Adjust default value of "max-recursion-queries"

Since the queries sent towards root and TLD servers are now included in the count (as a result of the fix for CVE-2020-8616), "max-recursion-queries" has a higher chance of being exceeded by non-attack queries. Increase its default value from 75 to 100. (cherry picked from commit ab0bf49203)
2026-02-26 19:41:04 -05:00 · 2020-11-26 15:59:14 +11:00 · 2020-11-26 15:59:14 +11:00 · 5c10b5a4e8
commit 5c10b5a4e8
parent c4178b7d8d
5 changed files with 12 additions and 3 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
+			100. [GL #2305]
+
 5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
 			[GL #2315]

--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -168,7 +168,7 @@ options {\n\
 	max-clients-per-query 100;\n\
 	max-ncache-ttl 10800; /* 3 hours */\n\
 	max-recursion-depth 7;\n\
-	max-recursion-queries 75;\n\
+	max-recursion-queries 100;\n\
 	max-stale-ttl 43200; /* 12 hours */\n\
 	message-compression yes;\n\
 	min-ncache-ttl 0; /* 0 hours */\n\
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3500,7 +3500,7 @@ Tuning
 ``max-recursion-queries``
   This sets the maximum number of iterative queries that may be sent while
   servicing a recursive query. If more queries are sent, the recursive
-   query is terminated and returns SERVFAIL. The default is 75.
+   query is terminated and returns SERVFAIL. The default is 100.

 ``notify-delay``
   This sets the delay, in seconds, between sending sets of notify messages for a
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -40,6 +40,12 @@ Feature Changes
  configuration. A new option 'nsec3param' can be used to set the desired
  NSEC3 parameters, and will detect collisions when resalting. [GL #1620].

+- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the
+  queries sent towards root and TLD servers are now included in the
+  count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries``
+  has a higher chance of being exceeded by non-attack queries, which is the
+  main reason for increasing its default value. [GL #2305]
+
 Bug Fixes
 ~~~~~~~~~

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -181,7 +181,7 @@

 /* The default maximum number of iterative queries to allow before giving up. */
 #ifndef DEFAULT_MAX_QUERIES
-#define DEFAULT_MAX_QUERIES 75
+#define DEFAULT_MAX_QUERIES 100
 #endif /* ifndef DEFAULT_MAX_QUERIES */

 /*