dname DNAME dname-target +txt TXT "this is text" diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh index e4cc52b085..f5d52cf23b 100755 --- a/bin/tests/system/masterformat/setup.sh +++ b/bin/tests/system/masterformat/setup.sh @@ -19,6 +19,7 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named1.conf.in ns4/named.conf cp ns1/example.db ns2/ cp ns2/formerly-text.db.in ns2/formerly-text.db @@ -57,4 +58,5 @@ for ntype in $(seq 65280 65534); do echo "m TYPE${ntype} \# 0" done >>ns1/255types.db echo "m TXT bunny" >>ns1/255types.db -cd ns1 && $SHELL compile.sh +(cd ns1 && $SHELL compile.sh) +(cd ns4 && $SHELL compile.sh) diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh index 8308c38f3d..f420de25a0 100755 --- a/bin/tests/system/masterformat/tests.sh +++ b/bin/tests/system/masterformat/tests.sh @@ -301,7 +301,6 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) - echo_i "checking that over-limit rdatasets not loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 @@ -316,6 +315,102 @@ n=$((n + 1)) [ $ret -eq 0 ] || echo_i "failed" status=$((status + ret)) +echo_i "checking that kasp-max-records-per-type rdatasets loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrtype in soa dnskey ns; do + $DIG +tcp +dnssec $rrtype "kasp-max-records-per-type" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n" + grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that kasp-max-records-per-type-dnskey rdatasets not signed ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrtype in soa dnskey ns; do + $DIG +tcp +dnssec $rrtype "kasp-max-records-per-type-dnskey" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n" + grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null && ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that kasp-max-types-per-name rdatasets loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrtype in soa dnskey ns; do + $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n" + grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + grep "RRSIG" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +# Update zone with nsupdate. +n=$((n + 1)) +echo_i "add new type to zone and check that it fails ($n)" +ret=0 +( + echo zone kasp-max-types-per-name. + echo server 10.53.0.4 "$PORT" + echo update add kasp-max-types-per-name. 300 TXT KAPUTT + echo send +) | $NSUPDATE && ret=1 +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +echo_i "checking that kasp-max-types-per-name rdatasets loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrtype in soa dnskey ns txt; do + $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n" + grep "status: NOERROR" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + grep "KAPUTT" "dig.out.ns4.$rrtype.test$n" >/dev/null && ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + +# Reconfigure ns4 +echo_i "reconfigure ns4" +stop_server ns4 +copy_setports ns4/named2.conf.in ns4/named.conf +# Recompile zone +$CHECKZONE -D -F raw -o ns4/kasp.db.raw kasp-max-types-per-name ns4/template.db >/dev/null 2>&1 +start_server --noclean --restart --port "${PORT}" ns4 + +echo_i "checking that kasp-max-types-per-name rdatasets not loaded ($n)" +for _attempt in 0 1 2 3 4 5 6 7 8 9; do + ret=0 + for rrtype in soa dnskey ns; do + $DIG +tcp +dnssec $rrtype "kasp-max-types-per-name" @10.53.0.4 -p "${PORT}" >"dig.out.ns4.$rrtype.test$n" + grep "status: SERVFAIL" "dig.out.ns4.$rrtype.test$n" >/dev/null || ret=1 + done + [ $ret -eq 0 ] && break + sleep 1 +done +n=$((n + 1)) +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + echo_i "checking that 255 types are loaded ($n)" for _attempt in 0 1 2 3 4 5 6 7 8 9; do ret=0 From 7dd6b47ace3f43ebcd72c382bcb5f962f8f32af7 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 31 May 2024 17:16:29 -0700 Subject: [PATCH 16/19] fix a memory leak that could occur when signing when signatures were not added because of too many types already existing at a node, the diff was not being cleaned up; this led to a memory leak being reported at shutdown. --- lib/dns/zone.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9f152a7c02..f8c0723ff6 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9743,6 +9743,7 @@ cleanup: } dns_diff_clear(&_sig_diff); + dns_diff_clear(&post_diff); for (i = 0; i < nkeys; i++) { dst_key_free(&zone_keys[i]); From 82635e56d87ca4bacd18ca7debacc71bdef30e74 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 3 Jun 2024 07:56:21 +0200 Subject: [PATCH 17/19] Log error when update fails The new "too many records" error can make an update fail without the error being logged. This commit fixes that. --- lib/ns/update.