limit NSEC3 iterations in bindbackend

PowerDNS · Oct 1, 2015 · d33ba8e · d33ba8e
1 parent 665ac8c
commit d33ba8e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh
@@ -39,6 +39,7 @@
 #include "pdns/lock.hh"
 #include "pdns/misc.hh"
 #include "pdns/dnsbackend.hh"
+#include "pdns/logger.hh"
 
 #include "pdns/namespaces.hh"
 using namespace ::boost::multi_index;

diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
@@ -108,16 +108,19 @@ bool Bind2Backend::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
   getDomainMetadata(zname, "NSEC3PARAM", meta);
   if(!meta.empty())
     value=*meta.begin();
-
+  else
-  if(value.empty()) { // "no NSEC3"
+    return false; // "no NSEC3"
-    return false;
+
-  }
+  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
-
   if(ns3p) {
     NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
     *ns3p = *tmp;
     delete tmp;
   }
+  if (ns3p->d_iterations > maxNSEC3Iterations) {
+    ns3p->d_iterations = maxNSEC3Iterations;
+    L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjsted to: "<<maxNSEC3Iterations<<endl;
+  }
   return true;
 }