mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-09 01:30:39 -04:00
In order to protect from a malicious DNS client that sends many queries with a SIG(0)-signed message, add a quota of simultaneously running SIG(0) checks.

This protection can only help when named is using more than one worker thread. For example, if named is running with the '-n 4' option, and 'sig0checks-quota 2;' is used, then named will make sure to not use more than 2 workers for the SIG(0) signature checks in parallel, thus leaving the other workers to serve the remaining clients which do not use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum amount of time for named to wait for a quota to appear. If during that time no new quota becomes available, named will answer the client with DNS_R_REFUSED.
||
|---|---|---|
| .. | ||
| cfg_test.c | ||
| checkgrammar.py | ||
| dnssec-policy.default.conf | ||
| forward.zoneopt | ||
| hint.zoneopt | ||
| in-view.zoneopt | ||
| Makefile.am | ||
| mirror.zoneopt | ||
| options | ||
| parsegrammar.py | ||
| primary.zoneopt | ||
| redirect.zoneopt | ||
| rndc.grammar | ||
| secondary.zoneopt | ||
| sort-options.pl | ||
| static-stub.zoneopt | ||
| stub.zoneopt | ||