implement 'max-query-restarts'

implement, document, and test the 'max-query-restarts' option which specifies the query restart limit - the number of times we can follow CNAMEs before terminating resolution.
2024-06-25 23:49:00 -07:00
parent 7e3b425dc2
commit 104f3b82fb
9 changed files with 60 additions and 8 deletions
--- a/bin/tests/system/chain/ns7/named.conf.in
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -37,11 +37,28 @@ key rndc_key {
 	algorithm @DEFAULT_HMAC@;
 };

+key restart16 {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
 controls {
 	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };

-zone "." {
-	type hint;
-	file "root.hint";
+view restart16 {
+	match-clients { key restart16; none; };
+	max-query-restarts 16;
+
+	zone "." {
+		type hint;
+		file "root.hint";
+	};
+};
+
+view default {
+	zone "." {
+		type hint;
+		file "root.hint";
+	};
 };
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
@@ -442,11 +442,13 @@ n=$((n + 1))
 echo_i "checking CNAME loops are detected (resolver) ($n)"
 ret=0
 $RNDCCMD 10.53.0.7 null --- start test$n --- 2>&1 | sed 's/^/ns7 /' | cat_i
-$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.test$n
-grep "status: SERVFAIL" dig.out.test$n >/dev/null || ret=1
-grep "ANSWER: 0" dig.out.test$n >/dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
+$DIG $DIGOPTS @10.53.0.7 loop.example >dig.out.1.test$n
+grep "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1
+grep "ANSWER: 12" dig.out.1.test$n >/dev/null || ret=1
+# also check with max-query-restarts 16:
+$DIG $DIGOPTS @10.53.0.7 -y "${DEFAULT_HMAC}:restart16:1234abcd8765" loop.example >dig.out.2.test$n
+grep "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1
+grep "ANSWER: 17" dig.out.2.test$n >/dev/null || ret=1

 n=$((n + 1))
 echo_i "checking CNAME loops are detected (auth) ($n)"
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -81,6 +81,7 @@ options {
 	check-names primary warn;
 	check-names secondary ignore;
 	max-cache-size 20000000000000;
+	max-query-restarts 10;
 	nta-lifetime 604800;
 	nta-recheck 604800;
 	validate-except {
@@ -112,6 +113,7 @@ view "first" {
 		max-ixfr-ratio unlimited;
 	};
 	dnssec-validation auto;
+	max-query-restarts 15;
 	zone-statistics terse;
 };
 view "second" {