mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00

Adjust default value of "max-recursion-queries"

Since the queries sent towards root and TLD servers are now included in
the count (as a result of the fix for CVE-2020-8616),
"max-recursion-queries" has a higher chance of being exceeded by
non-attack queries.  Increase its default value from 75 to 100.
Mark Andrews 2020-11-26 15:59:14 +11:00
parent 1d11013a18
commit ab0bf49203
5 changed files with 12 additions and 3 deletions


@ -1,3 +1,6 @@
5541. [func] Adjust the "max-recursion-queries" default from 75 to
100. [GL #2305]
5540. [port] Fix building with native PKCS#11 support for AEP Keyper. 5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
[GL #2315] [GL #2315]
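
Review bot: The new 5541 entry records the change from 75 to 100 but not the reason for it. Consider adding a short clause saying that queries sent towards root and TLD servers now count against the limit after the CVE-2020-8616 fix, so a reader of this file alone can tell it compensates for an accounting change and does not loosen the limit for its own sake.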


@ -170,7 +170,7 @@ options {\n\
max-clients-per-query 100;\n\ max-clients-per-query 100;\n\
max-ncache-ttl 10800; /* 3 hours */\n\ max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\ max-recursion-depth 7;\n\
max-recursion-queries 75;\n\ max-recursion-queries 100;\n\
max-stale-ttl 43200; /* 12 hours */\n\ max-stale-ttl 43200; /* 12 hours */\n\
message-compression yes;\n\ message-compression yes;\n\
min-ncache-ttl 0; /* 0 hours */\n\ min-ncache-ttl 0; /* 0 hours */\n\
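
Review bot: The literal 100 on the "max-recursion-queries" line of this built-in options block is now a second copy of the value in "#define DEFAULT_MAX_QUERIES 100", and nothing in either place ties them together. Both are updated here, but a later change could touch one and miss the other; a comment at the define pointing to this default (or the reverse) would make the pairing visible to the next editor.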


@ -3514,7 +3514,7 @@ Tuning
``max-recursion-queries`` ``max-recursion-queries``
This sets the maximum number of iterative queries that may be sent while This sets the maximum number of iterative queries that may be sent while
servicing a recursive query. If more queries are sent, the recursive servicing a recursive query. If more queries are sent, the recursive
query is terminated and returns SERVFAIL. The default is 75. query is terminated and returns SERVFAIL. The default is 100.
``notify-delay`` ``notify-delay``
This sets the delay, in seconds, between sending sets of NOTIFY messages for a This sets the delay, in seconds, between sending sets of NOTIFY messages for a
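
Review bot: The "max-recursion-queries" description updates the number but still does not say which queries are counted. Since the commit message gives the inclusion of queries sent towards root and TLD servers as the reason for the new default, a sentence here stating that those queries count towards the limit would help operators who tune this option or investigate SERVFAIL responses.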


@ -41,6 +41,12 @@ Feature Changes
configuration. A new option 'nsec3param' can be used to set the desired configuration. A new option 'nsec3param' can be used to set the desired
NSEC3 parameters, and will detect collisions when resalting. [GL #1620]. NSEC3 parameters, and will detect collisions when resalting. [GL #1620].
- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the
queries sent towards root and TLD servers are now included in the
count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries``
has a higher chance of being exceeded by non-attack queries, which is the
main reason for increasing its default value. [GL #2305]
Bug Fixes Bug Fixes
~~~~~~~~~ ~~~~~~~~~
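
Review bot: The new bullet covers only the default, so it leaves out operators who set ``max-recursion-queries`` explicitly. A configured value of 75 or lower stays as it is while the count now includes root and TLD queries, so those deployments have the same higher chance of non-attack queries exceeding the limit; suggest one sentence advising them to review their setting. The closing clause "which is the main reason for increasing its default value" repeats the opening of the bullet and could be dropped.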


@ -181,7 +181,7 @@
/* The default maximum number of iterative queries to allow before giving up. */ /* The default maximum number of iterative queries to allow before giving up. */
#ifndef DEFAULT_MAX_QUERIES #ifndef DEFAULT_MAX_QUERIES
#define DEFAULT_MAX_QUERIES 75 #define DEFAULT_MAX_QUERIES 100
#endif /* ifndef DEFAULT_MAX_QUERIES */ #endif /* ifndef DEFAULT_MAX_QUERIES */
/* /*
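
Review bot: The comment above "#define DEFAULT_MAX_QUERIES 100" still reads only "The default maximum number of iterative queries to allow before giving up", so the rationale for 100 is not recorded at the point where the value lives. Suggest extending the comment to note that the count includes queries sent towards root and TLD servers, with a reference to GL #2305. Also, none of the five changed files shown appears to be a test; a test in which a resolution needing more than 75 but fewer than 100 queries succeeds would pin the new default.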