diff --git a/CHANGES b/CHANGES index 0e8e2c9332..9cab2a1c36 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5091. [func] Two new global and per-view options max-cache-ttl + and min-ncache-ttl [GL #613] + 5090. [bug] dig and mdig failed to properly preparse dash value pairs when value was a seperate argument and started with a dash. [GL #584] diff --git a/bin/named/config.c b/bin/named/config.c index 3b15ad2974..039d2632b4 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -174,6 +174,8 @@ options {\n\ max-recursion-queries 75;\n\ max-stale-ttl 604800; /* 1 week */\n\ message-compression yes;\n\ + min-ncache-ttl 0; /* 0 hours */\n\ + min-cache-ttl 0; /* 0 seconds */\n\ # min-roots ;\n\ minimal-any false;\n\ minimal-responses no-auth-recursive;\n\ diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index 01dc81be6c..d6aebe76fb 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -337,6 +337,8 @@ options { memstatistics boolean; memstatistics-file quoted_string; message-compression boolean; + min-cache-ttl ttlval; + min-ncache-ttl ttlval; min-refresh-time integer; min-retry-time integer; minimal-any boolean; diff --git a/bin/named/server.c b/bin/named/server.c index ee75c1b3b7..05964c2227 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
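Review bot: The two new defaults in config.c carry mismatched unit comments, `min-ncache-ttl 0; /* 0 hours */` right above `min-cache-ttl 0; /* 0 seconds */`, although both options are declared with the same ttlval type and are read as seconds; use `/* 0 seconds */` for both so nobody reads the negative-cache floor as an hour value. On the same line, the CHANGES entry announces "max-cache-ttl and min-ncache-ttl", but the option introduced by this commit is min-cache-ttl (max-cache-ttl already exists), so the release note names the wrong option and should read `Two new global and per-view options min-cache-ttl and min-ncache-ttl`.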
@@ -4117,8 +4117,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 result = named_config_get(maps, "max-ncache-ttl", &obj);
 INSIST(result == ISC_R_SUCCESS);
 view->maxncachettl = cfg_obj_asuint32(obj);
- if (view->maxncachettl > 7 * 24 * 3600)
- view->maxncachettl = 7 * 24 * 3600;
+
+ obj = NULL;
+ result = named_config_get(maps, "min-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->mincachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
+ result = named_config_get(maps, "min-ncache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->minncachettl = cfg_obj_asuint32(obj);
 obj = NULL;
 result = named_config_get(maps, "synth-from-dnssec", &obj);
diff --git a/bin/tests/named.conf b/bin/tests/named.conf
index 5673e982ca..c9be056e77 100644
--- a/bin/tests/named.conf
+++ b/bin/tests/named.conf
@@ -46,6 +46,7 @@ options {
 memstatistics-file "named.memstats"; // _PATH_MEMSTATS
 max-cache-ttl 999;
+ min-cache-ttl 66;
 auth-nxdomain yes; // always set AA on NXDOMAIN.
 // don't set this to 'no' unless
 // you know what you're doing -- older
@@ -148,6 +149,7 @@ options {
 min-refresh-time 777;
 max-ncache-ttl 333;
+ min-ncache-ttl 22;
 min-roots 15;
 serial-queries 34;
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
index 6a4309905f..fcc32539ca 100644
--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -69,7 +69,7 @@ PARALLEL = rpzrecurse serve-stale dnssec \
 rrchecker rrl rrsetorder rsabigexponent runtime \
 sfcache smartsign sortlist \
 spf staticstub statistics statschannel stub synthfromdnssec \
- tcp tools tsig tsiggss \
+ tcp tools tsig tsiggss ttl \
 unknown upforwd verify views wildcard \
 xfer xferquota zero zonechecks
diff --git a/bin/tests/system/checkconf/bad-maxncachettl.conf b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
similarity index 100%
rename from bin/tests/system/checkconf/bad-maxncachettl.conf
rename to bin/tests/system/checkconf/bad-maxncachettl-1.conf
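Review bot: configure_view stores `view->mincachettl` and `view->minncachettl` without relating them to the matching ceilings, so a configuration such as min-cache-ttl 90 with max-cache-ttl 60 is accepted, and since the resolver applies the floor after the cap, cached TTLs can end up above the configured maximum. With the runtime 7-day clamp deleted in this hunk, this is the last point in named where both values are at hand, so a consistency check fits here; it assumes view->maxcachettl has already been filled in earlier in configure_view the way max-ncache-ttl is just above (that part is outside the hunk). Clamping as below is the minimal fix; logging and failing the (re)load, as the range table does for individual values, would be the stricter alternative.

```c
	view->minncachettl = cfg_obj_asuint32(obj);

	/*
	 * A floor above its ceiling would let the resolver store TTLs
	 * larger than max-cache-ttl / max-ncache-ttl; keep min <= max.
	 */
	if (view->mincachettl > view->maxcachettl) {
		view->mincachettl = view->maxcachettl;
	}
	if (view->minncachettl > view->maxncachettl) {
		view->minncachettl = view->maxncachettl;
	}
	/* … unchanged: synth-from-dnssec lookup … */
```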
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-2.conf b/bin/tests/system/checkconf/bad-maxncachettl-2.conf new file mode 100644 index 0000000000..e8eae8f186 --- /dev/null +++ b/bin/tests/system/checkconf/bad-maxncachettl-2.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view two { + max-ncache-ttl 604801; +}; diff --git a/bin/tests/system/checkconf/bad-maxncachettl-3.conf b/bin/tests/system/checkconf/bad-maxncachettl-3.conf new file mode 100644 index 0000000000..f31c133e26 --- /dev/null +++ b/bin/tests/system/checkconf/bad-maxncachettl-3.conf @@ -0,0 +1,17 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view three { + max-ncache-ttl 4000000000; +}; +view four { + max-ncache-ttl -1; +}; diff --git a/bin/tests/system/checkconf/bad-maxncachettl-4.conf b/bin/tests/system/checkconf/bad-maxncachettl-4.conf new file mode 100644 index 0000000000..c220ecd7b3 --- /dev/null +++ b/bin/tests/system/checkconf/bad-maxncachettl-4.conf 
@@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view four { + max-ncache-ttl -1; +}; diff --git a/bin/tests/system/checkconf/bad-mincachettl.conf b/bin/tests/system/checkconf/bad-mincachettl.conf new file mode 100644 index 0000000000..0a1c188461 --- /dev/null +++ b/bin/tests/system/checkconf/bad-mincachettl.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view one { + min-cache-ttl 1x; +}; diff --git a/bin/tests/system/checkconf/bad-minncachettl.conf b/bin/tests/system/checkconf/bad-minncachettl.conf new file mode 100644 index 0000000000..ac2e29b59c --- /dev/null +++ b/bin/tests/system/checkconf/bad-minncachettl.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view one { + min-ncache-ttl 1x; +}; diff --git a/bin/tests/system/checkconf/good-maxncachettl.conf b/bin/tests/system/checkconf/good-maxncachettl.conf index 227da86c34..198f3bd568 100644 
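Review bot: bad-mincachettl.conf and bad-minncachettl.conf each contain only `min-cache-ttl 1x;` / `min-ncache-ttl 1x;`, which is a ttlval parse error, so they exercise the grammar and not the new 90-second bound that check.c introduces for these options; a regression in that range table would go unnoticed. Mirror what bad-maxncachettl-2.conf does with 604801 and add a view with `min-cache-ttl 91;` (and `min-ncache-ttl 91;` in the other file), either as a second view in the same file or as a `-2` file, so both the parser and the range check are covered.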
--- a/bin/tests/system/checkconf/good-maxncachettl.conf +++ b/bin/tests/system/checkconf/good-maxncachettl.conf @@ -16,7 +16,7 @@ view two { max-ncache-ttl 86400; }; view three { - max-ncache-ttl 4000000000; + max-ncache-ttl 604800; }; view four { max-ncache-ttl 3600s; diff --git a/bin/tests/system/checkconf/good-mincachettl.conf b/bin/tests/system/checkconf/good-mincachettl.conf new file mode 100644 index 0000000000..7afb8d005d --- /dev/null +++ b/bin/tests/system/checkconf/good-mincachettl.conf @@ -0,0 +1,26 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view one { + min-cache-ttl 0; +}; +view two { + min-cache-ttl 30; +}; +view three { + min-cache-ttl 60; +}; +view four { + min-cache-ttl 90s; +}; +view five { + min-cache-ttl 1m; +}; diff --git a/bin/tests/system/checkconf/good-minncachettl.conf b/bin/tests/system/checkconf/good-minncachettl.conf new file mode 100644 index 0000000000..6bfc663f73 --- /dev/null +++ b/bin/tests/system/checkconf/good-minncachettl.conf @@ -0,0 +1,26 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +view one { + min-ncache-ttl 0; +}; +view two { + min-ncache-ttl 30; +}; +view three { + min-ncache-ttl 60; +}; +view four { + min-ncache-ttl 90s; +}; +view five { + min-ncache-ttl 1m; +}; 
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 212897e54f..7519e9d9b9 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -15,10 +15,7 @@ # # Find the top of the BIND9 tree. -TOP=${SYSTEMTESTTOP:=.}/../../.. - -# Make it absolute so that it continues to work after we cd. -TOP=`cd $TOP && pwd` +TOP=@abs_top_builddir@ # Default algorithm for testing DEFAULT_ALGORITHM=ECDSAP256SHA256 @@ -105,7 +102,7 @@ PARALLELDIRS="acl additional addzone allow-query auth autosign \ rrchecker rrl rrsetorder rsabigexponent runtime \ serve-stale sfcache smartsign sortlist \ spf staticstub statistics statschannel stub synthfromdnssec \ - tcp tools tsig tsiggss \ + tcp tools tsig tsiggss ttl \ unknown upforwd verify views wildcard \ xfer xferquota zero zonechecks" diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32 index b8010f5430..c791007110 100644 --- a/bin/tests/system/conf.sh.win32 +++ b/bin/tests/system/conf.sh.win32 @@ -100,7 +100,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \ reclimit redirect resolver rndc rpz rrchecker rrl \ rrsetorder rsabigexponent runtime sfcache smartsign sortlist \ spf staticstub statistics statschannel stub tcp tkey tsig \ - tsiggss unknown upforwd verify views wildcard xfer xferquota \ + tsiggss ttl unknown upforwd verify views wildcard xfer xferquota \ zero zonechecks" # List of tests that use unique ports (other than 5300 and 9953). These diff --git a/bin/tests/system/ttl/clean.sh b/bin/tests/system/ttl/clean.sh new file mode 100644 index 0000000000..0f928d6863 --- /dev/null +++ b/bin/tests/system/ttl/clean.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +. ../conf.sh + +rm -f ./dig.out.* +rm -f ./*/named.conf +rm -f ./*/named.memstats +rm -f ./*/named.run +rm -f ./ns*/named.lock +rm -f ./ns*/_default.nzf +rm -f ./ns*/_default.nzd* +rm -f ./ns*/managed-keys.bind* ns*/*.mkeys* 
diff --git a/bin/tests/system/ttl/ns1/max-example.db b/bin/tests/system/ttl/ns1/max-example.db new file mode 100644 index 0000000000..87efa578c2 --- /dev/null +++ b/bin/tests/system/ttl/ns1/max-example.db @@ -0,0 +1,9 @@ +max-example. 1209600 IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 1209600 ; minimum (2 weeks) + ) +max-example. 1209600 IN NS ns.max-example. +ns.max-example. 1209600 IN A 10.53.0.1 diff --git a/bin/tests/system/ttl/ns1/min-example.db b/bin/tests/system/ttl/ns1/min-example.db new file mode 100644 index 0000000000..da1db00f1b --- /dev/null +++ b/bin/tests/system/ttl/ns1/min-example.db @@ -0,0 +1,9 @@ +min-example. 0 IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 0 ; minimum (0 seconds) + ) +min-example. 0 IN NS ns.min-example. +ns.min-example. 0 IN A 10.53.0.1 diff --git a/bin/tests/system/ttl/ns1/named.conf.in b/bin/tests/system/ttl/ns1/named.conf.in new file mode 100644 index 0000000000..211d9591bb --- /dev/null +++ b/bin/tests/system/ttl/ns1/named.conf.in 
@@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + check-integrity no; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "min-example" { + type master; + file "min-example.db"; +}; + +zone "max-example" { + type master; + file "max-example.db"; +}; diff --git a/bin/tests/system/ttl/ns2/hints.db b/bin/tests/system/ttl/ns2/hints.db new file mode 100644 index 0000000000..348fc96c11 --- /dev/null +++ b/bin/tests/system/ttl/ns2/hints.db @@ -0,0 +1,2 @@ +. 60 IN NS ns.nil. +ns.nil. 60 IN A 10.53.0.1 diff --git a/bin/tests/system/ttl/ns2/named.conf.in b/bin/tests/system/ttl/ns2/named.conf.in new file mode 100644 index 0000000000..0762625492 --- /dev/null +++ b/bin/tests/system/ttl/ns2/named.conf.in 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + directory "."; + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + servfail-ttl 0; + max-recursion-depth 12; + recursion yes; + dnssec-validation no; + min-cache-ttl 60; + min-ncache-ttl 30; + max-cache-ttl 120; + max-ncache-ttl 60; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { type hint; file "hints.db"; }; diff --git a/bin/tests/system/ttl/setup.sh b/bin/tests/system/ttl/setup.sh new file mode 100644 index 0000000000..68fd0d2b81 --- /dev/null +++ b/bin/tests/system/ttl/setup.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +. ../conf.sh + +$SHELL clean.sh +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf diff --git a/bin/tests/system/ttl/tests.sh b/bin/tests/system/ttl/tests.sh new file mode 100644 index 0000000000..e0a3582b7f --- /dev/null +++ b/bin/tests/system/ttl/tests.sh 
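Review bot: In ns2/named.conf.in the control channel is bound with `inet 10.53.0.3 port @CONTROLPORT@`, while every other address in the file (listen-on, query-source, notify-source, transfer-source) is 10.53.0.2 and this test has no ns3, so it looks like a copy-and-paste slip from another test; it should read `inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };`. As written the server would bind its rndc socket on an address that belongs to no server in this test, and any future rndc call against ns2 in tests.sh would fail for a non-obvious reason. The fixed `1234abcd8765` secret with `allow { any; }` is the usual fixture and acceptable here only because the addresses are loopback aliases of the test host.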
@@ -0,0 +1,35 @@ +#!/bin/sh + +. ../conf.sh + +dig_with_options() { "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"; } + +status=0 +t=0 + +echo_i "testing min-cache-ttl" +t=$((t+1)) +dig_with_options IN SOA min-example. @10.53.0.2 > dig.out.${t} +TTL=$(< dig.out.${t} awk '{ print $2; }') +[ "$TTL" -eq 60 ] || status=$((status+1)) + +echo_i "testing min-ncache-ttl" +t=$((t+1)) +dig_with_options IN MX min-example. @10.53.0.2 > dig.out.${t} +TTL=$(< dig.out.${t} awk '{ print $2; }') +[ "$TTL" -eq 30 ] || status=$((status+1)) + +echo_i "testing max-cache-ttl" +t=$((t+1)) +dig_with_options IN SOA max-example. @10.53.0.2 > dig.out.${t} +TTL=$(< dig.out.${t} awk '{ print $2; }') +[ "$TTL" -eq 120 ] || status=$((status+1)) + +echo_i "testing max-ncache-ttl" +t=$((t+1)) +dig_with_options IN MX max-example. @10.53.0.2 > dig.out.${t} +TTL=$(< dig.out.${t} awk '{ print $2; }') +[ "$TTL" -eq 60 ] || status=$((status+1)) + +echo_i "exit status: $status" +[ $status -eq 0 ] || exit 1 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 6d50a37cdb..d03dfa1434 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -4311,6 +4311,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] max-ncache-ttl, max-stale-ttl, max-cache-size, and + min-cache-ttl, + min-ncache-ttl, zero-no-soa-ttl. 
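Review bot: Each check in tests.sh reduces dig's output with `awk '{ print $2; }'` and passes the result to `[ "$TTL" -eq 60 ]`, which breaks as soon as the output has zero lines or more than one: an empty or multi-line `$TTL` makes test(1) emit an "integer expression expected" error, so a failure surfaces as shell noise rather than a clear mismatch, and the NODATA cases silently depend on only the authority SOA being printed. Selecting the record type and stopping after the first match is more robust, `TTL=$(awk '$4 == "SOA" { print $2; exit }' dig.out.${t})`, with a `case "$TTL" in ''|*[!0-9]*) status=$((status+1)); continue;; esac`-style guard before the numeric compare. The script also has no license header unlike the neighbouring tests.sh files, which util/copyrights records by listing it with type `X`.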
@@ -8995,6 +8997,38 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; + + min-ncache-ttl + + + To reduce network traffic and increase performance, the server + stores negative answers. min-ncache-ttl is + used to set a minimum retention time for these answers in the + server in seconds. For convenience, TTL-style time unit + suffixes may be used to specify the value. The default + min-ncache-ttl is 0 + seconds. min-ncache-ttl cannot exceed 90 + seconds and will be truncated to 90 seconds if set to a + greater value. + + + + + + min-cache-ttl + + + Sets the minimum time for which the server will cache ordinary + (positive) answers in seconds. For convenience, TTL-style time + unit suffixes may be used to specify the value. The default + min-cache-ttl is 0 + seconds. min-cache-ttl cannot exceed 90 + seconds and will be truncated to 90 seconds if set to a + greater value. + + + + max-ncache-ttl diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 6424f21f6f..04e226141a 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -216,6 +216,22 @@ must be only enabled for the systems where FIPS mode is available. + + + Two new configuration options min-cache-ttl and + min-ncache-ttl has been added to allow the BIND 9 + administrator to override the minimum TTL in the received DNS records + (positive caching) and for storing the information about non-existent + records (negative caching). The configured minimum TTL for both + configuration options cannot exceed 90 seconds. + + + + + The configuration option max-ncache-ttl was + silently capped to 7 days, and the upper limit is now enforced. + + diff --git a/doc/misc/options b/doc/misc/options index 441cda28df..02d05afdb5 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -89,9 +89,9 @@ options { bindkeys-file ; blackhole { ; ... }; cache-file ; - catalog-zones { zone [ default-masters [ port - ] [ dscp ] { ( | [ - port ] | [ port ] ) [ key + catalog-zones { zone [ default-masters [ port ] + [ dscp ] { ( | [ port + ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); @@ -183,7 +183,7 @@ options { fstrm-set-output-queue-model ( mpsc | spsc ); fstrm-set-output-queue-size ; fstrm-set-reopen-interval ; - geoip-directory ( | none ); + geoip-directory ( | none ); // not configured geoip-use-ecs ; // obsolete glue-cache ; has-old-clients ; // obsolete @@ -234,6 +234,8 @@ options { memstatistics ; memstatistics-file ; message-compression ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; min-roots ; // not implemented 
@@ -305,18 +307,17 @@ options { resolver-retry-interval ; response-padding { ; ... } block-size ; - response-policy { zone [ log ] [ - max-policy-ttl ] [ min-update-interval ] [ - policy ( cname | disabled | drop | given | no-op | nodata | - nxdomain | passthru | tcp-only ) ] [ - recursive-only ] [ nsip-enable ] [ - nsdname-enable ]; ... } [ break-dnssec ] [ - max-policy-ttl ] [ min-update-interval ] [ - min-ns-dots ] [ nsip-wait-recurse ] [ - qname-wait-recurse ] [ recursive-only ] [ - nsip-enable ] [ nsdname-enable ] [ - dnsrps-enable ] [ dnsrps-options { - } ]; + response-policy { zone [ log ] [ max-policy-ttl + ] [ min-update-interval ] [ policy ( cname | + disabled | drop | given | no-op | nodata | nxdomain | passthru + | tcp-only ) ] [ recursive-only ] [ + nsip-enable ] [ nsdname-enable ]; ... } [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ + nsip-wait-recurse ] [ qname-wait-recurse ] + [ recursive-only ] [ nsip-enable ] [ + nsdname-enable ] [ dnsrps-enable ] [ + dnsrps-options { } ]; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; @@ -457,9 +458,9 @@ view [ ] { auth-nxdomain ; // default changed auto-dnssec ( allow | maintain | off ); cache-file ; - catalog-zones { zone [ default-masters [ port - ] [ dscp ] { ( | [ - port ] | [ port ] ) [ key + catalog-zones { zone [ default-masters [ port ] + [ dscp ] { ( | [ port + ] | [ port ] ) [ key ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); @@ -574,6 +575,8 @@ view [ ] { max-udp-size ; max-zone-ttl ( unlimited | ); message-compression ; + min-cache-ttl ; + min-ncache-ttl ; min-refresh-time ; min-retry-time ; min-roots ; // not implemented 
@@ -635,18 +638,17 @@ view [ ] { resolver-retry-interval ; response-padding { ; ... } block-size ; - response-policy { zone [ log ] [ - max-policy-ttl ] [ min-update-interval ] [ - policy ( cname | disabled | drop | given | no-op | nodata | - nxdomain | passthru | tcp-only ) ] [ - recursive-only ] [ nsip-enable ] [ - nsdname-enable ]; ... } [ break-dnssec ] [ - max-policy-ttl ] [ min-update-interval ] [ - min-ns-dots ] [ nsip-wait-recurse ] [ - qname-wait-recurse ] [ recursive-only ] [ - nsip-enable ] [ nsdname-enable ] [ - dnsrps-enable ] [ dnsrps-options { - } ]; + response-policy { zone [ log ] [ max-policy-ttl + ] [ min-update-interval ] [ policy ( cname | + disabled | drop | given | no-op | nodata | nxdomain | passthru + | tcp-only ) ] [ recursive-only ] [ + nsip-enable ] [ nsdname-enable ]; ... } [ + break-dnssec ] [ max-policy-ttl ] [ + min-update-interval ] [ min-ns-dots ] [ + nsip-wait-recurse ] [ qname-wait-recurse ] + [ recursive-only ] [ nsip-enable ] [ + nsdname-enable ] [ dnsrps-enable ] [ + dnsrps-options { } ]; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index cdbc7270e4..b3098938a6 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c 
@@ -954,15 +954,25 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 uint32_t lifetime = 3600;
 const char *ccalg = "aes";
+ /*
+ * { "name", scale, value }
+ * (scale * value) <= UINT32_MAX
+ */
 static intervaltable intervals[] = {
- { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "heartbeat-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "interface-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-idle-in", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
- { "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "heartbeat-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "interface-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-idle-in", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
+ { "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
+
+ /* minimum and maximum cache and negative cache TTLs */
+ { "min-cache-ttl", 1, MAX_MIN_CACHE_TTL }, /* 90 secs */
+ { "max-cache-ttl", 1, UINT32_MAX }, /* no limit */
+ { "min-ncache-ttl", 1, MAX_MIN_NCACHE_TTL}, /* 90 secs */
+ { "max-ncache-ttl", 1, MAX_MAX_NCACHE_TTL }, /* 7 days */
 };
 static const char *server_contact[] = {
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index f796e268ed..92d4bdda71 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
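Review bot: The new `min-cache-ttl` and `min-ncache-ttl` rows make 90 seconds a hard bound in the intervals table, whereas the ARM text added by this same commit says such a value "will be truncated to 90 seconds"; assuming the loop over intervals[] (outside the hunk) treats an over-range value as an error the way it does for the existing rows, named-checkconf and named will reject the file rather than truncate, so either the documentation or the behaviour needs to change. The `{ "max-cache-ttl", 1, UINT32_MAX }` row can never trigger and reads as though a limit were enforced; a comment such as `/* listed for completeness: ttlval already fits uint32_t */` or dropping the row would avoid that. Note also that the table bounds each option on its own, so min-cache-ttl greater than max-cache-ttl (or the ncache pair) passes this check unremarked.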
@@ -20,6 +20,18 @@
 #include 
+#ifndef MAX_MIN_CACHE_TTL
+#define MAX_MIN_CACHE_TTL 90
+#endif /* MAX_MIN_CACHE_TTL */
+
+#ifndef MAX_MIN_NCACHE_TTL
+#define MAX_MIN_NCACHE_TTL 90
+#endif /* MAX_MIN_NCACHE_TTL */
+
+#ifndef MAX_MAX_NCACHE_TTL
+#define MAX_MAX_NCACHE_TTL 7 * 24 * 3600
+#endif /* MAX_MAX_NCACHE_TTL */
+
 ISC_LANG_BEGINDECLS
 isc_result_t
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 2942c26e97..c2e1e7be53 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -56,12 +56,14 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 dns_rdataset_t *addedrdataset);
 isc_result_t
 dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 dns_dbnode_t *node, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 bool optout, dns_rdataset_t *addedrdataset);
 /*%<
 * Convert the authority data from 'message' into a negative cache
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index c8c7f25536..ad626593c0 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -154,6 +154,8 @@ struct dns_view {
 bool sendcookie;
 dns_ttl_t maxcachettl;
 dns_ttl_t maxncachettl;
+ dns_ttl_t mincachettl;
+ dns_ttl_t minncachettl;
 uint32_t nta_lifetime;
 uint32_t nta_recheck;
 char *nta_file;
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 79bb5f1b76..1f060a4abc 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -45,7 +45,8 @@
 static isc_result_t
 addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 bool optout, bool secure,
 dns_rdataset_t *addedrdataset);
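Review bot: `#define MAX_MAX_NCACHE_TTL 7 * 24 * 3600` expands unparenthesised, so any use inside a larger expression (`x / MAX_MAX_NCACHE_TTL`, or a cast applied to it) binds differently than the name suggests; write `#define MAX_MAX_NCACHE_TTL (7 * 24 * 3600)`. Because all three limits sit under `#ifndef`, a build-time override silently changes the 90-second and 7-day figures the ARM quotes, which deserves a one-line comment above the block, e.g. `/* overridable at build time; the ARM documents these defaults */`. In the ncache.h hunk the new `minttl` parameter is not described in the `/*%<` comment that follows the prototypes (that comment continues outside the hunk); add a sentence such as "minttl is a floor applied to the negative TTL derived from the SOA/NSEC/NSEC3 records" next to the existing wording on maxttl.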
@@ -95,26 +96,29 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 dns_rdataset_t *addedrdataset)
 {
- return (addoptout(message, cache, node, covers, now, maxttl,
+ return (addoptout(message, cache, node, covers, now, minttl, maxttl,
 false, false, addedrdataset));
 }
 isc_result_t
 dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 dns_dbnode_t *node, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 bool optout, dns_rdataset_t *addedrdataset)
 {
- return (addoptout(message, cache, node, covers, now, maxttl,
+ return (addoptout(message, cache, node, covers, now, minttl, maxttl,
 optout, true, addedrdataset));
 }
 static isc_result_t
 addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 bool optout, bool secure,
 dns_rdataset_t *addedrdataset)
 {
@@ -179,10 +183,15 @@ addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 if (type == dns_rdatatype_soa ||
 type == dns_rdatatype_nsec ||
 type == dns_rdatatype_nsec3) {
- if (ttl > rdataset->ttl)
+ if (ttl > rdataset->ttl) {
 ttl = rdataset->ttl;
- if (trust > rdataset->trust)
+ }
+ if (ttl < minttl) {
+ ttl = minttl;
+ }
+ if (trust > rdataset->trust) {
 trust = rdataset->trust;
+ }
 /*
 * Copy the owner name to the buffer.
 */
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7ecd6ffbe9..c3f9b39c25 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
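Review bot: In addoptout the new floor `if (ttl < minttl) { ttl = minttl; }` is applied after the running minimum against `rdataset->ttl` but is never reconciled with `maxttl`, so a minttl larger than maxttl yields a negative-cache TTL above the configured ceiling, and a caller that passes `maxttl == 0` to suppress caching (both ncache_adderesult call sites in resolver.c show a `ttl = 0` branch feeding this parameter) now gets the entry stored for minttl seconds. Bounding the floor by the ceiling preserves both invariants with a one-line change, `ttl = ISC_MIN(minttl, maxttl);` in place of `ttl = minttl;`, assuming isc/util.h is already included here as in the rest of lib/dns. A short comment on the floor, e.g. `/* min-ncache-ttl floor; never above maxttl so a zero maxttl still means "do not cache" */`, would make the intent explicit for the next reader. The body of addoptout begins and ends outside this hunk.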
@@ -592,7 +592,9 @@ static bool fctx_unlink(fetchctx_t *fctx);
 static isc_result_t
 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now,
+ dns_ttl_t minttl,
+ dns_ttl_t maxttl,
 bool optout, bool secure,
 dns_rdataset_t *ardataset,
@@ -5464,8 +5466,10 @@ validated(isc_task_t *task, isc_event_t *event) {
 ttl = 0;
 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl, vevent->optout,
- vevent->secure, ardataset, &eresult);
+ covers, now,
+ fctx->res->view->minncachettl, ttl,
+ vevent->optout, vevent->secure,
+ ardataset, &eresult);
 if (result != ISC_R_SUCCESS)
 goto noanswer_response;
 goto answer_response;
@@ -5958,6 +5962,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 rdataset->ttl = res->view->maxcachettl;
 }
+ /*
+ * Enforce configured minimum cache TTL.
+ */
+ if (rdataset->ttl < res->view->mincachettl) {
+ rdataset->ttl = res->view->mincachettl;
+ }
+
 /*
 * Mark the rdataset as being prefetch eligible.
 */
@@ -6346,7 +6357,8 @@ cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
 */
 static isc_result_t
 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now,
+ dns_ttl_t minttl, dns_ttl_t maxttl,
 bool optout, bool secure,
 dns_rdataset_t *ardataset, isc_result_t *eresultp)
 {
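Review bot: In validated() the call now passes `fctx->res->view->minncachettl` together with a `ttl` that the context line immediately above deliberately zeroes (`ttl = 0;`), so a negative answer that this branch intends not to cache will be stored for min-ncache-ttl seconds once the floor is applied inside dns_ncache_add/addoptout; the ncache_message call on the next line has the same `ttl = 0` shape. Passing `ISC_MIN(fctx->res->view->minncachettl, ttl)` at both call sites, or having ncache_adderesult bound minttl by maxttl once before dispatching, keeps the zero meaningful. The enclosing functions start and end outside these hunks, so the condition that selects the zero-TTL branch is not visible here and I have not assumed what it is.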
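Review bot: In cache_name the new block `if (rdataset->ttl < res->view->mincachettl) { rdataset->ttl = res->view->mincachettl; }` runs after the max-cache-ttl cap shown as context just above it, so with min-cache-ttl configured above max-cache-ttl the stored TTL exceeds the cap the administrator set; either swap the two blocks or clamp the floor, `rdataset->ttl = ISC_MIN(res->view->mincachettl, res->view->maxcachettl);`. The comment `Enforce configured minimum cache TTL.` would be more useful if it also recorded the security trade-off, e.g. that raising a zone owner's low TTL lengthens the window in which a revoked or rotated record keeps being served from this cache, which is why the option is bounded to 90 seconds elsewhere in the commit. cache_name begins and ends outside the hunk.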
@@ -6359,10 +6371,10 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 }
 if (secure)
 result = dns_ncache_addoptout(message, cache, node, covers,
- now, maxttl, optout, ardataset);
+ now, minttl, maxttl, optout, ardataset);
 else
 result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
+ minttl, maxttl, ardataset);
 if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 /*
 * If the cache now contains a negative entry and we
@@ -6537,8 +6549,9 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 ttl = 0;
 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl, false,
- false, ardataset, &eresult);
+ covers, now,
+ fctx->res->view->minncachettl, ttl,
+ false, false, ardataset, &eresult);
 if (result != ISC_R_SUCCESS)
 goto unlock;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7467b6af39..15ab4e580b 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1929,6 +1929,8 @@ view_clauses[] = {
 { "max-stale-ttl", &cfg_type_ttlval, 0 },
 { "max-udp-size", &cfg_type_uint32, 0 },
 { "message-compression", &cfg_type_boolean, 0 },
+ { "min-cache-ttl", &cfg_type_ttlval, 0 },
+ { "min-ncache-ttl", &cfg_type_ttlval, 0 },
 { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
 { "minimal-any", &cfg_type_boolean, 0 },
 { "minimal-responses", &cfg_type_minimal, 0 },
diff --git a/util/copyrights b/util/copyrights
index 2e7b79a6f3..14bdcaba53 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1089,6 +1089,14 @@ ./bin/tests/system/tsiggss/prereq.sh SH 2010,2011,2012,2014,2016,2018 ./bin/tests/system/tsiggss/setup.sh SH 2010,2011,2012,2014,2016,2017,2018 ./bin/tests/system/tsiggss/tests.sh SH 2010,2011,2014,2016,2017,2018 +./bin/tests/system/ttl/clean.sh X 2018 +./bin/tests/system/ttl/ns1/max-example.db X 2018 +./bin/tests/system/ttl/ns1/min-example.db X 2018 +./bin/tests/system/ttl/ns1/named.conf.in X 2018 +./bin/tests/system/ttl/ns2/hints.db X 2018 +./bin/tests/system/ttl/ns2/named.conf.in X 2018 +./bin/tests/system/ttl/setup.sh X 2018 +./bin/tests/system/ttl/tests.sh X 2018 ./bin/tests/system/unknown/clean.sh SH 2000,2001,2004,2007,2012,2013,2014,2015,2016,2018 ./bin/tests/system/unknown/large.out X 2012,2018 ./bin/tests/system/unknown/ns3/sign.sh SH 2012,2014,2016,2017,2018