commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d Author: wouter Date: Tue Apr 27 14:15:19 2010 +0000 Fix harden-referral-path so it does not generate lookup failures. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index fbe3748..16a607c 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -456,6 +456,8 @@ path to the answer. Default off, because it burdens the authority servers, and it is not RFC standard, and could lead to performance problems because of the extra query load that is generated. Experimental option. +If you enable it consider adding more numbers after the target\-fetch\-policy +to increase the max depth that is checked to. .TP .B use\-caps\-for\-id: \fI Use 0x20\-encoded random bits in the query to foil spoof attempts. diff --git a/iterator/iterator.c b/iterator/iterator.c index 08354e8..19b9a26 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -695,12 +695,15 @@ static void generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) { + struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; struct module_qstate* subq; size_t i; struct reply_info* rep = iq->response->rep; struct ub_packed_rrset_key* s; log_assert(iq->dp); + if(iq->depth == ie->max_dependency_depth) + return; /* walk through additional, and check if in-zone, * only relevant A, AAAA are left after scrub anyway */ for(i=rep->an_numrrsets+rep->ns_numrrsets; irrset_count; i++) { @@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, static void generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) { + struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id]; struct module_qstate* subq; log_assert(iq->dp); + if(iq->depth == ie->max_dependency_depth) + return; /* is this query the same as the nscheck? */ if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS && query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&