[9.20] fix: usr: Ensure max-clients-per-query is at least clients-per-query

If the `max-clients-per-query` option is set to a lower value than `clients-per-query`, the value is adjusted to match `clients-per-query`. Closes #5224 Backport of MR !10241 Merge branch 'backport-5224-raise-max-clients-per-query-to-be-at-least-9.20' into 'bind-9.20' See merge request isc-projects/bind9!10244
2025-08-29 13:38:26 +00:00 · 2025-03-20 13:57:03 +00:00 · 2025-03-20 13:57:03 +00:00 · 8f78219cc1
commit 8f78219cc1
parent 5de1b3ba3c c5b8e1f5a1
4 changed files with 84 additions and 8 deletions
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -4191,7 +4191,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 	uint32_t maxbits;
 	unsigned int resopts = 0;
 	dns_zone_t *zone = NULL;
-	uint32_t max_clients_per_query;
+	uint32_t clients_per_query, max_clients_per_query;
 	bool empty_zones_enable;
 	const cfg_obj_t *disablelist = NULL;
 	isc_stats_t *resstats = NULL;
@ -5621,15 +5621,26 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 	INSIST(result == ISC_R_SUCCESS);
 	view->v6bias = cfg_obj_asuint32(obj) * 1000;

+	obj = NULL;
+	result = named_config_get(maps, "clients-per-query", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	clients_per_query = cfg_obj_asuint32(obj);
+
 	obj = NULL;
 	result = named_config_get(maps, "max-clients-per-query", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	max_clients_per_query = cfg_obj_asuint32(obj);

-	obj = NULL;
-	result = named_config_get(maps, "clients-per-query", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj),
+	if (max_clients_per_query < clients_per_query) {
+		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+			    "configured clients-per-query (%u) exceeds "
+			    "max-clients-per-query (%u); automatically "
+			    "adjusting max-clients-per-query to (%u)",
+			    clients_per_query, max_clients_per_query,
+			    clients_per_query);
+		max_clients_per_query = clients_per_query;
+	}
+	dns_resolver_setclientsperquery(view->resolver, clients_per_query,
 					max_clients_per_query);

 	/*
--- a/bin/tests/system/fetchlimit/ns5/named3.conf.in
+++ b/bin/tests/system/fetchlimit/ns5/named3.conf.in
@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port @PORT@;
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.5; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+	notify yes;
+	stale-answer-enable yes;
+	stale-cache-enable yes;
+	stale-answer-client-timeout 0;
+	/* max-clients-per-query < clients-per-query */
+	clients-per-query 10;
+	max-clients-per-query 5;
+};
+
+trust-anchors { };
+
+server 10.53.0.4 {
+	edns no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
--- a/bin/tests/system/fetchlimit/tests.sh
+++ b/bin/tests/system/fetchlimit/tests.sh
@ -328,5 +328,14 @@ echo_i "$zspill clients spilled (expected $expected)"
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking a warning is logged if max-clients-per-query < clients-per-query ($n)"
+ret=0
+copy_setports ns5/named3.conf.in ns5/named.conf
+rndc_reconfig ns5 10.53.0.5
+wait_for_message ns5/named.run "configured clients-per-query (10) exceeds max-clients-per-query (5); automatically adjusting max-clients-per-query to (10)" || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3804,9 +3804,13 @@ system.
   after 20 minutes if it has remained unchanged.

   If :any:`max-clients-per-query` is set to zero, there is no upper bound, other
-   than that imposed by :any:`recursive-clients`. If :any:`clients-per-query` is
-   set to zero, :any:`max-clients-per-query` no longer applies and there is no
-   upper bound, other than that imposed by :any:`recursive-clients`.
+   than that imposed by :any:`recursive-clients`. If the option is set to a
+   lower value than :any:`clients-per-query`, the value is adjusted to
+   :any:`clients-per-query`.
+
+   If :any:`clients-per-query` is set to zero, :any:`max-clients-per-query` no
+   longer applies and there is no upper bound, other than that imposed by
+   :any:`recursive-clients`.

 .. namedconf:statement:: max-validations-per-fetch
   :tags: server