ANY queries are widely abused by attackers doing reflection attacks as
they return the largest answers. Enable minimal ANY answers by default
to reduce the attack surface of the DNS servers.
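
To illustrate the size difference the first commit message refers to, this added example (not part of the commit or the BIND source) builds wire-format ANY responses for a constructed name and compares answering with every RRset against answering with a single RRset, which is what minimal ANY does. The name, the records and the helper functions are assumptions made for illustration.

```python
import struct

QTYPE_ANY, CLASS_IN = 255, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def rr(rtype, rdata, ttl=3600):
    """One answer record; the owner is a compression pointer to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def message(qname, rrsets=(), response=False):
    """Build a DNS message carrying an ANY question and the given answer RRsets."""
    answers = [rec for rrset in rrsets for rec in rrset]
    flags = 0x8400 if response else 0x0000  # QR+AA for responses, none for the query
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)
    return header + question + b"".join(answers)

# Constructed zone data for a hypothetical name; values are illustrative only.
QNAME = "example.com"
RRSETS = [
    [rr(1, bytes([192, 0, 2, 1])), rr(1, bytes([192, 0, 2, 2]))],  # A
    [rr(28, bytes.fromhex("20010db8" + "00" * 11 + "01"))],        # AAAA
    [rr(16, bytes([200]) + b"v" * 200)],                           # TXT
]

def amplification(minimal_any):
    """Response/query size ratio with all RRsets, or with only the first one."""
    query = message(QNAME)
    served = RRSETS[:1] if minimal_any else RRSETS
    return len(message(QNAME, served, response=True)) / len(query)

if __name__ == "__main__":
    print(f"full ANY:    {amplification(False):.1f}x")
    print(f"minimal ANY: {amplification(True):.1f}x")
```

Real zones also carry NS, SOA, DNSKEY and RRSIG records at the apex, so the full-ANY ratio on a signed zone is larger than with this constructed data.
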

Currently we add an rrset-order cyclic statement to the default config.
Since the rrset-order allows matching a subset of all names, it must
be implemented with a string comparison against a wildcard, and since
the statement applies per rrset, this can result in millions of
comparisons per second on a busy authoritative server.
This commit removes rrset-order from the default config, but adds back
a code shim in query_setorder to preserve the previous behaviour.

Two programs need to be able to provide the effective configuration:
named (through a future rndc command) and named-checkconf (through a
future command line switch). In order to calculate the effective
configuration from named-checkconf, the default configuration
needs to be accessible.
The default configuration has now been moved from bin/named/config.c
into a common include directory for binaries: bin/include/defaultconfig.h.