From a11367ade3f4ebd314c31a1ef45965e3859b5095 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 25 Jun 2024 14:39:58 -0700
Subject: [PATCH] reduce the max-recursion-queries default to 32

the number of iterative queries that can be sent to resolve a name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc283df66df9c46002307ab676e10e4fd)
---
 bin/named/config.c | 2 +-
 bin/tests/system/reclimit/ns3/named1.conf.in | 1 +
 bin/tests/system/resolver/ns1/named.conf.in | 1 +
 doc/arm/reference.rst | 9 ++++++---
 lib/dns/resolver.c | 2 +-
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index 47549c54f8..3640f714ac 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -174,7 +174,7 @@ options {\n\
 max-clients-per-query 100;\n\
 max-ncache-ttl 10800; /* 3 hours */\n\
 max-recursion-depth 7;\n\
-max-recursion-queries 100;\n\
+max-recursion-queries 32;\n\
 max-stale-ttl 86400; /* 1 day */\n\
 message-compression yes;\n\
 min-ncache-ttl 0; /* 0 hours */\n\
diff --git a/bin/tests/system/reclimit/ns3/named1.conf.in b/bin/tests/system/reclimit/ns3/named1.conf.in
index 58b5d02514..36e5888f02 100644
--- a/bin/tests/system/reclimit/ns3/named1.conf.in
+++ b/bin/tests/system/reclimit/ns3/named1.conf.in
@@ -22,6 +22,7 @@ options {
 listen-on-v6 { none; };
 servfail-ttl 0;
 qname-minimization disabled;
+max-recursion-queries 50;
 max-recursion-depth 12;
 recursion yes;
 dnssec-validation yes;
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
index f0f9571209..31321ad729 100644
--- a/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -29,6 +29,7 @@ options {
 allow-query {!10.53.0.8; any; };
 max-zone-ttl unlimited;
 attach-cache "globalcache";
+max-recursion-queries 50;
 };

 server 10.53.0.3 {
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index a075e29bef..23422d1ba5 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4690,9 +4690,12 @@ Tuning
 :tags: server, query
 :short: Sets the maximum number of iterative queries while servicing a recursive query.

- This sets the maximum number of iterative queries that may be sent while
- servicing a recursive query. If more queries are sent, the recursive
- query is terminated and returns SERVFAIL. The default is 100.
+ This sets the maximum number of iterative queries that may be sent
+ by a resolver while looking up a single name. If more queries than this
+ need to be sent before an answer is reached, then recursion is terminated
+ and a SERVFAIL response is returned to the client. (Note: if the answer
+ is a CNAME, then the subsequent lookup for the target of the CNAME is
+ counted separately.) The default is 32.

 .. namedconf:statement:: notify-delay
 :tags: transfer, zone
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cdb3c6e785..f8f53d2650 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -199,7 +199,7 @@

 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 100
+#define DEFAULT_MAX_QUERIES 50
 #endif /* ifndef DEFAULT_MAX_QUERIES */

 /*
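Review bot: The new library fallback `#define DEFAULT_MAX_QUERIES 50` in lib/dns/resolver.c disagrees with the 32 that the same commit installs as named's built-in default in bin/named/config.c and documents in doc/arm/reference.rst, so the two defaults now diverge by a value that looks unintended. If the divergence is deliberate (the named default options string presumably overrides the library value at runtime, so only embedders of libdns see 50), the define should carry a comment saying so, e.g. `/* Library fallback only; named's config.c default is 32 (see doc/arm/reference.rst). */`; otherwise it should read `#define DEFAULT_MAX_QUERIES 32`. Separately, both system-test configs in this patch pin `max-recursion-queries 50;` explicitly, so as far as these hunks show no suite exercises the tightened 32 limit that is the point of the change; a one-line comment in each conf explaining why those tests need more headroom would help the next person who lowers the default again.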