3590. [bug] When using RRL on recursive servers, defer
rate-limiting until after recursion is complete;
also, use correct rcode for slipped NXDOMAIN
responses. [RT #33604]
(cherry picked from commit 89be55dc90)
This incorporates the following changes, plus a new configure
option "--enable-rrl" to turn them on:
3575. [func] Changed the logging category for RRL events from
'queries' to 'query-errors'. [RT #33540]
3554. [bug] RRL failed to correctly rate-limit upward
referrals and failed to count dropped error
responses in the statistics. [RT #33225]
3545. [bug] RRL slip behavior was incorrect when set to 1.
[RT #33111]
3518. [bug] Increase the size of dns_rrl_key.s.rtype by one bit
so that all dns_rrl_rtype_t enum values fit regardless
of whether it is teated as signed or unsigned by
the compiler. [RT #32792]
3494. [func] DNS RRL: Blunt the impact of DNS reflection and
amplification attacks by rate-limiting substantially-
identical responses. To enable, use "configure
--enable-rrl". [RT #28130]
3528. [func] New "dnssec-coverage" command scans the timing
metadata for a set of DNSSEC keys and reports if a
lapse in signing coverage has been scheduled
inadvertently. (Note: This tool depends on python;
it will not be built or installed on systems that
do not have a python interpreter.) [RT #28098]
(cherry picked from commit 831f59eb43)
3505. [bug] When setting "max-cache-size" and "max-acache-size",
larger values than 4 gigabytes could not be set
explicitly, though larger sizes were available
when setting cache size to 0. This has been
corrected; the full range is now available.
[RT #32358]
(cherry picked from commit 2a184ff865)
3501. [func] zone-statistics now takes three options: full,
terse, and none. "yes" and "no" are retained as
synonyms for full and terse, respectively. [RT #29165]
(cherry picked from commit 40a7e85f3e)
3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