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/ns/update.c b/lib/ns/update.c index dfecd4262f..e5e602983b 100644 --- a/lib/ns/update.c +++ b/lib/ns/update.c @@ -3160,9 +3160,18 @@ update_action(void *arg) { dns_diff_clear(&ctx.add_diff); goto failure; } - CHECK(update_one_rr(db, ver, &diff, - DNS_DIFFOP_ADD, - name, ttl, &rdata)); + result = update_one_rr( + db, ver, &diff, DNS_DIFFOP_ADD, + name, ttl, &rdata); + if (result != ISC_R_SUCCESS) { + update_log(client, zone, + LOGLEVEL_PROTOCOL, + "adding an RR " + "failed: %s", + isc_result_totext( + result)); + goto failure; + } } } } else if (update_class == dns_rdataclass_any) { From c1ac8b6ad01a89af398902048ace38c9a3c12754 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 3 Jun 2024 08:00:27 +0200 Subject: [PATCH 18/19] Log rekey failure as error if too many records By default we log a rekey failure on debug level. We should probably change the log level to error. We make an exception for when the zone is not loaded yet, it often happens at startup that a rekey is run before the zone is fully loaded. --- lib/dns/zone.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index f8c0723ff6..ce803abf0b 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -22498,7 +22498,11 @@ failure: * Something went wrong; try again in ten minutes or * after a key refresh interval, whichever is shorter. */ - dnssec_log(zone, ISC_LOG_DEBUG(3), + int loglevel = ISC_LOG_DEBUG(3); + if (result != DNS_R_NOTLOADED) { + loglevel = ISC_LOG_ERROR; + } + dnssec_log(zone, loglevel, "zone_rekey failure: %s (retry in %u seconds)", isc_result_totext(result), ISC_MIN(zone->refreshkeyinterval, 600)); From 1bf7795b389fb6847a46ba801e85ad715d6403cb Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 23 May 2024 19:16:54 -0700 Subject: [PATCH 19/19] Add CHANGES and release note for [GL #3403] --- CHANGES | 16 ++++++++++++++++ doc/notes/notes-current.rst | 15 +++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/CHANGES b/CHANGES index 3165203b82..c8e043e514 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,19 @@ +6401. [security] An excessively large number of rrtypes per owner can + slow down database query processing, so a limit has been + placed on the number of rrtypes that can be stored per + owner (node) in a cache or zone database. This is + configured with the new "max-rrtypes-per-name" option, + and defaults to 100. (CVE-2024-1737) + [GL #3403] [GL #4548] + +6400. [security] Excessively large rdatasets can slow down database + query processing, so a limit has been placed on the + number of records that can be stored per rdataset + in a cache or zone database. This is configured + with the new "max-records-per-type" option, and + defaults to 100. (CVE-2024-1737) + [GL #497] [GL #3405] + 6399. [security] Malicious DNS client that sends many queries over TCP but never reads responses can cause server to respond slowly or not respond at all for other diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 1cda5eeab3..88b0fd75fa 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -19,6 +19,21 @@ Security Fixes responses can cause server to respond slowly or not respond at all for other clients. :cve:`2024-0760` :gl:`#4481` +- Excessively large resource record sets can be crafted to slow down + database processing. This has been addressed by adding a configurable + limit to the number of records that can be stored per name and type in + a cache or zone database. The default is 100, but it can be tuned with + the new ``max-records-per-type`` option. :gl:`#497` :gl:`#3405` + + An excessively large number of resource record types for a single owner name can + be crafted to slow down database processing. This has been addressed by adding + a configurable limit to the number of records that can be stored per name and + type in a cache or zone database. The default is 100, and can be tuned with + the new ``max-rrtypes-per-name`` option. :cve:`2024-1737` :gl:`#3403` + + ISC would like to thank Toshifumi Sakaguchi who independently discovered + and responsibly reported the issue to ISC. :gl:`#4548` + New Features ~~~~~~~~~~~~