From 15922a507d422e2d2ea98484f0cab08343fe7b86 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 12 Mar 2025 16:48:54 +0100 Subject: [PATCH 1/3] Update max-clients-per-query documentation The new intended behavior is that 'max-clients-per-query' value is raised to equal 'clients-per-query' if it is lower. (cherry picked from commit f50753f303e8969610f28f3a64f81be4b5f5594b) --- doc/arm/reference.rst | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index de79b3d027..75a46f0bff 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3804,9 +3804,13 @@ system. after 20 minutes if it has remained unchanged. If :any:`max-clients-per-query` is set to zero, there is no upper bound, other - than that imposed by :any:`recursive-clients`. If :any:`clients-per-query` is - set to zero, :any:`max-clients-per-query` no longer applies and there is no - upper bound, other than that imposed by :any:`recursive-clients`. + than that imposed by :any:`recursive-clients`. If the option is set to a + lower value than :any:`clients-per-query`, the value is adjusted to + :any:`clients-per-query`. + + If :any:`clients-per-query` is set to zero, :any:`max-clients-per-query` no + longer applies and there is no upper bound, other than that imposed by + :any:`recursive-clients`. .. namedconf:statement:: max-validations-per-fetch :tags: server From 41cc6eeaaf458828fe9ba2207811f97fcd3eb5f7 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 13 Mar 2025 09:27:41 +0100 Subject: [PATCH 2/3] Test new max-clients-per-query log warning Make sure the new warning is logged. (cherry picked from commit 1f674ef42eda5d55d113b3e05e5e638a27af703d) --- .../system/fetchlimit/ns5/named3.conf.in | 52 +++++++++++++++++++ bin/tests/system/fetchlimit/tests.sh | 9 ++++ 2 files changed, 61 insertions(+) create mode 100644 bin/tests/system/fetchlimit/ns5/named3.conf.in 
diff --git a/bin/tests/system/fetchlimit/ns5/named3.conf.in b/bin/tests/system/fetchlimit/ns5/named3.conf.in
new file mode 100644
index 0000000000..7fb1bafd80
--- /dev/null
+++ b/bin/tests/system/fetchlimit/ns5/named3.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ directory ".";
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ notify yes;
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-answer-client-timeout 0;
+ /* max-clients-per-query < clients-per-query */
+ clients-per-query 10;
+ max-clients-per-query 5;
+};
+
+trust-anchors { };
+
+server 10.53.0.4 {
+ edns no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "root.hint";
+};
diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh
index 9a5bdc20bd..0909f57a22 100644
--- a/bin/tests/system/fetchlimit/tests.sh
+++ b/bin/tests/system/fetchlimit/tests.sh
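Review bot: In ns5/named3.conf.in the comment `/* max-clients-per-query < clients-per-query */` names the condition but not the outcome the fixture exists to provoke. Something like `/* max-clients-per-query < clients-per-query: named should warn and raise the maximum to 10 */` would tie it to the check in tests.sh. The `controls` block uses `allow { any; }` with the fixed `rndc_key` secret written into the file, presumably the suite's usual fixture pattern on the 10.53.0.5 test address; a short comment marking the key as test-only would keep the block from being read as a template.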
@@ -328,5 +328,14 @@ echo_i "$zspill clients spilled (expected $expected)" if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +n=$((n + 1)) +echo_i "checking a warning is logged if max-clients-per-query < clients-per-query ($n)" +ret=0 +copy_setports ns5/named3.conf.in ns5/named.conf +rndc_reconfig ns5 10.53.0.5 +wait_for_message ns5/named.run "configured clients-per-query (10) exceeds max-clients-per-query (5); automatically adjusting max-clients-per-query to (10)" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From c5b8e1f5a134ec5a6ad6867510d832bad1bf10f7 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 13 Mar 2025 09:28:37 +0100 Subject: [PATCH 3/3] Raise max-clients-per-query to be at least In the case where 'clients-per-query' is larger than 'max-clients-per-query', raise 'max-clients-per-query' so that 'clients-per-query' equals 'max-clients-per-query' and log a warning that this is what happened. (cherry picked from commit f6f9645ed14660225786bd1eeae2b8345ad38b6d) --- bin/named/server.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index f11a4e97e0..036799831b 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4191,7 +4191,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, uint32_t maxbits; unsigned int resopts = 0; dns_zone_t *zone = NULL; - uint32_t max_clients_per_query; + uint32_t clients_per_query, max_clients_per_query; bool empty_zones_enable; const cfg_obj_t *disablelist = NULL; isc_stats_t *resstats = NULL; 
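Review bot: The check added to tests.sh passes on the warning text alone and never confirms that ns5 actually runs with the raised limit. As far as this hunk shows, the results of `copy_setports` and `rndc_reconfig` are not folded into `ret`, so a failed reconfig would surface only as a `wait_for_message` timeout. The documented `max-clients-per-query 0` (no upper bound) setting is also left unexercised; a companion case asserting that no adjustment warning is logged for it would pin that boundary. At minimum I would add `# only the log warning is verified here, not the effective limit` above the `wait_for_message` line.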
@@ -5621,15 +5621,26 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, INSIST(result == ISC_R_SUCCESS); view->v6bias = cfg_obj_asuint32(obj) * 1000; + obj = NULL; + result = named_config_get(maps, "clients-per-query", &obj); + INSIST(result == ISC_R_SUCCESS); + clients_per_query = cfg_obj_asuint32(obj); + obj = NULL; result = named_config_get(maps, "max-clients-per-query", &obj); INSIST(result == ISC_R_SUCCESS); max_clients_per_query = cfg_obj_asuint32(obj); - obj = NULL; - result = named_config_get(maps, "clients-per-query", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_resolver_setclientsperquery(view->resolver, cfg_obj_asuint32(obj), + if (max_clients_per_query < clients_per_query) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "configured clients-per-query (%u) exceeds " + "max-clients-per-query (%u); automatically " + "adjusting max-clients-per-query to (%u)", + clients_per_query, max_clients_per_query, + clients_per_query); + max_clients_per_query = clients_per_query; + } + dns_resolver_setclientsperquery(view->resolver, clients_per_query, max_clients_per_query); /*
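Review bot: The new guard `if (max_clients_per_query < clients_per_query)` does not exempt a configured `max-clients-per-query 0`, which the reference text updated in this same series documents as "no upper bound". As written, a zero maximum with any non-zero clients-per-query takes the branch, logs the warning and replaces the unlimited setting with a cap equal to clients-per-query, unless zero is normalized somewhere outside this hunk. That silently changes an operator-chosen resource limit. I would write the condition as `if (max_clients_per_query != 0 && max_clients_per_query < clients_per_query) {` and add a one-line comment above it saying that zero means unlimited. configure_view() starts and ends outside the hunk.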