3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
3686. [func] "dnssec-signzone -Q" drops signatures from keys
that are still published but no longer active.
[RT #34990]
(cherry picked from commit 0bbe3273a2)
This incorporates the following changes, plus a new configure
option "--enable-rrl" to turn them on:
3575. [func] Changed the logging category for RRL events from
'queries' to 'query-errors'. [RT #33540]
3554. [bug] RRL failed to correctly rate-limit upward
referrals and failed to count dropped error
responses in the statistics. [RT #33225]
3545. [bug] RRL slip behavior was incorrect when set to 1.
[RT #33111]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
amplification attacks by rate-limiting substantially-
identical responses. To enable, use "configure
--enable-rrl". [RT #28130]
3501. [func] zone-statistics now takes three options: full,
terse, and none. "yes" and "no" are retained as
synonyms for full and terse, respectively. [RT #29165]
(cherry picked from commit 40a7e85f3e)
3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
3316. [tuning] Improved locking performance when recursing.
[RT #28836]
3315. [tuning] Use multiple dispatch objects for sending upstream
queries; this can improve performance on busy
multiprocessor systems by reducing lock contention.
[RT #28605]
