From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 21 Feb 2018 11:52:54 +0000 (+0100)
Subject: rec: Implement settable AXFR timeout for RPZ
X-Git-Tag: dnsdist-1.3.0~83^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea448a77fd2c664893e961b21d26408879e20360;p=pdns

rec: Implement settable AXFR timeout for RPZ
---

diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index 882ae4efe..e42ce1f4b 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -141,6 +141,7 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
       TSIGTriplet tt;
       uint32_t refresh=0;
       size_t maxReceivedXFRMBytes = 0;
+      uint16_t axfrTimeout = 20;
       uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
       ComboAddress localAddress;
       ComboAddress master(master_, 53);
@@ -170,6 +171,9 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
           if(have.count("localAddress")) {
             localAddress = ComboAddress(boost::get<string>(constGet(have,"localAddress")));
           }
+          if(have.count("axfrTimeout")) {
+            axfrTimeout = static_cast<uint16_t>(boost::get<uint32_t>(constGet(have, "axfrTimeout")));
+          }
         }
         if (localAddress != ComboAddress() && localAddress.sin4.sin_family != master.sin4.sin_family) {
           // We were passed a localAddress, check if its AF matches the master's
@@ -192,7 +196,7 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
 
       try {
           if (!checkOnly) {
-            std::thread t(RPZIXFRTracker, master, defpol, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes * 1024 * 1024, localAddress, zone);
+            std::thread t(RPZIXFRTracker, master, defpol, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes * 1024 * 1024, localAddress, zone, axfrTimeout);
             t.detach();
           }
       }
diff --git a/pdns/recursordist/docs/lua-config/rpz.rst b/pdns/recursordist/docs/lua-config/rpz.rst
index b41c2d491..630730c54 100644
--- a/pdns/recursordist/docs/lua-config/rpz.rst
+++ b/pdns/recursordist/docs/lua-config/rpz.rst
@@ -104,6 +104,14 @@ localAddress
 The source IP address to use when transferring the RPZ.
 When unset, :ref:`setting-query-local-address` and :ref:`setting-query-local-address6` are used.
 
+axfrTimeout
+^^^^^^^^^^^
+.. versionadded:: 4.1.2
+  Before 4.1.2, the timeout was fixed on 10 seconds.
+
+The timeout in seconds of the total initial AXFR transaction.
+20 by default.
+
 Policy Actions
 --------------
 
diff --git a/pdns/reczones.cc b/pdns/reczones.cc
index b4c84a95f..50e489efc 100644
--- a/pdns/reczones.cc
+++ b/pdns/reczones.cc
@@ -318,7 +318,7 @@ string reloadAuthAndForwards()
 }
 
 
-void RPZIXFRTracker(const ComboAddress& master, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, std::shared_ptr<DNSFilterEngine::Zone> zone)
+void RPZIXFRTracker(const ComboAddress& master, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, std::shared_ptr<DNSFilterEngine::Zone> zone, const uint16_t axfrTimeout)
 {
   uint32_t refresh = zone->getRefresh();
   DNSName zoneName = zone->getDomain();
@@ -326,7 +326,7 @@ void RPZIXFRTracker(const ComboAddress& master, boost::optional<DNSFilterEngine:
 
   while (!sr) {
     try {
-      sr=loadRPZFromServer(master, zoneName, zone, defpol, maxTTL, tt, maxReceivedBytes, localAddress);
+      sr = loadRPZFromServer(master, zoneName, zone, defpol, maxTTL, tt, maxReceivedBytes, localAddress, axfrTimeout);
       if(refresh) {
         sr->d_st.refresh=refresh;
       }
diff --git a/pdns/rpzloader.cc b/pdns/rpzloader.cc
index 4ed461273..b717b7534 100644
--- a/pdns/rpzloader.cc
+++ b/pdns/rpzloader.cc
@@ -174,7 +174,7 @@ void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zon
   }
 }
 
-shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress)
+shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, uint16_t axfrTimeout)
 {
   L<<Logger::Warning<<"Loading RPZ zone '"<<zoneName<<"' from "<<master.toStringWithPort()<<endl;
   if(!tt.name.empty())
@@ -189,8 +189,10 @@ shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const
   Resolver::res_t nop;
   vector<DNSRecord> chunk;
   time_t last=0;
+  time_t axfrStart = time(0);
+  time_t axfrNow = time(0);
   shared_ptr<SOARecordContent> sr;
-  while(axfr.getChunk(nop, &chunk)) {
+  while(axfr.getChunk(nop, &chunk, (axfrStart + axfrTimeout - axfrNow))) {
     for(auto& dr : chunk) {
       if(dr.d_type==QType::NS || dr.d_type==QType::TSIG) {
 	continue;
@@ -205,6 +207,10 @@ shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const
       RPZRecordToPolicy(dr, zone, true, defpol, maxTTL);
       nrecords++;
     } 
+    axfrNow = time(nullptr);
+    if (axfrNow - axfrStart > axfrTimeout) {
+      throw PDNSException("Total AXFR time exceeded!");
+    }
     if(last != time(0)) {
       L<<Logger::Info<<"Loaded & indexed "<<nrecords<<" policy records so far"<<endl;
       last=time(0);
diff --git a/pdns/rpzloader.hh b/pdns/rpzloader.hh
index ac5751e60..aec9fd23a 100644
--- a/pdns/rpzloader.hh
+++ b/pdns/rpzloader.hh
@@ -27,6 +27,6 @@
 extern bool g_logRPZChanges;
 
 void loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
-std::shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress);
+std::shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, const uint16_t axfrTimeout);
 void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
-void RPZIXFRTracker(const ComboAddress& master, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t polZone, const TSIGTriplet &tt, size_t maxReceivedBytes, const ComboAddress& localAddress, std::shared_ptr<DNSFilterEngine::Zone> zone);
+void RPZIXFRTracker(const ComboAddress& master, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t polZone, const TSIGTriplet &tt, size_t maxReceivedBytes, const ComboAddress& localAddress, std::shared_ptr<DNSFilterEngine::Zone> zone, uint16_t axfrTimeout);