mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-28 04:34:54 -04:00
1bedd7f244
Add a hard limit on the number of addresses that ADB returns from a single NS lookup (dns_adbfind_t). This mitigates a flood attack where an attacker controls a zone with many addresses for a nameserver, each returning an invalid response. The global max-query count (default 50) also limits this, but significant harm can be done before that limit is reached. The default limit is now 6 (v4 and/or v6) addresses for an ADB find (so, ADB looking up for A/AAAA addresses of a name server name). It can be overridden for testing via 'named -T adbaddrslimit=N'. (cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b) |
||
|---|---|---|
| .. | ||
| check | ||
| confgen | ||
| delv | ||
| dig | ||
| dnssec | ||
| named | ||
| nsupdate | ||
| plugins | ||
| rndc | ||
| tests | ||
| tools | ||
| Makefile.am | ||