Two diffs for the price of one!
1) From upcoming nsd 4.1.22:
refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.
2) turn on minimal-responses and refuse-any by default
I think these are better / sane defaults.
I take OKs for both or for the first one if there are objections to
changing defaults from upstream.
diff --git nsd.conf.5.in nsd.conf.5.in
index bdac602efb8..78215a9c891 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -380,7 +380,8 @@ The default is no.
.B refuse\-any:\fR <yes or no>
Refuse queries of type ANY. This is useful to stop query floods trying
to get large responses. Note that rrl ratelimiting also has type ANY as
-a ratelimiting type.
+a ratelimiting type. It sends truncation in response to UDP type ANY queries,
+and it allows TCP type ANY queries like normal.
The default is no.
.TP
.B zonefiles\-check:\fR <yes or no>
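Review bot: the opening sentence of the refuse-any entry still says the option refuses queries of type ANY, but the text added at L18-L19 says UDP queries now get a truncated reply and TCP queries are answered like normal, so nothing is refused any more and the first sentence contradicts the rest of the paragraph. Reword the lead along the lines of "Answer UDP queries of type ANY with an empty truncated reply, so that clients retry over TCP" and say that the truncated reply carries rcode NOERROR (which is what the query.c hunk returns), so an operator probing the server knows what to expect.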
diff --git query.c query.c
index 29cf9f45562..48261d87404 100644
--- query.c
+++ query.c
@@ -1490,8 +1490,10 @@ query_process(query_type *q, nsd_type *nsd)
if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR) {
return query_state;
}
- if(q->qtype == TYPE_ANY && nsd->options->refuse_any)
- return query_error(q, NSD_RC_REFUSE);
+ if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
+ TC_SET(q->packet);
+ return query_error(q, NSD_RC_OK);
+ }
answer_query(nsd, q);
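Review bot: query_error(q, NSD_RC_OK) at L35 builds a non-error reply through the error path, and without a comment the next reader will read the OK rcode as a typo; add a one-line comment above L34 stating the intent (empty NOERROR answer with TC set so the resolver retries over TCP) and confirm that query_error() keeps the question section and only zeroes the answer/authority/additional counts, otherwise the truncated reply is malformed. Note also that the !q->tcp guard at L33 means the TCP path now answers ANY in full where it used to return REFUSED, so the only remaining flood protection for ANY is the client's TCP retry plus rrl, which the man page text above should make explicit.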
------------------------------------------------------------------------
diff --git nsd.conf.5.in nsd.conf.5.in
index 78215a9c891..33044879f08 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -375,14 +375,14 @@ Extra data is only added for referrals, when it is really
necessary.
This is different from the \-\-enable-minimal-responses configure time option,
that reduces packets, but exactly to the fragmentation length, the nsd.conf
option reduces packets as small as possible.
-The default is no.
+The default is yes.
.TP
.B refuse\-any:\fR <yes or no>
Refuse queries of type ANY. This is useful to stop query floods trying
to get large responses. Note that rrl ratelimiting also has type ANY as
a ratelimiting type. It sends truncation in response to UDP type ANY queries,
and it allows TCP type ANY queries like normal.
-The default is no.
+The default is yes.
.TP
.B zonefiles\-check:\fR <yes or no>
Make NSD check the mtime of zone files on start and sighup. If you
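Review bot: both entries now read "The default is yes" at L49 and L57, which diverges from upstream nsd's documented defaults (the first diff's man page text still says no for both); since this is a local default change, add a phrase such as "On this platform the default is yes" so a user cross-checking against upstream's nsd.conf(5) understands the difference, and check whether any shipped example nsd.conf also needs the same values so the documentation and the sample configuration agree.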
diff --git options.c options.c
index d0bed6a9b94..a74218b345c 100644
--- options.c
+++ options.c
@@ -64,8 +64,8 @@ nsd_options_create(region_type* region)
opt->logfile = 0;
opt->log_time_ascii = 1;
opt->round_robin = 0; /* also packet.h::round_robin */
- opt->minimal_responses = 0; /* also packet.h::minimal_responses */
- opt->refuse_any = 0;
+ opt->minimal_responses = 1; /* also packet.h::minimal_responses */
+ opt->refuse_any = 1;
opt->server_count = 1;
opt->tcp_count = 100;
opt->tcp_query_count = 0;
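Review bot: the comment on L71 says the default is mirrored in packet.h::minimal_responses, but this diff only flips the options.c value; verify that the packet.h global is assigned from opt->minimal_responses unconditionally at startup (not only when nsd.conf sets the option explicitly), otherwise a config file without a minimal-responses line will document yes in the man page but still behave as no. The refuse_any flip on L72 has no such mirror and needs no further change.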
--
I'm not entirely sure you are real.