From: Bert Hubert Date: Fri, 19 May 2006 14:35:27 +0000 (+0000) Subject: make RFC 2181 'authoritative zone can lower NS TTL' configurable and off by default... X-Git-Tag: rec-3.1.2~26 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=36cbe5c813581c21a4e2f7d62259ab2f4e2b6b6b;p=pdns make RFC 2181 'authoritative zone can lower NS TTL' configurable and off by default, as it serves no purpose git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@838 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 22b3b936c..d055275fd 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml @@ -83,7 +83,7 @@ Recursor version 3.1 (UNRELEASED) - Unreleased, pre-releases available here. + Unreleased, pre-releases available here. After version 3.0.1 has proved to hold up very well under tremendous loads, 3.1 adds important new features: @@ -182,6 +182,17 @@ The top-remotes would list remotes duplicately, once per source port. Discovered by Jorn Ekkelenkamp, fixed in c827, which is post 3.1-pre1. + + + Default allow-from allowed queries from fe80::/16, corrected to fe80::/10. Spotted by Niels Bakker, fixed in c829, which is post 3.1-pre1. + + + + + While PowerDNS blocks failing queries quickly, multiple packets could briefly be in flight for the same domain and nameserver. This situation is now + explicitly detected and queries are chained to identical queries already in flight. Fixed in c833 and c834, post 3.1-pre1. + + 
@@ -215,11 +226,31 @@ :: IPv6 address. Lack of feature noted by Marcus 'darix' Rueckert. Fixed in c826, which is post 3.1-pre1. - + Errors before daemonizing are now also sent to syslog. Suggested by Marcus 'darix' Rueckert. Fixed in c825, which is post 3.1-pre1. + + + When launching without any form of configured network connectivity, all root-servers would be cached as 'down' for some time. Detect this special case + and treat it as a resource-constraint, which is not accounted against specific nameservers. Spotted by Seth Arnold, fixed in c835, which is post 3.1-pre1. + + + + + The recursor now does not allow authoritative servers to keep supplying its own NS records into perpetuity, which causes problems + when a domain is redelegated but the old authorative servers are not updated to this effect. Noticed and explained at length by Darren + Gamble of Shaw Communications, addressed by c837, which is post 3.1-pre2. + + + + + Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This harms performance and does not solve any real problem, + but does make PowerDNS more compliant. If you want this, enable auth-can-lower-ttl. Implemented in c839, which is + post 3.1-pre2. + + @@ -6228,6 +6259,17 @@ local0.err /var/log/pdns.err + + auth-can-lower-ttl + + + Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a + 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. + This will mean a slight deterioration of performance, and it will not solve any problems, but does make + the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default. + + + auth-zones diff --git a/pdns/docs/pdns_recursor.1.txt b/pdns/docs/pdns_recursor.1.txt index 7c9c465c9..5b33f6ff2 100644 --- a/pdns/docs/pdns_recursor.1.txt +++ b/pdns/docs/pdns_recursor.1.txt 
@@ -50,6 +50,12 @@ For authoritative listing of options, consult the documentation referenced above
 --allow-from:: If set, only allow these comma separated netmasks to recurse
+--auth-can-lower-ttl:: Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will mean a slight deterioration of performance, and it will not solve any problems, but does make the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default.
+
 --auth-zones:: Comma separated list of 'zonename=filename' pairs. Zones read from these files are served authoritatively. Example: auth-zones=
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index dd9c4717f..47532483f 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1446,7 +1446,8 @@ int serviceMain(int argc, char*argv[])
 ::arg().set("quiet")="no";
 g_quiet=false;
 }
-
+
+ RC.d_followRFC2181=::arg().mustDo("auth-can-lower-ttl");
 if(!::arg()["query-local-address6"].empty()) {
 SyncRes::s_doIPv6=true;
@@ -1655,6 +1656,7 @@ int main(int argc, char **argv)
 ::arg().set("forward-zones", "Zones for which we forward queries, comma separated domain=ip pairs")="";
 ::arg().set("export-etc-hosts", "If we should serve up contents from /etc/hosts")="off";
 ::arg().set("serve-rfc1918", "If we should be authoritative for RFC 1918 private IP space")="";
+ ::arg().set("auth-can-lower-ttl", "If we follow RFC 2181 to the letter, an authoritative server can lower the TTL of NS records")="off";
 ::arg().setCmd("help","Provide a helpful message");
 ::arg().setCmd("config","Output blank configuration");
diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc
index af1b0ec4f..e18f6940c 100644
--- a/pdns/recursor_cache.cc
+++ b/pdns/recursor_cache.cc
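Review bot: The help string registered for auth-can-lower-ttl in the main() hunk promises an effect limited to NS records, but the condition it gates in recursor_cache.cc (`if(i->ttl > j->d_ttd || (auth && d_followRFC2181) )`) carries no qtype test, so with the default "off" an authoritative answer can no longer shorten the cached lifetime of any record type, while the NS-specific guard on the preceding line only covers the raise case. If NS-only scope is what is intended, narrow the cache condition to something like `if(i->ttl > j->d_ttd || (auth && (d_followRFC2181 || qt.getCode()!=QType::NS)))`; otherwise reword the help string and the manual entries to say that authoritative answers never lower cached TTLs unless the option is set. In the serviceMain hunk, `RC.d_followRFC2181=::arg().mustDo("auth-can-lower-ttl");` writes a public data member of the cache object directly; a small setter on MemRecursorCache would keep that state change explicit and greppable. Both serviceMain and main continue outside their hunks.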
@@ -235,7 +235,7 @@ void MemRecursorCache::replace(time_t now, const string &qname, const QType& qt,
 /* see http://mailman.powerdns.com/pipermail/pdns-users/2006-May/003413.html */
 if(j->d_ttd > now && i->ttl > j->d_ttd && qt.getCode()==QType::NS && auth) // don't allow auth servers to *raise* TTL of an NS record
 continue;
- if(i->ttl > j->d_ttd || auth) // authoritative packets can override the TTL to be lower
+ if(i->ttl > j->d_ttd || (auth && d_followRFC2181) ) // authoritative packets can override the TTL to be lower
 j->d_ttd=i->ttl;
 }
 }
diff --git a/pdns/recursor_cache.hh b/pdns/recursor_cache.hh
index e6132fc6b..f4d28c1c5 100644
--- a/pdns/recursor_cache.hh
+++ b/pdns/recursor_cache.hh
@@ -27,7 +27,7 @@ using namespace ::boost::multi_index;
 class MemRecursorCache : public boost::noncopyable // : public RecursorCache
 {
 public:
- MemRecursorCache() : d_cachecachevalid(false)
+ MemRecursorCache() : d_followRFC2181(false), d_cachecachevalid(false)
 {}
 unsigned int size();
 unsigned int bytes();
@@ -38,6 +38,7 @@ public:
 void doDumpAndClose(int fd);
 int doWipeCache(const string& name);
 uint64_t cacheHits, cacheMisses;
+ bool d_followRFC2181;
 private:
 struct StoredRecord
@@ -111,7 +112,6 @@ private:
 > > cache_t;
-private:
 cache_t d_cache;
 pair d_cachecache;
 string d_cachedqname;
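Review bot: The trailing comment on the changed line, `// authoritative packets can override the TTL to be lower`, is now stale: it only holds when d_followRFC2181 is set, and the unconditional raise guard on the line above means that with the option off an authoritative NS answer never changes an existing entry's d_ttd at all, which is the behaviour the commit message asks for but nothing in the code says. I would replace it with `// authoritative packets may lower the TTL only when auth-can-lower-ttl is on (RFC 2181 5.2/5.4); otherwise the cached TTD can only grow`. Note also that `i->ttl` is being compared and assigned to `j->d_ttd`, so it appears to already be an absolute time-to-die rather than a TTL; if so, a comment to that effect would spare the next reader the same double-take. replace() begins before this hunk.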
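Review bot: `bool d_followRFC2181;` is added as a public, undocumented data member sitting between the hit/miss counters and `private:`, and the only thing that tells a reader what it controls is a grep for the option name elsewhere. Give it a doc comment such as `//! when true, authoritative answers may lower a cached record's TTD (RFC 2181 5.2/5.4); set from auth-can-lower-ttl` or, better, make it private with a setter so the cache owns its own policy state. The constructor hunk initialises it before d_cachecachevalid, which avoids a reorder warning only if d_cachecachevalid is declared later in the private section, which this hunk does not show. The class definition continues past these hunks.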