4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
(cherry picked from commit ce9f893e21)
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
These options are not available by default;
use "configure --enable-fetchlimit" (or
--enable-developer) to include them in the build.
See the ARM for details of these options. [RT #37125]
4094. [bug] A race during shutdown or reconfiguration could
cause an assertion in mem.c. [RT #38979]
(cherry picked from commit 2cfe85e6ee33ec97102b6e2e80c86f827bba8594)
(cherry picked from commit 4426003759850ebef210abd2fa339b57ddda3355)
Also enable querytrace when --enable-developer is specified.
(cherry picked from commit 84f95ddb25)
(cherry picked from commit 5ec24730f9)
Conflicts:
config.h.win32
win32utils/Configure
