
add option to limit the maximum number of cached signatures

1 parent 850b048 commit bba84134688e5d1b51ff5dc2bac4016fe737cb7c @mind04 mind04 committed with mind04 Jul 29, 2014
Showing with 19 additions and 1 deletion.
  1. +1 −0 pdns/common_startup.cc
  2. +4 −1 pdns/dnssecsigner.cc
  3. +8 −0 pdns/docs/pdns.xml
  4. +5 −0 pdns/pdns.conf-dist
  5. +1 −0 pdns/pdnssec.cc
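--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -148,6 +148,7 @@ void declareArguments()
 ::arg().set("setgid","If set, change group id to this gid for more security")="";
 ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000";
+ ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
 ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
 ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";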
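Review bot: The help string on the added `::arg().set` line does not tell an operator what the empty default means or what happens once the limit is reached, and the same string is repeated on the added line of the pdnssec.cc hunk and in the docs and conf-dist sections. From the dnssecsigner.cc hunk the empty value appears to fall back to INT_MAX (no effective limit) and reaching the limit clears the whole cache rather than evicting single entries, so the text should say so: `::arg().set("max-signature-cache-entries", "Maximum number of signature cache entries; empty means unlimited, the whole cache is flushed when the limit is reached")="";`. It also reads "signatures cache" where "signature cache" is meant.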
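--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -26,6 +26,7 @@
 #include "dnsseckeeper.hh"
 #include "dns_random.hh"
 #include "lock.hh"
+#include "arguments.hh"
 /* this is where the RRSIGs begin, keys are retrieved,
 but the actual signing happens in fillOutRRSIG */
@@ -148,8 +149,10 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
 WriteLock l(&g_signatures_lock);
 /* we add some jitter here so not all your slaves start pruning their caches at the very same millisecond */
 int weekno = (time(0) - dns_random(3600)) / (86400*7); // we just spent milliseconds doing a signature, microsecond more won't kill us
+ const static int maxcachesize=::arg().asNum("max-signature-cache-entries", INT_MAX);
- if(g_cacheweekno < weekno) { // blunt but effective (C) Habbie
+ if(g_cacheweekno < weekno || g_signatures.size() >= (uint) maxcachesize) { // blunt but effective (C) Habbie, mind04
+ L<<Logger::Warning<<"Cleared signature cache."<<endl;
 g_signatures.clear();
 g_cacheweekno = weekno;
 }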
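Review bot: The size test on the new `if` line silently disables the limit for a negative setting and flushes the cache on every call for a setting of 0, because `(uint) maxcachesize` turns a negative int into a huge unsigned value and `g_signatures.size() >= 0` is always true. Since the empty default presumably maps to INT_MAX via asNum and so leaves the cache unbounded unless the operator sets the option, values below 1 are better rejected or logged at startup than reinterpreted here, and the C-style cast should become `static_cast<size_t>(maxcachesize)` with the constant typed accordingly. The added Warning line fires for both the weekly rollover and the size cap without saying which, and with a cap small relative to the working set it will repeat on every clear; `L<<Logger::Warning<<"Cleared signature cache ("<<g_signatures.size()<<" entries, limit "<<maxcachesize<<")"<<endl;` would let an operator size the cache and notice a cache that is being flushed abnormally often. fillOutRRSIG continues outside the hunk, so whether the new entry is inserted after the clear cannot be confirmed from here.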
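--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -12831,6 +12831,14 @@ UPDATE records SET auth=1 WHERE auth IS NULL;
 </listitem>
 </varlistentry>
 <varlistentry>
+ <term>max-signature-cache-entries</term>
+ <listitem>
+ <para>
+ Maximum number of signatures cache entries
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
 <term>local-address-nonexist-fail</term>
 <listitem>
 <para>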
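--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -275,6 +275,11 @@
 # max-queue-length=5000
 #################################
+# max-signature-cache-entries Maximum number of signatures cache entries
+#
+# max-signature-cache-entries=
+
+#################################
 # max-tcp-connections Maximum number of TCP connections
 #
 # max-tcp-connections=10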
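--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -138,6 +138,7 @@ void loadMainConfig(const std::string& configdir)
 ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
 ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
+ ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
 ::arg().laxFile(configname.c_str());
 BackendMakers().launch(::arg()["launch"]); // vrooooom!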
