From 7cd4c3ddd1baf5f2b204562fdba3da37c716cc78 Mon Sep 17 00:00:00 2001
From: Andreas Gustafsson
Date: Fri, 26 May 2000 23:17:56 +0000
Subject: [PATCH] The 'cache-ttl' and 'ncache-ttl' options now work
---
 CHANGES | 2 ++
 bin/named/server.c | 25 +++++++++++++++++++++++++
 doc/misc/options | 7 ++++---
 lib/dns/include/dns/ncache.h | 5 +++--
 lib/dns/include/dns/view.h | 3 +++
 lib/dns/ncache.c | 4 ++--
 lib/dns/resolver.c | 23 +++++++++++++++++------
 lib/dns/view.c | 2 ++
 8 files changed, 58 insertions(+), 13 deletions(-)
diff --git a/CHANGES b/CHANGES
index 92cee11e97..f1a7bc3f00 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+ 216. [func] The 'cache-ttl' and 'ncache-ttl' options now work.
+
 215. [bug] Failures at certain points in request processing could cause the assertion INSIST(client->lockview == NULL) to be triggered.
diff --git a/bin/named/server.c b/bin/named/server.c
index ba2c3feb3f..d5fa726a87 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -627,6 +627,31 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, dns_c_view_t *cview,
 dns_c_ctx_gettrustedkeys, &view->secroots));
+ {
+ isc_uint32_t val;
+ result = ISC_R_NOTFOUND;
+ if (cview != NULL)
+ result = dns_c_view_getmaxcachettl(cview, &val);
+ if (result != ISC_R_SUCCESS)
+ result = dns_c_ctx_getmaxcachettl(cctx, &val);
+ if (result != ISC_R_SUCCESS)
+ val = 30 * 24 * 3600;
+ view->maxcachettl = val;
+ }
+ {
+ isc_uint32_t val;
+ result = ISC_R_NOTFOUND;
+ if (cview != NULL)
+ result = dns_c_view_getmaxncachettl(cview, &val);
+ if (result != ISC_R_SUCCESS)
+ result = dns_c_ctx_getmaxncachettl(cctx, &val);
+ if (result != ISC_R_SUCCESS)
+ val = 3 * 3600;
+ if (val > 7 * 24 * 3600)
+ val = 7 * 24 * 3600;
+ view->maxncachettl = val;
+ }
+
 result = ISC_R_SUCCESS;
 cleanup:
diff --git a/doc/misc/options b/doc/misc/options
index 50a71675ca..145279f897 100644
--- a/doc/misc/options
+++ b/doc/misc/options
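Review bot: The fallback values in the two new blocks in configure_view disagree with the initial values set in the lib/dns/view.c hunk: maxncachettl falls back to `val = 3 * 3600;` here but is initialised with `view->maxncachettl = 24 * 3600;` in dns_view_create, so the effective negative-cache limit depends on which path last ran. Keep one source of truth by defining the two defaults and the 7-day ceiling as named constants in the view header and using them in both files, instead of repeating `30 * 24 * 3600` and `7 * 24 * 3600` as bare arithmetic. The ceiling is also applied silently; an operator who sets max-ncache-ttl above seven days gets no indication that it was reduced, so a warning-level log line at the `if (val > 7 * 24 * 3600)` clamp would make the effective limit visible. configure_view starts before and continues after this hunk.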
@@ -66,8 +66,8 @@ options {
 [ max-transfer-idle-in number; ] Yes*
 [ max-transfer-time-out number; ] Yes*
 [ max-transfer-idle-out number; ] Yes*
- [ max-cache-ttl number; ] No*
- [ max-ncache-ttl number; ] No
+ [ max-cache-ttl number; ] Yes*
+ [ max-ncache-ttl number; ] Yes
 [ min-roots number; ] No
 [ serial-queries number; ] No
 [ transfer-format ( one-answer | many-answers ); ] Yes
@@ -195,7 +195,8 @@ view "view_name" [ ( in | hs | hesiod | chaos ) ] { Yes*
 [ lame-ttl number; ] No
 [ max-transfer-time-out number; ] Yes*
 [ max-transfer-idle-out number; ] Yes*
- [ max-ncache-ttl number; ] No
+ [ max-cache-ttl number; ] Yes*
+ [ max-ncache-ttl number; ] Yes
 [ min-roots number; ] No
 [ transfer-format ( one-answer | many-answers ); ] Yes
 [ transfer-source ip_addr; ] Yes
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 36a5e32a71..668c6f38b2 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -52,11 +52,12 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 dns_rdataset_t *addedrdataset);
 /*
 * Convert the authority data from 'message' into a negative cache
- * rdataset, and store it in 'cache' at 'node'.
+ * rdataset, and store it in 'cache' at 'node' with a TTL limited to
+ * 'maxttl'.
 *
 * The 'covers' argument is the RR type whose nonexistence we are caching,
 * or dns_rdatatype_any when caching a NXDOMAIN response.
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index d09b1a8050..f6c5a2ac80 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -102,12 +102,15 @@ struct dns_view {
 dns_acl_t * recursionacl;
 isc_boolean_t requestixfr;
 isc_boolean_t provideixfr;
+ dns_ttl_t maxcachettl;
+ dns_ttl_t maxncachettl;
 /*
 * Configurable data for server use only,
 * locked by server configuration lock.
 */
 dns_acl_t * matchclients;
+
 /* Locked by lock. */
 unsigned int references;
 unsigned int weakrefs;
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 1833900e39..e371d35dda 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -83,7 +83,7 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 dns_rdataset_t *addedrdataset)
 {
 isc_result_t result;
@@ -114,7 +114,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 /*
 * First, build an ncache rdata in buffer.
 */
- ttl = 0xffffffff;
+ ttl = maxttl;
 trust = 0xffff;
 isc_buffer_init(&buffer, data, sizeof(data));
 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 2bb099a6b5..3d4170c6a3 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -260,7 +260,7 @@ static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
 static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers,
- isc_stdtime_t now,
+ isc_stdtime_t now, dns_ttl_t maxttl,
 dns_rdataset_t *ardataset, isc_result_t *eresultp);
@@ -1484,7 +1484,7 @@ static inline void
 possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) {
 isc_netaddr_t na;
- char buf[80];
+ char buf[ISC_NETADDR_FORMATSIZE];
 isc_sockaddr_t *sa;
 sa = addr->sockaddr;
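Review bot: The new `dns_ttl_t maxcachettl;` and `dns_ttl_t maxncachettl;` fields carry no locking note, while the neighbouring groups are annotated with 'locked by server configuration lock' and 'Locked by lock.'; they are written from configure_view in bin/named/server.c and read on the resolver's caching path in lib/dns/resolver.c, apparently without taking the view lock. State the intended rule above the two fields, e.g. `/* Cache TTL ceilings; written only at (re)configuration, read by the resolver without locking — confirm. */`, so a later reconfiguration change cannot introduce a race unnoticed. struct dns_view starts before this hunk.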
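Review bot: Sizing `buf` as `char buf[ISC_NETADDR_FORMATSIZE]` only fully removes the fixed-80-byte assumption if the formatting call later in possibly_mark (outside the hunk) passes `sizeof(buf)` rather than a literal `80`; please confirm that call site was updated as well. If it still uses a literal, the declared size and the bound passed to the formatter can drift apart again and the named constant gives no protection. possibly_mark continues after this hunk.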
@@ -2270,7 +2270,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 result = ncache_adderesult(fctx->rmessage, fctx->res->view->cachedb, node,
- covers, now, ardataset, &eresult);
+ covers, now,
+ fctx->res->view->maxncachettl,
+ ardataset, &eresult);
 if (result != ISC_R_SUCCESS)
 goto respond;
@@ -2407,6 +2409,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 rdataset = ISC_LIST_NEXT(rdataset, link)) {
 if (!CACHE(rdataset))
 continue;
+
+ /*
+ * Enforce the configure maximum cache TTL.
+ */
+ if (rdataset->ttl > res->view->maxcachettl)
+ rdataset->ttl = res->view->maxcachettl;
+
 /*
 * If this rrset is in a secure domain, do DNSSEC validation
 * for it, unless it is glue.
@@ -2618,12 +2627,13 @@ cache_message(fetchctx_t *fctx, isc_stdtime_t now) {
 */
 static isc_result_t
 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 dns_rdataset_t *ardataset, isc_result_t *eresultp)
 {
 isc_result_t result;
- result = dns_ncache_add(message, cache, node, covers, now, ardataset);
+ result = dns_ncache_add(message, cache, node, covers, now,
+ maxttl, ardataset);
 if (result == DNS_R_UNCHANGED) {
 /*
 * The data in the cache is better than the negative cache
@@ -2733,7 +2743,8 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 goto unlock;
 result = ncache_adderesult(fctx->rmessage, res->view->cachedb, node,
- covers, now, ardataset, &eresult);
+ covers, now, res->view->maxncachettl,
+ ardataset, &eresult);
 if (result != ISC_R_SUCCESS)
 goto unlock;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 1acb885296..fc7f0fe463 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
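Review bot: The comment added in the cache_name hunk has a typo, `* Enforce the configure maximum cache TTL.` should read `* Enforce the configured maximum cache TTL.`, and it would help to say what the clamp is for: `* Enforce the configured maximum cache TTL so that an upstream-supplied TTL cannot keep a record resident longer than the operator allows.` The matching ceiling for negative answers is passed as maxttl in the ncache_adderesult hunks further down; a one-line cross-reference here would tie the two together. cache_name's loop starts before and continues after this hunk.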
@@ -142,6 +142,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 view->recursionacl = NULL;
 view->requestixfr = ISC_TRUE;
 view->provideixfr = ISC_TRUE;
+ view->maxcachettl = 30 * 24 * 3600;
+ view->maxncachettl = 24 * 3600;
 result = dns_peerlist_new(view->mctx, &view->peers);
 if (result != ISC_R_SUCCESS)