From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 1 Sep 2022 16:22:46 -0700
Subject: [PATCH] add a configuration option for the update quota

add an "update-quota" option to configure the update quota.

(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
---
 bin/named/config.c | 1 +
 bin/named/named.conf.rst | 9 +++++----
 bin/named/server.c | 1 +
 bin/tests/system/checkconf/good.conf | 1 +
 doc/arm/reference.rst | 7 ++++++-
 doc/man/named.conf.5in | 9 +++++----
 doc/misc/master.zoneopt.rst | 2 +-
 doc/misc/options | 1 +
 doc/misc/options.active | 1 +
 doc/misc/options.grammar.rst | 3 ++-
 doc/misc/slave.zoneopt.rst | 2 +-
 lib/isccfg/namedconf.c | 1 +
 12 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index 5fedee84d9..494147015f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -130,6 +130,7 @@ options {\n\
 transfers-out 10;\n\
 transfers-per-ns 2;\n\
 trust-anchor-telemetry yes;\n\
+ update-quota 100;\n\
 \n\
 /* view */\n\
 allow-new-zones no;\n\
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 27eed5ca3e..4c9f9a7370 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -179,7 +179,7 @@ OPTIONS
 answer-cookie boolean;
 attach-cache string;
 auth-nxdomain boolean; // default changed
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off );// deprecated
 automatic-interface-scan boolean;
 avoid-v4-udp-ports { portrange; ... };
 avoid-v6-udp-ports { portrange; ... };
@@ -446,6 +446,7 @@ OPTIONS
 trust-anchor-telemetry boolean; // experimental
 try-tcp-refresh boolean;
 update-check-ksk boolean;
+ update-quota integer;
 use-alt-transfer-source boolean;
 use-v4-udp-ports { portrange; ... };
 use-v6-udp-ports { portrange; ... };
@@ -584,7 +585,7 @@ VIEW * ) ] [ dscp integer ]; attach-cache string; auth-nxdomain boolean; // default changed - auto-dnssec ( allow | maintain | off ); + auto-dnssec ( allow | maintain | off );// deprecated cache-file quoted_string;// deprecated catalog-zones { zone string [ default-masters [ port integer ] [ dscp integer ] { ( remote-servers | ipv4_address [ port @@ -859,7 +860,7 @@ VIEW integer | * ) ] [ dscp integer ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; - auto-dnssec ( allow | maintain | off ); + auto-dnssec ( allow | maintain | off );// deprecated check-dup-records ( fail | warn | ignore ); check-integrity boolean; check-mx ( fail | warn | ignore ); @@ -977,7 +978,7 @@ ZONE ] [ dscp integer ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; - auto-dnssec ( allow | maintain | off ); + auto-dnssec ( allow | maintain | off );// deprecated check-dup-records ( fail | warn | ignore ); check-integrity boolean; check-mx ( fail | warn | ignore ); diff --git a/bin/named/server.c b/bin/named/server.c index 20443ff8a9..78a21d62a2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server, configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota); configure_server_quota(maps, "recursive-clients", &server->sctx->recursionquota); + configure_server_quota(maps, "update-quota", &server->sctx->updquota); max = isc_quota_getmax(&server->sctx->recursionquota); if (max > 1000) { diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index b1f7059acf..0ecdb68e95 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -75,6 +75,7 @@ options { recursive-clients 3000; serial-query-rate 100; server-id none; + update-quota 200; check-names primary warn; check-names secondary ignore; max-cache-size 20000000000000; 
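Review bot: In bin/named/server.c the added `configure_server_quota(maps, "update-quota", &server->sctx->updquota);` has no visible range check, and the matching clause in lib/isccfg/namedconf.c is a bare `cfg_type_uint32`, so as far as these two hunks show any value from 0 to the uint32 maximum is accepted. This quota is what bounds pending UPDATE and update-forwarding requests, so the meaning of `update-quota 0` should be documented; if the quota code treats a zero maximum as "no limit" (not visible here, to be confirmed), a zero silently removes that bound. The context lines just below already read back `isc_quota_getmax(&server->sctx->recursionquota)`, and a similar `if (isc_quota_getmax(&server->sctx->updquota) == 0)` followed by a logged warning would fit the surrounding style. load_configuration() starts and ends outside this hunk, so an existing check elsewhere cannot be ruled out from here.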
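Review bot: The only test change in this patch is `update-quota 200;` in bin/tests/system/checkconf/good.conf, which shows that the option parses but not that the configured value is the one the server enforces. A system test that configures a small `update-quota`, issues more simultaneous updates than that limit, and checks that the `UpdateQuota` statistics counter described in doc/arm/reference.rst increases would cover the server.c wiring. If a range check on the value is added later, a matching rejected-configuration case in the checkconf tests would belong with it.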
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 2603d60251..703663d0ba 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3151,6 +3151,11 @@ system. value as ``tcp-keepalive-timeout``. This value can be updated at runtime by using ``rndc tcp-timeouts``. +``update-quota`` + This is the maximum number of simultaneous DNS UPDATE messages that + the server will accept for updating local authoritiative zones or + forwarding to a primary server. The default is ``100``. + .. _intervals: Periodic Task Intervals @@ -6840,7 +6845,7 @@ Name Server Statistics Counters ``UpdateQuota`` This indicates the number of times a dynamic update or update forwarding request was rejected because the number of pending - requests exceeded the update quota. + requests exceeded ``update-quota``. ``RateDropped`` This indicates the number of responses dropped due to rate limits. diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 4c46f47592..c87afa2881 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -231,7 +231,7 @@ options { answer\-cookie boolean; attach\-cache string; auth\-nxdomain boolean; // default changed - auto\-dnssec ( allow | maintain | off ); + auto\-dnssec ( allow | maintain | off );// deprecated automatic\-interface\-scan boolean; avoid\-v4\-udp\-ports { portrange; ... }; avoid\-v6\-udp\-ports { portrange; ... }; @@ -498,6 +498,7 @@ options { trust\-anchor\-telemetry boolean; // experimental try\-tcp\-refresh boolean; update\-check\-ksk boolean; + update\-quota integer; use\-alt\-transfer\-source boolean; use\-v4\-udp\-ports { portrange; ... }; use\-v6\-udp\-ports { portrange; ... }; 
@@ -668,7 +669,7 @@ view string [ class ] { * ) ] [ dscp integer ]; attach\-cache string; auth\-nxdomain boolean; // default changed - auto\-dnssec ( allow | maintain | off ); + auto\-dnssec ( allow | maintain | off );// deprecated cache\-file quoted_string;// deprecated catalog\-zones { zone string [ default\-masters [ port integer ] [ dscp integer ] { ( remote\-servers | ipv4_address [ port @@ -943,7 +944,7 @@ view string [ class ] { integer | * ) ] [ dscp integer ]; alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; - auto\-dnssec ( allow | maintain | off ); + auto\-dnssec ( allow | maintain | off );// deprecated check\-dup\-records ( fail | warn | ignore ); check\-integrity boolean; check\-mx ( fail | warn | ignore ); @@ -1065,7 +1066,7 @@ zone string [ class ] { ] [ dscp integer ]; alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; - auto\-dnssec ( allow | maintain | off ); + auto\-dnssec ( allow | maintain | off );// deprecated check\-dup\-records ( fail | warn | ignore ); check\-integrity boolean; check\-mx ( fail | warn | ignore ); diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst index 8fc7e1b4f0..346d59813e 100644 --- a/doc/misc/master.zoneopt.rst +++ b/doc/misc/master.zoneopt.rst @@ -20,7 +20,7 @@ also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... }; alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ]; alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; - auto-dnssec ( allow | maintain | off ); + auto-dnssec ( allow | maintain | off ); // deprecated check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); diff --git a/doc/misc/options b/doc/misc/options index f57399499a..0dbcf101e1 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -404,6 +404,7 @@ options {
 trust-anchor-telemetry ; // experimental
 try-tcp-refresh ;
 update-check-ksk ;
+ update-quota ;
 use-alt-transfer-source ;
 use-id-pool ; // ancient
 use-ixfr ; // obsolete
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 5fc1ab29f4..eb75a86eae 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -363,6 +363,7 @@ options {
 trust-anchor-telemetry ; // experimental
 try-tcp-refresh ;
 update-check-ksk ;
+ update-quota ;
 use-alt-transfer-source ;
 use-v4-udp-ports { ; ... };
 use-v6-udp-ports { ; ... };
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
index 438072c95c..beef35341a 100644
--- a/doc/misc/options.grammar.rst
+++ b/doc/misc/options.grammar.rst
@@ -33,7 +33,7 @@
 answer-cookie ;
 attach-cache ;
 auth-nxdomain ; // default changed
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off ); // deprecated
 automatic-interface-scan ;
 avoid-v4-udp-ports { ; ... };
 avoid-v6-udp-ports { ; ... };
@@ -300,6 +300,7 @@
 trust-anchor-telemetry ; // experimental
 try-tcp-refresh ;
 update-check-ksk ;
+ update-quota ;
 use-alt-transfer-source ;
 use-v4-udp-ports { ; ... };
 use-v6-udp-ports { ; ... };
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
index cc72dcbf67..468a7f4d9a 100644
--- a/doc/misc/slave.zoneopt.rst
+++ b/doc/misc/slave.zoneopt.rst
@@ -21,7 +21,7 @@
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
 alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ];
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off ); // deprecated
 check-names ( fail | warn | ignore );
 database ;
 dialup ( notify | notify-passive | passive | refresh | );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 45de0196bf..6e63d86816 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
 { "transfers-out", &cfg_type_uint32, 0 },
 { "transfers-per-ns", &cfg_type_uint32, 0 },
 { "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+ { "update-quota", &cfg_type_uint32, 0 },
 { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
 { "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 { "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
-- 
2.39.1