
limit NSEC3 iterations in bindbackend

1 parent 665ac8c commit d33ba8ebf1ef29157740bfaa82c4e114785bbe5b @mind04 mind04 committed with mind04 Sep 5, 2015
Showing with 9 additions and 5 deletions.
  1. +1 −0 modules/bindbackend/bindbackend2.hh
  2. +8 −5 modules/bindbackend/binddnssec.cc
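--- a/modules/bindbackend/bindbackend2.hh
+++ b/modules/bindbackend/bindbackend2.hh
@@ -39,6 +39,7 @@
 #include "pdns/lock.hh"
 #include "pdns/misc.hh"
 #include "pdns/dnsbackend.hh"
+#include "pdns/logger.hh"
 #include "pdns/namespaces.hh"
 using namespace ::boost::multi_index;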
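--- a/modules/bindbackend/binddnssec.cc
+++ b/modules/bindbackend/binddnssec.cc
@@ -108,16 +108,19 @@ bool Bind2Backend::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 getDomainMetadata(zname, "NSEC3PARAM", meta);
 if(!meta.empty())
 value=*meta.begin();
-
- if(value.empty()) { // "no NSEC3"
- return false;
- }
-
+ else
+ return false; // "no NSEC3"
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
 if(ns3p) {
 NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
 *ns3p = *tmp;
 delete tmp;
 }
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjsted to: "<<maxNSEC3Iterations<<endl;
+ }
 return true;
 }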
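Review bot: The new clamp `if (ns3p->d_iterations > maxNSEC3Iterations)` dereferences `ns3p` outside the `if(ns3p)` guard just above it, so a caller that passes a null `ns3p` only to ask whether the zone uses NSEC3 would crash the process here instead of getting `true`. Guard the clamp the same way, e.g. `if (ns3p && ns3p->d_iterations > maxNSEC3Iterations) {`, or move it inside the existing `if(ns3p)` block. In the unchanged context, the `dynamic_cast` result `tmp` is copied from without a null check, which is worth confirming while here since `value` comes from zone metadata. The log string also has a typo (`adjsted`), and because the message is emitted at `Logger::Error` on each call that clamps, a single misconfigured zone could presumably fill the log; consider logging once per zone or at a lower level. The function begins above this hunk.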
