add option to limit the maximum number of cached signatures

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index cff84a2fb5e344125d1a9041f5c00e66ec403af2..e310757540441c0120f13d489773d942b9fcd221 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -148,6 +148,7 @@ void declareArguments()
   ::arg().set("setgid","If set, change group id to this gid for more security")="";
 
   ::arg().set("max-cache-entries", "Maximum number of cache entries")="1000000";
+  ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
   ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
   ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
 

diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 55b8fd8138dd5e3bae75de8ec72763e2d199a54e..19a459fa0544e9ecc3f16b90b1af3e31aaac6042 100644 (file)
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -26,6 +26,7 @@
 #include "dnsseckeeper.hh"
 #include "dns_random.hh"
 #include "lock.hh"
+#include "arguments.hh"
 
 /* this is where the RRSIGs begin, keys are retrieved,
    but the actual signing happens in fillOutRRSIG */
@@ -148,8 +149,10 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
     WriteLock l(&g_signatures_lock);
     /* we add some jitter here so not all your slaves start pruning their caches at the very same millisecond */
     int weekno = (time(0) - dns_random(3600)) / (86400*7);  // we just spent milliseconds doing a signature, microsecond more won't kill us
+    const static int maxcachesize=::arg().asNum("max-signature-cache-entries", INT_MAX);
   
-    if(g_cacheweekno < weekno) {  // blunt but effective (C) Habbie
+    if(g_cacheweekno < weekno || g_signatures.size() >= (uint) maxcachesize) {  // blunt but effective (C) Habbie, mind04
+      L<<Logger::Warning<<"Cleared signature cache."<<endl;
       g_signatures.clear();
       g_cacheweekno = weekno;
     }

diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 5541c442baa96d6fb1734ffb29887e23be9b6b65..42934587389b5e1ea99acaebaa0fd85071d99856 100644 (file)
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -12830,6 +12830,14 @@ UPDATE records SET auth=1 WHERE auth IS NULL;
             </para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term>max-signature-cache-entries</term>
+          <listitem>
+            <para>
+              Maximum number of signatures cache entries
+            </para>
+          </listitem>
+        </varlistentry>
         <varlistentry>
           <term>local-address-nonexist-fail</term>
           <listitem>

diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index fc767ac65c680ea6d6eb65d3a06afcef52c95ee7..5795a1d938d93d9fabad40612851094947fef307 100644 (file)
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -274,6 +274,11 @@
 #
 # max-queue-length=5000
 
+#################################
+# max-signature-cache-entries  Maximum number of signatures cache entries
+#
+# max-signature-cache-entries=
+
 #################################
 # max-tcp-connections  Maximum number of TCP connections
 #

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 06687b79467eea6e4bef01128cd341b97a377392..17b3f934f6800fa21d90cb4a2bfee97768c29a51 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -138,6 +138,7 @@ void loadMainConfig(const std::string& configdir)
 
   ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
   ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
+  ::arg().set("max-signature-cache-entries", "Maximum number of signatures cache entries")="";
   ::arg().laxFile(configname.c_str());
 
   BackendMakers().launch(::arg()["launch"]); // vrooooom!