From af7db8951364a89c468eda1535efb3f53adc2c1f Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 22 May 2024 15:17:47 -0700
Subject: [PATCH] apply max-recursion-queries quota to validator queries
previously, validator queries for DNSKEY and DS records were not counted toward the quota for max-recursion-queries; they are now.
---
 lib/dns/include/dns/validator.h | 15 ++++++++-------
 lib/dns/resolver.c | 2 +-
 lib/dns/validator.c | 17 +++++++++++++----
 3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index c68c5555b9..02058d115b 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -146,12 +146,13 @@ struct dns_validator {
 unsigned int authfail;
 isc_stdtime_t start;
- bool digest_sha1;
- bool supported_algorithm;
- dns_rdata_t rdata;
- bool resume;
- uint32_t *nvalidations;
- uint32_t *nfails;
+ bool digest_sha1;
+ bool supported_algorithm;
+ dns_rdata_t rdata;
+ bool resume;
+ uint32_t *nvalidations;
+ uint32_t *nfails;
+ isc_counter_t *qc;
 };
 /*%
@@ -170,7 +171,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 dns_message_t *message, unsigned int options,
 isc_loop_t *loop, isc_job_cb cb, void *arg,
 uint32_t *nvalidations, uint32_t *nfails,
- dns_validator_t **validatorp);
+ isc_counter_t *qc, dns_validator_t **validatorp);
 /*%<
 * Start a DNSSEC validation.
 *
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ee85b1e017..a7eb821ced 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
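Review bot: The new `qc` member added to struct dns_validator is the only field in this hunk without any comment, and the header hunk adds no include or forward declaration for `isc_counter_t`; the only include this patch adds is in validator.c. If validator.h does not already get the type from an existing include (isc/types.h or similar, not visible here), the header no longer compiles standalone, so please confirm. I would also state the sharing and nullability at the declaration, since the resolver passes its fetch's counter and the validator.c hunks accept NULL: `isc_counter_t *qc; /*%< max-recursion-queries counter shared with the originating fetch; may be NULL */`. The struct definition begins before this hunk.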
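Review bot: The prototype of dns_validator_create() gains `isc_counter_t *qc`, but the doc comment that starts `/*%< Start a DNSSEC validation.` (its body continues past the end of the hunk) is not updated to describe the new argument. Callers need to know that NULL is accepted and that the validator takes its own reference via isc_counter_attach() rather than adopting the caller's, both of which are visible in the validator.c hunks of this patch. I would add a line to that comment such as: `'qc' is the max-recursion-queries counter that the validator's own DNSKEY/DS fetches are charged against (per the commit intent); may be NULL; the validator attaches its own reference and releases it on destroy.`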
@@ -991,7 +991,7 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
 result = dns_validator_create(
 fctx->res->view, name, type, rdataset, sigrdataset, message,
 valoptions, fctx->loop, validated, valarg, &fctx->nvalidations,
- &fctx->nfails, &validator);
+ &fctx->nfails, fctx->qc, &validator);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 inc_stats(fctx->res, dns_resstatscounter_val);
 if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 7c4135b61c..814551d759 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -16,6 +16,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -974,9 +975,10 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 (DNS_VALIDATOR_NOCDFLAG | DNS_VALIDATOR_NONTA));
 validator_logcreate(val, name, type, caller, "validator");
- result = dns_validator_create(
- val->view, name, type, rdataset, sig, NULL, vopts, val->loop,
- cb, val, val->nvalidations, val->nfails, &val->subvalidator);
+ result = dns_validator_create(val->view, name, type, rdataset, sig,
+ NULL, vopts, val->loop, cb, val,
+ val->nvalidations, val->nfails, val->qc,
+ &val->subvalidator);
 if (result == ISC_R_SUCCESS) {
 dns_validator_attach(val, &val->subvalidator->parent);
 val->subvalidator->depth = val->depth + 1;
@@ -3355,7 +3357,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 dns_message_t *message, unsigned int options,
 isc_loop_t *loop, isc_job_cb cb, void *arg,
 uint32_t *nvalidations, uint32_t *nfails,
- dns_validator_t **validatorp) {
+ isc_counter_t *qc, dns_validator_t **validatorp) {
 isc_result_t result = ISC_R_FAILURE;
 dns_validator_t *val = NULL;
 dns_keytable_t *kt = NULL;
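Review bot: In create_validator() the subvalidator is handed the parent's `val->qc`, so every level of a DNSKEY/DS chain draws from one shared budget rather than each getting a fresh one; that is the property that bounds the total fan-out of a validation, and it is worth recording next to the depth bookkeeping so a later change does not quietly give subvalidators their own counter. I would add above the call: `/* subvalidators share the parent's max-recursion-queries counter so the whole chain is bounded by one quota */`. When `val->qc` is NULL the subvalidator simply inherits no quota, which follows from the NULL check in dns_validator_create() later in this patch. create_validator() begins and ends outside this hunk.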
@@ -3395,6 +3397,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 dns_message_attach(message, &val->message);
 }
+ if (qc != NULL) {
+ isc_counter_attach(qc, &val->qc);
+ }
+
 val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
 dns_rdataset_init(&val->fdsset);
 dns_rdataset_init(&val->frdataset);
@@ -3470,6 +3476,9 @@ destroy_validator(dns_validator_t *val) {
 if (val->message != NULL) {
 dns_message_detach(&val->message);
 }
+ if (val->qc != NULL) {
+ isc_counter_detach(&val->qc);
+ }
 dns_view_detach(&val->view);
 isc_mem_put(mctx, val, sizeof(*val));
 }
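Review bot: Nothing in this patch consumes `val->qc`: this hunk attaches the counter and destroy_validator() detaches it, but no hunk touches the code path that issues the validator's own DNSKEY/DS fetch, and the diffstat (17 lines in validator.c) is fully accounted for by the hunks shown. Unless the fetch-creation path already reads `val->qc` through a change outside this commit, the counter is carried and released but never charged, and the commit message's claim that validator queries now count toward max-recursion-queries would not hold. Please point at the line that passes `val->qc` into the fetch creation (or add it), and mention it in the commit message. Separately, isc_counter_attach() into `&val->qc` presumes `val->qc` was zeroed when `val` was allocated earlier in dns_validator_create(), outside this hunk; the `val->qc != NULL` test in destroy_validator() relies on the same thing, so it is worth confirming the allocation path does zero the struct.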