Two diffs for the price of one!

1) From upcoming nsd 4.1.22:
   refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
   and allows TCP queries like normal.

2) turn on minimal-responses and refuse-any per default

I think these are better / sane defaults.

I take OKs for both or for the first one if there are objections to
changing defaults from upstream.

diff --git nsd.conf.5.in nsd.conf.5.in
index bdac602efb8..78215a9c891 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -380,7 +380,8 @@ The default is no.
 .B refuse\-any:\fR <yes or no>
 Refuse queries of type ANY.  This is useful to stop query floods trying
 to get large responses.  Note that rrl ratelimiting also has type ANY as
-a ratelimiting type.
+a ratelimiting type.  It sends truncation in response to UDP type ANY queries,
+and it allows TCP type ANY queries like normal.
 The default is no.
 .TP
 .B zonefiles\-check:\fR <yes or no>
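Review bot: the opening sentence "Refuse queries of type ANY." now contradicts the two added lines, since UDP ANY queries are no longer refused but answered with TC set and TCP ANY queries are served normally. Suggest rewording the start of the entry to something like "Truncate responses to type ANY queries over UDP (setting TC so the client retries over TCP); type ANY queries over TCP are answered normally." so the documented behaviour, and the reason a legitimate resolver still gets its data, is clear; "like normal" reads better as "as usual".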
diff --git query.c query.c
index 29cf9f45562..48261d87404 100644
--- query.c
+++ query.c
@@ -1490,8 +1490,10 @@ query_process(query_type *q, nsd_type *nsd)
        if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR) {
                return query_state;
        }
-       if(q->qtype == TYPE_ANY && nsd->options->refuse_any)
-               return query_error(q, NSD_RC_REFUSE);
+       if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
+               TC_SET(q->packet);
+               return query_error(q, NSD_RC_OK);
+       }
 
        answer_query(nsd, q);
 
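Review bot: TC_SET(q->packet) is called before query_error(q, NSD_RC_OK), so the change relies on query_error() leaving the header flag bits intact while it empties the answer; please confirm it does not rewrite the flags byte, or set TC after it returns, otherwise the client never sees the truncation and gets an empty NOERROR reply instead of the intended TCP retry. A one-line comment above the block explaining why a truncated NOERROR is preferred over REFUSED (the legitimate client retries over TCP, where the large ANY answer cannot be reflected, while the UDP reply stays tiny) would help the next reader. The !q->tcp test matches the man page wording in the first hunk.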

------------------------------------------------------------------------

diff --git nsd.conf.5.in nsd.conf.5.in
index 78215a9c891..33044879f08 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -375,14 +375,14 @@ Extra data is only added for referrals, when it is really 
necessary.
 This is different from the \-\-enable-minimal-responses configure time option,
 that reduces packets, but exactly to the fragmentation length, the nsd.conf
 option reduces packets as small as possible.
-The default is no.
+The default is yes.
 .TP
 .B refuse\-any:\fR <yes or no>
 Refuse queries of type ANY.  This is useful to stop query floods trying
 to get large responses.  Note that rrl ratelimiting also has type ANY as
 a ratelimiting type.  It sends truncation in response to UDP type ANY queries,
 and it allows TCP type ANY queries like normal.
-The default is no.
+The default is yes.
 .TP
 .B zonefiles\-check:\fR <yes or no>
 Make NSD check the mtime of zone files on start and sighup.  If you
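Review bot: the two "The default is yes." lines now document a local default that differs from what upstream NSD ships; a short note in the man page (or at least in the commit message) that these defaults are changed from upstream would spare users who compare against upstream documentation or migrate configurations. Since refuse-any now defaults to yes, the entry should also spell out that clients relying on ANY over UDP receive an empty truncated answer and must fall back to TCP, which is the operational change an administrator is most likely to notice after updating.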
diff --git options.c options.c
index d0bed6a9b94..a74218b345c 100644
--- options.c
+++ options.c
@@ -64,8 +64,8 @@ nsd_options_create(region_type* region)
        opt->logfile = 0;
        opt->log_time_ascii = 1;
        opt->round_robin = 0; /* also packet.h::round_robin */
-       opt->minimal_responses = 0; /* also packet.h::minimal_responses */
-       opt->refuse_any = 0;
+       opt->minimal_responses = 1; /* also packet.h::minimal_responses */
+       opt->refuse_any = 1;
        opt->server_count = 1;
        opt->tcp_count = 100;
        opt->tcp_query_count = 0;
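Review bot: the comment "also packet.h::minimal_responses" on the changed line points at a second copy of this default in packet.h that this diff does not touch; check whether packet.h's minimal_responses needs the same value of 1 so the compiled-in default and the options struct agree, otherwise behaviour before the config file is parsed may differ from what the man page now states. refuse_any carries no such twin comment, so the single assignment looks sufficient there.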



-- 
I'm not entirely sure you are real.
