
merge: implement udp-truncation-threshold to override the previous 16…

…80 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
1 parent 6a82ce4 commit d87ded35d9b0694790bafa7957e593e62bd6eb34 @mind04 mind04 committed with mind04 Jul 12, 2013
Showing with 13 additions and 6 deletions.
  1. +2 −1 pdns/common_startup.cc
  2. +3 −5 pdns/dnspacket.cc
  3. +1 −0 pdns/dnspacket.hh
  4. +7 −0 pdns/docs/pdns.xml
@@ -77,7 +77,7 @@ void declareArguments()
::arg().set("recursor","If recursion is desired, IP address of a recursing nameserver")="no";
::arg().set("allow-recursion","List of subnets that are allowed to recurse")="0.0.0.0/0";
::arg().set("pipebackend-abi-version","Version of the pipe backend ABI")="1";
-
+ ::arg().set("udp-truncation-threshold", "Maximum UDP response size before we truncate")="1680";
::arg().set("disable-tcp","Do not listen to TCP queries")="no";
::arg().set("disable-axfr","Do not allow zone transfers")="no";
@@ -341,6 +341,7 @@ void mainthread()
g_anyToTcp = ::arg().mustDo("any-to-tcp");
g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
+ DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
#ifndef WIN32
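Review bot: The assignment `DNSPacket::s_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");` narrows the parsed number into a uint16_t with no range check, so a value above 65535 or a negative one wraps silently, and a value below the 512-byte DNS UDP minimum would presumably cause almost every EDNS0 reply to be truncated via the min() in dnspacket.cc. Validate the setting once here before storing it: read it into a local `int`, and if it is outside 512–65535 fail startup through whatever path the surrounding startup code already uses for invalid arguments (not visible in this hunk). The first hunk's default of `"1680"` lies inside that range, so existing configurations are unaffected. mainthread() continues outside the hunk.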
@@ -18,12 +18,9 @@
#include "utility.hh"
#include <cstdio>
-
#include <cstdlib>
#include <sys/types.h>
-
#include <iostream>
-
#include <string>
#include <errno.h>
#include <boost/tokenizer.hpp>
@@ -45,7 +42,8 @@
#include "ednssubnet.hh"
bool DNSPacket::s_doEDNSSubnetProcessing;
-
+uint16_t DNSPacket::s_udpTruncationThreshold;
+
DNSPacket::DNSPacket()
{
d_wrapped=false;
@@ -495,7 +493,7 @@ try
if(getEDNSOpts(mdp, &edo)) {
d_haveednssection=true;
- d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680);
+ d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);
// cerr<<edo.d_Z<<endl;
if(edo.d_Z & EDNSOpts::DNSSECOK)
d_dnssecOk=true;
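Review bot: `uint16_t DNSPacket::s_udpTruncationThreshold;` is defined without an initializer, so it is zero until mainthread() in common_startup.cc assigns it; any packet parsed through `d_maxreplylen=std::min(edo.d_packetsize, s_udpTruncationThreshold);` before that assignment, or in a binary that links dnspacket.cc without running that startup code, now gets a maximum reply length of 0 where the removed line gave 1680. Give the definition the old constant as its default, `uint16_t DNSPacket::s_udpTruncationThreshold = 1680;`, so the fallback matches the command-line default and the pre-3.3 behaviour described in the docs hunk. The function enclosing the third hunk starts and ends outside the hunk.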
@@ -158,6 +158,7 @@ public:
vector<DNSResourceRecord>& getRRS() { return d_rrs; }
TSIGRecordContent d_trc;
static bool s_doEDNSSubnetProcessing;
+ static uint16_t s_udpTruncationThreshold;
private:
void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies
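Review bot: The new public static `s_udpTruncationThreshold` carries no comment, while this header documents members with `//!<` trailers as on `pasteQ` just below it. Add `static uint16_t s_udpTruncationThreshold; //!< cap on the EDNS0-advertised UDP reply size, set from udp-truncation-threshold at startup` so a reader does not have to locate the assignment in common_startup.cc. From the other hunks it is written once in mainthread() and read on every parsed packet; that is fine only while the write precedes all readers, and the plain static offers no synchronisation if that ordering is ever relaxed. The class body continues outside the hunk.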
@@ -15700,6 +15700,13 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received*
<listitem><para>
IP address of incoming notification proxy
</para></listitem></varlistentry>
+ <varlistentry><term>udp-truncation-threshold=...</term>
+ <listitem><para>
+ EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however
+ also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit
+ was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes
+ our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted.
+ </para></listitem></varlistentry>
<varlistentry><term>urlredirector=...</term>
<listitem><para>
Where we send hosts to that need to be url redirected. See <xref linkend="fancy-records"/>.
