apply max-recursion-queries quota to validator queries

previously, validator queries for DNSKEY and DS records were not counted toward the quota for max-recursion-queries; they are now.
2025-08-30 05:57:52 +00:00 · 2024-05-22 15:17:47 -07:00 · 2024-05-22 15:17:47 -07:00 · af7db89513
commit af7db89513
parent d3b7e92783
3 changed files with 22 additions and 12 deletions
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@ -146,12 +146,13 @@ struct dns_validator {
 	unsigned int  authfail;
 	isc_stdtime_t start;

-	bool	    digest_sha1;
-	bool	    supported_algorithm;
-	dns_rdata_t rdata;
-	bool	    resume;
-	uint32_t   *nvalidations;
-	uint32_t   *nfails;
+	bool	       digest_sha1;
+	bool	       supported_algorithm;
+	dns_rdata_t    rdata;
+	bool	       resume;
+	uint32_t      *nvalidations;
+	uint32_t      *nfails;
+	isc_counter_t *qc;
 };

 /*%
@ -170,7 +171,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_message_t *message, unsigned int options,
 		     isc_loop_t *loop, isc_job_cb cb, void *arg,
 		     uint32_t *nvalidations, uint32_t *nfails,
-		     dns_validator_t **validatorp);
+		     isc_counter_t *qc, dns_validator_t **validatorp);
 /*%<
 * Start a DNSSEC validation.
 *
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -991,7 +991,7 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
 	result = dns_validator_create(
 		fctx->res->view, name, type, rdataset, sigrdataset, message,
 		valoptions, fctx->loop, validated, valarg, &fctx->nvalidations,
-		&fctx->nfails, &validator);
+		&fctx->nfails, fctx->qc, &validator);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	inc_stats(fctx->res, dns_resstatscounter_val);
 	if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -16,6 +16,7 @@

 #include <isc/async.h>
 #include <isc/base32.h>
+#include <isc/counter.h>
 #include <isc/job.h>
 #include <isc/md.h>
 #include <isc/mem.h>
@ -974,9 +975,10 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 		  (DNS_VALIDATOR_NOCDFLAG | DNS_VALIDATOR_NONTA));

 	validator_logcreate(val, name, type, caller, "validator");
-	result = dns_validator_create(
-		val->view, name, type, rdataset, sig, NULL, vopts, val->loop,
-		cb, val, val->nvalidations, val->nfails, &val->subvalidator);
+	result = dns_validator_create(val->view, name, type, rdataset, sig,
+				      NULL, vopts, val->loop, cb, val,
+				      val->nvalidations, val->nfails, val->qc,
+				      &val->subvalidator);
 	if (result == ISC_R_SUCCESS) {
 		dns_validator_attach(val, &val->subvalidator->parent);
 		val->subvalidator->depth = val->depth + 1;
@ -3355,7 +3357,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_message_t *message, unsigned int options,
 		     isc_loop_t *loop, isc_job_cb cb, void *arg,
 		     uint32_t *nvalidations, uint32_t *nfails,
-		     dns_validator_t **validatorp) {
+		     isc_counter_t *qc, dns_validator_t **validatorp) {
 	isc_result_t result = ISC_R_FAILURE;
 	dns_validator_t *val = NULL;
 	dns_keytable_t *kt = NULL;
@ -3395,6 +3397,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		dns_message_attach(message, &val->message);
 	}

+	if (qc != NULL) {
+		isc_counter_attach(qc, &val->qc);
+	}
+
 	val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
 	dns_rdataset_init(&val->fdsset);
 	dns_rdataset_init(&val->frdataset);
@ -3470,6 +3476,9 @@ destroy_validator(dns_validator_t *val) {
 	if (val->message != NULL) {
 		dns_message_detach(&val->message);
 	}
+	if (val->qc != NULL) {
+		isc_counter_detach(&val->qc);
+	}
 	dns_view_detach(&val->view);
 	isc_mem_put(mctx, val, sizeof(*val));
 }