apply max-recursion-queries quota to validator queries

previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.

(cherry picked from commit af7db89513)

lib/dns/include/dns/validator.h

@@ -144,12 +144,13 @@ struct dns_validator {
 	dns_fixedname_t	      wild;
 	dns_fixedname_t	      closest;
 	ISC_LINK(dns_validator_t) link;
-	bool	      mustbesecure;
-	unsigned int  depth;
-	unsigned int  authcount;
-	unsigned int  authfail;
-	bool	      failed;
-	isc_stdtime_t start;
+	bool	       mustbesecure;
+	unsigned int   depth;
+	unsigned int   authcount;
+	unsigned int   authfail;
+	bool	       failed;
+	isc_stdtime_t  start;
+	isc_counter_t *qc;
 };
 
 /*%
@@ -167,7 +168,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 		     dns_message_t *message, unsigned int options,
 		     isc_task_t *task, isc_taskaction_t action, void *arg,
-		     dns_validator_t **validatorp);
+		     isc_counter_t *qc, dns_validator_t **validatorp);
 /*%<
  * Start a DNSSEC validation.
  *

lib/dns/resolver.c

@@ -974,7 +974,7 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
 
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
 				      sigrdataset, message, valoptions, task,
-				      validated, valarg, &validator);
+				      validated, valarg, fctx->qc, &validator);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	if (result == ISC_R_SUCCESS) {
 		inc_stats(fctx->res, dns_resstatscounter_val);

lib/dns/validator.c

@@ -15,6 +15,7 @@
 #include <stdbool.h>
 
 #include <isc/base32.h>
+#include <isc/counter.h>
 #include <isc/md.h>
 #include <isc/mem.h>
 #include <isc/print.h>
@@ -1091,7 +1092,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	validator_logcreate(val, name, type, caller, "validator");
 	result = dns_validator_create(val->view, name, type, rdataset, sig,
 				      NULL, vopts, val->task, action, val,
-				      &val->subvalidator);
+				      val->qc, &val->subvalidator);
 	if (result == ISC_R_SUCCESS) {
 		val->subvalidator->parent = val;
 		val->subvalidator->depth = val->depth + 1;
@@ -3152,7 +3153,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 		     dns_message_t *message, unsigned int options,
 		     isc_task_t *task, isc_taskaction_t action, void *arg,
-		     dns_validator_t **validatorp) {
+		     isc_counter_t *qc, dns_validator_t **validatorp) {
 	isc_result_t result = ISC_R_FAILURE;
 	dns_validator_t *val;
 	isc_task_t *tclone = NULL;
@@ -3193,6 +3194,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		goto cleanup;
 	}
 
+	if (qc != NULL) {
+		isc_counter_attach(qc, &val->qc);
+	}
+
 	val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
 	dns_rdataset_init(&val->fdsset);
 	dns_rdataset_init(&val->frdataset);
@@ -3297,6 +3302,9 @@ destroy(dns_validator_t *val) {
 	if (val->siginfo != NULL) {
 		isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
 	}
+	if (val->qc != NULL) {
+		isc_counter_detach(&val->qc);
+	}
 	isc_mutex_destroy(&val->lock);
 	dns_view_weakdetach(&val->view);
 	isc_mem_put(mctx, val, sizeof(*val));