mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-09 17:50:52 -04:00
c7f79a0353
In order to protect from a malicious DNS client that sends many queries with a SIG(0)-signed message, add a quota of simultaneously running SIG(0) checks. This protection can only help when named is using more than one worker threads. For example, if named is running with the '-n 4' option, and 'sig0checks-quota 2;' is used, then named will make sure to not use more than 2 workers for the SIG(0) signature checks in parallel, thus leaving the other workers to serve the remaining clients which do not use SIG(0)-signed messages. That limitation is going to change when SIG(0) signature checks are offloaded to "slow" threads in a future commit. The 'sig0checks-quota-exempt' ACL option can be used to exempt certain clients from the quota requirements using their IP or network addresses. The 'sig0checks-quota-maxwait-ms' option is used to define a maximum amount of time for named to wait for a quota to appear. If during that time no new quota becomes available, named will answer to the client with DNS_R_REFUSED. |
||
|---|---|---|
| .. | ||
| check | ||
| confgen | ||
| delv | ||
| dig | ||
| dnssec | ||
| named | ||
| nsupdate | ||
| plugins | ||
| rndc | ||
| tests | ||
| tools | ||
| Makefile.am | ||