From ab0bf492035c01687dfff8f546b78ac30739348c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 26 Nov 2020 15:59:14 +1100 Subject: [PATCH] Adjust default value of "max-recursion-queries" Since the queries sent towards root and TLD servers are now included in the count (as a result of the fix for CVE-2020-8616), "max-recursion-queries" has a higher chance of being exceeded by non-attack queries. Increase its default value from 75 to 100. --- CHANGES | 3 +++ bin/named/config.c | 2 +- doc/arm/reference.rst | 2 +- doc/notes/notes-current.rst | 6 ++++++ lib/dns/resolver.c | 2 +- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 9d93b66fdd..1b8f964817 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5541. [func] Adjust the "max-recursion-queries" default from 75 to + 100. [GL #2305] + 5540. [port] Fix building with native PKCS#11 support for AEP Keyper. [GL #2315] diff --git a/bin/named/config.c b/bin/named/config.c index 9b0c6f06e2..437d92ab5b 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -170,7 +170,7 @@ options {\n\ max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ - max-recursion-queries 75;\n\ + max-recursion-queries 100;\n\ max-stale-ttl 43200; /* 12 hours */\n\ message-compression yes;\n\ min-ncache-ttl 0; /* 0 hours */\n\ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index bcbbe3d05d..fd40de3837 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3514,7 +3514,7 @@ Tuning ``max-recursion-queries`` This sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive - query is terminated and returns SERVFAIL. The default is 75. + query is terminated and returns SERVFAIL. The default is 100. ``notify-delay`` This sets the delay, in seconds, between sending sets of NOTIFY messages for a 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c58df5cafb..23dae45db3 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -41,6 +41,12 @@ Feature Changes configuration. A new option 'nsec3param' can be used to set the desired NSEC3 parameters, and will detect collisions when resalting. [GL #1620]. +- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the + queries sent towards root and TLD servers are now included in the + count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries`` + has a higher chance of being exceeded by non-attack queries, which is the + main reason for increasing its default value. [GL #2305] + Bug Fixes ~~~~~~~~~ diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index fcfbae17c6..447d85062b 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -181,7 +181,7 @@ /* The default maximum number of iterative queries to allow before giving up. */ #ifndef DEFAULT_MAX_QUERIES -#define DEFAULT_MAX_QUERIES 75 +#define DEFAULT_MAX_QUERIES 100 #endif /* ifndef DEFAULT_MAX_QUERIES */ /*
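Review bot: in the bin/named/config.c hunk, the literal `max-recursion-queries 100;` in the built-in options string duplicates `DEFAULT_MAX_QUERIES 100` in lib/dns/resolver.c, and both had to be bumped by hand in this patch; consider deriving the config.c string from the resolver.c macro (or adding a cross-referencing comment next to each) so a future adjustment cannot leave the two defaults out of sync.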
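Review bot: the doc/arm/reference.rst hunk only changes the number, but the surrounding text ("maximum number of iterative queries that may be sent while servicing a recursive query") does not tell operators that queries to root and TLD servers are now included in that count, which the commit message gives as the reason for the new default; since an operator who tuned this value under the old counting may now hit SERVFAIL earlier than expected, consider adding a sentence here, e.g. "Queries sent to root and TLD servers are included in this count." next to "The default is 100."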
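Review bot: in the doc/notes/notes-current.rst hunk, the trailing clause "which is the main reason for increasing its default value" restates what the first sentence already says; the release note reads more cleanly if it ends at "non-attack queries. [GL #2305]", matching the shorter wording used in the CHANGES entry for 5541.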