ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Document the SIG(0) signature checking quota options

Browse Source 
Add documentation entries for the 'sig0checks-quota',
'sig0checks-quota-maxwait-ms', and 'sig0checks-quota-exempt'
optoins.
This commit is contained in:
Aram Sargsyan
2024-03-27 15:22:28 +00:00
committed by Nicki Křížek
parent c7f79a0353
commit bbc866d0cb
1 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
doc/arm/reference.rst
View File

@@ -4000,6 +4000,50 @@ system.
the server will accept for updating local authoritiative zones or
forwarding to a primary server. The default is ``100``.
.. namedconf:statement:: sig0checks-quota
:tags: server
:short: Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server.
This is the maximum number of simultaneous SIG(0)-signed messages that
the server will accept. If the quota is reached, then :iscman:`named` waits
for the maximum of :any:`sig0checks-quota-maxwait-ms` time for a quota to
appear or to answer with a status code of REFUSED. The value of ``0``
disables the quota. The default is ``1``.
.. note::
:any:`sig0checks-quota` protection does not work when there is only one
worker thread available, or when the option is set to a value that is
greater or equal to the worker threads available. See the ``-n #cpus``
option of :iscman:`named` for more information about the worker threads.
.. namedconf:statement:: sig0checks-quota-maxwait-ms
:tags: server
:short: Specifies the maximum number of milliseconds to wait for a SIG(0) signature checking quota to appear.
When :any:`sig0checks-quota` is effective and a client reaches the quota,
then :iscman:`named` waits for the maximum of
:any:`sig0checks-quota-maxwait-ms` time (in milliseconds) for a quota to
appear. If no quota becomes available, then an answer with a status code of
REFUSED is sent. The default is ``1500``.
.. namedconf:statement:: sig0checks-quota-exempt
:tags: server
:short: Exempts specific clients or client groups from SIG(0) signature checking quota.
DNS clients can be exempted from SIG(0) signature checking quota with the
:any:`sig0checks-quota-exempt` clause using their IP and/or Network
addresses. The default value is an empty list.
Example:
::
sig0checks-quota-exempt {
10.0.0.0/8;
2001:db8::100;
};
.. _intervals:
Periodic Task Intervals