- Add iter-scrub-ns, iter-scrub-cname and max-global-quota

configuration options.
NLnetLabs · Aug 20, 2024 · 3d350fa · 3d350fa
1 parent 015b2b0
commit 3d350fa
Show file tree

Hide file tree

Showing 11 changed files with 2,326 additions and 10 deletions.
diff --git a/doc/Changelog b/doc/Changelog
@@ -1,3 +1,7 @@
+20 August 2024: Wouter
+	- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
+	  configuration options.
+
 19 August 2024: Wouter
 	- Fix #1126: unbound-control-setup hangs while testing for openssl
 	  presence starting from version 1.21.0.

diff --git a/doc/example.conf.in b/doc/example.conf.in
@@ -187,6 +187,15 @@ server:
 	# query upon encountering a CNAME record.
 	# max-query-restarts: 11
 
+	# Limit on number of NS records in NS RRset for incoming packets.
+	# iter-scrub-ns: 20
+
+	# Limit on number of CNAME, DNAME records for incoming packets.
+	# iter-scrub-cname: 11
+
+	# Limit on upstream queries for an incoming query and its recursion.
+	# max-global-quota: 128
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
@@ -1957,6 +1957,23 @@ Changing this value needs caution as it can allow long CNAME chains to be
 accepted, where Unbound needs to verify (resolve) each link individually.
 Default is 11.
 .TP 5
+.B iter\-scrub\-ns: \fI<number>
+Limit on the number of NS records allowed in an rrset of type NS, from the
+iterator scrubber. This protects the internals of the resolver from overly
+large NS sets. Default is 20.
+.TP 5
+.B iter\-scrub\-cname: \fI<number>
+Limit on the number of CNAME, DNAME records in an answer, from the iterator
+scrubber. This protects the internals of the resolver from overly long
+indirection chains. Clips off the remainder of the reply packet at that point.
+Default is 11.
+.TP 5
+.B max\-global\-quota: \fI<number>
+Limit on the number of upstream queries sent out for an incoming query and
+its subqueries from recursion. It is not reset during the resolution. When
+it is exceeded the query is failed and the lookup process stops.
+Default is 128.
+.TP 5
 .B fast\-server\-permil: \fI<number>
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.  A value of 900 would pick from the fastest

diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
@@ -443,7 +443,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 	prev = NULL;
 	rrset = msg->rrset_first;
 	while(rrset && rrset->section == LDNS_SECTION_ANSWER) {
-		if(cname_length > 11 /* env->cfg.iter_scrub_cname */) {
+		if(cname_length > env->cfg->iter_scrub_cname) {
 			/* Too many CNAMEs, or DNAMEs, from the authority
 			 * server, scrub down the length to something
 			 * shorter. This deletes everything after the limit
@@ -562,8 +562,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 					dname_pkt_compare(pkt, oldsname,
 					rrset->dname) == 0) {
 					if(rrset->type == LDNS_RR_TYPE_NS &&
-						rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) {
-						shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */);
+						rrset->rr_count > env->cfg->iter_scrub_ns) {
+						shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
 					}
 					prev = rrset;
 					rrset = rrset->rrset_all_next;
@@ -581,8 +581,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 		}
 
 		if(rrset->type == LDNS_RR_TYPE_NS &&
-			rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) {
-			shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */);
+			rrset->rr_count > env->cfg->iter_scrub_ns) {
+			shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
 		}
 
 		/* Mark the additional names from relevant rrset as OK. */
@@ -641,7 +641,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 					"RRset:", pkt, msg, prev, &rrset);
 				continue;
 			}
-			if(rrset->rr_count > 20 /* env->cfg->iter_scrub_ns */) {
+			if(rrset->rr_count > env->cfg->iter_scrub_ns) {
 				/* If this is not a referral, and the NS RRset
 				 * is signed, then remove it entirely, so
 				 * that when it becomes bogus it does not
@@ -657,7 +657,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 						"RRset:", pkt, msg, prev, &rrset);
 					continue;
 				} else {
-					shorten_rrset(pkt, rrset, 20 /* env->cfg->iter_scrub_ns */);
+					shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
 				}
 			}
 		}

diff --git a/iterator/iterator.c b/iterator/iterator.c
@@ -70,6 +70,8 @@
 #include "sldns/parseutil.h"
 #include "sldns/sbuffer.h"
 
+/* number of packets */
+int MAX_GLOBAL_QUOTA = 128;
 /* in msec */
 int UNKNOWN_SERVER_NICENESS = 376;
 /* in msec */

diff --git a/iterator/iterator.h b/iterator/iterator.h
@@ -57,7 +57,7 @@ struct rbtree_type;
 #define MAX_TARGET_COUNT	64
 /** max number of upstream queries for a query and its subqueries, it is
  * never reset. */
-#define MAX_GLOBAL_QUOTA	128
+extern int MAX_GLOBAL_QUOTA;
 /** max number of target lookups per qstate, per delegation point */
 #define MAX_DP_TARGET_COUNT	16
 /** max number of nxdomains allowed for target lookups for a query and