Mark Andrews <ma...@isc.org> writes: > The [func] below are bug fixes / security fixes.
Umh, using a very relaxed definition maybe... I was very happy to see this feature added in 9.9.8, and I can certainly agree that it is security related. But I hardly think it is suitable for the strict "no new features" policy that many stable distros enforce: > +3938. [func] Added quotas to be used in recursive resolvers > + that are under high query load for names in zones > + whose authoritative servers are nonresponsive or > + are experiencing a denial of service attack. > + > + - "fetches-per-server" limits the number of > + simultaneous queries that can be sent to any > + single authoritative server. The configured > + value is a starting point; it is automatically > + adjusted downward if the server is partially or > + completely non-responsive. The algorithm used to > + adjust the quota can be configured via the > + "fetch-quota-params" option. > + - "fetches-per-zone" limits the number of > + simultaneous queries that can be sent for names > + within a single domain. (Note: Unlike > + "fetches-per-server", this value is not > + self-tuning.) > + - New stats counters have been added to count > + queries spilled due to these quotas. > + > + These options are not available by default; > + use "configure --enable-fetchlimit" (or > + --enable-developer) to include them in the build. > + > + See the ARM for details of these options. [RT #37125] Yes, I know they could still upgrade to 9.9.8 without this particular feature, by simply not enabling it in the build. But the restricted feature set policy tends to be applied on a source level. Playing the devil's advocate here... As I said, I was really happy to see this feature in 9.9.8 myself. Bjørn
