3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
This incorporates the following changes, plus a new configure
option "--enable-rrl" to turn them on:
3575. [func] Changed the logging category for RRL events from
'queries' to 'query-errors'. [RT #33540]
3554. [bug] RRL failed to correctly rate-limit upward
referrals and failed to count dropped error
responses in the statistics. [RT #33225]
3545. [bug] RRL slip behavior was incorrect when set to 1.
[RT #33111]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
amplification attacks by rate-limiting substantially-
identical responses. To enable, use "configure
--enable-rrl". [RT #28130]
- fix precedence among competing rules
- improve ARM text including documenting rule precedence
- try to rewrite CNAME chains until first hit
- new "rpz" logging channel
- same fix for "NS ." as in RT 24985
an internal cache framework for additional section
content to improve response performance. Several
configuration options were provided to control the
behavior.
Cleanup of redundant/useless header file inclusion.
ISC style lint, primarily for function declarations and standalone
comments -- ie, those that appear on a line without any code, which
should be written as follows:
/*
* This is a comment.
*/
return an isc_logconfig_t. isc_log_cretechannel and isc_log_usechannel
now take an isc_logconfig_t instead of an isc_log_t; this is to address
reconfiguration in a multithreaded environment.
isc_logconfig_create, isc_logconfig_get, isc_logconfig_use and
isc_logconfig_destroy were added to work with the new isc_logconfig_t type.
isc_logregister_categories and dns_log_init are now both void rather than
returning isc_result_t.
