|
 |
1d9581 |
From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
|
|
|
1d9581 |
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
|
|
1d9581 |
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
|
|
1d9581 |
Subject: [PATCH] Bound the amount of work performed for delegations
|
|
|
1d9581 |
|
|
|
1d9581 |
Limit the amount of database lookups that can be triggered in
|
|
|
1d9581 |
fctx_getaddresses() (i.e. when determining the name server addresses to
|
|
|
1d9581 |
query next) by setting a hard limit on the number of NS RRs processed
|
|
|
1d9581 |
for any delegation encountered. Without any limit in place, named can
|
|
|
1d9581 |
be forced to perform large amounts of database lookups per each query
|
|
|
1d9581 |
received, which severely impacts resolver performance.
|
|
|
1d9581 |
|
|
|
1d9581 |
The limit used (20) is an arbitrary value that is considered to be big
|
|
|
1d9581 |
enough for any sane DNS delegation.
|
|
|
1d9581 |
|
|
|
1d9581 |
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
|
|
1d9581 |
(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
|
|
|
1d9581 |
---
|
|
|
1d9581 |
lib/dns/resolver.c | 12 ++++++++++++
|
|
|
1d9581 |
1 file changed, 12 insertions(+)
|
|
|
1d9581 |
|
|
|
1d9581 |
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
|
1d9581 |
index 8ae9a993bb..ac9a9ef5d0 100644
|
|
|
1d9581 |
--- a/lib/dns/resolver.c
|
|
|
1d9581 |
+++ b/lib/dns/resolver.c
|
|
|
1d9581 |
@@ -180,6 +180,12 @@
|
|
|
1d9581 |
*/
|
|
|
1d9581 |
#define NS_FAIL_LIMIT 4
|
|
|
1d9581 |
#define NS_RR_LIMIT 5
|
|
|
1d9581 |
+/*
|
|
|
1d9581 |
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
|
|
1d9581 |
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
|
|
1d9581 |
+ * large delegations.
|
|
|
1d9581 |
+ */
|
|
|
1d9581 |
+#define NS_PROCESSING_LIMIT 20
|
|
|
1d9581 |
|
|
|
1d9581 |
/* Number of hash buckets for zone counters */
|
|
|
1d9581 |
#ifndef RES_DOMAIN_BUCKETS
|
|
|
1d9581 |
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|
|
1d9581 |
bool need_alternate = false;
|
|
|
1d9581 |
bool all_spilled = true;
|
|
|
1d9581 |
unsigned int no_addresses = 0;
|
|
|
1d9581 |
+ unsigned int ns_processed = 0;
|
|
|
1d9581 |
|
|
|
1d9581 |
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
|
|
1d9581 |
|
|
|
1d9581 |
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|
|
1d9581 |
|
|
|
1d9581 |
dns_rdata_reset(&rdata);
|
|
|
1d9581 |
dns_rdata_freestruct(&ns);
|
|
|
1d9581 |
+
|
|
|
1d9581 |
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
|
|
1d9581 |
+ result = ISC_R_NOMORE;
|
|
|
1d9581 |
+ break;
|
|
|
1d9581 |
+ }
|
|
|
1d9581 |
}
|
|
|
1d9581 |
if (result != ISC_R_NOMORE) {
|
|
|
1d9581 |
return (result);
|
|
|
1d9581 |
--
|
|
|
1d9581 |
2.37.3
|
|
|
1d9581 |
|