summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoy Li <rongqing.li@windriver.com>2015-05-04 16:43:39 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-09 22:26:42 +0100
commit05956671a250e7664593e136d1d60cc2df36e245 (patch)
tree6f8862d781328447029afb139514de0f2c49aba3
parent29c7111362add0b4c457d11eecdb9c1928806e51 (diff)
downloadpoky-05956671a250e7664593e136d1d60cc2df36e245.tar.gz
bind: upgrade to 9.10.2
1. Remove two unneeded CVE patches, 9.10.2 fixed the CVE-2015-1349 also 2. Remove bind-subdirs-run-serially.patch and cross-build-fix.patch, similar fixes are merged into 9.10.2 3. update the dont-test-on-host.patch 4. update the Copyright file checksum, since the date in it has been changed. 5. replace the hardcode lib dir with $base_libdir in bind-add-crosscripts*.patch (From OE-Core rev: 41d53f0139a9cb29679dbcaaab8311a1364c65f4) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch40
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch2
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch35
-rw-r--r--meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch990
-rw-r--r--meta/recipes-connectivity/bind/bind/cross-build-fix.patch21
-rw-r--r--meta/recipes-connectivity/bind/bind/dont-test-on-host.patch4
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.2.bb (renamed from meta/recipes-connectivity/bind/bind_9.9.5.bb)10
7 files changed, 6 insertions, 1096 deletions
diff --git a/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch
deleted file mode 100644
index 1e159bd2f8..0000000000
--- a/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch
+++ /dev/null
@@ -1,40 +0,0 @@
1bind: fix for CVE-2012-3817
2
3Upstream-Status: Backport
4
5ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2;
69.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation
7is enabled, does not properly initialize the failing-query cache, which allows
8remote attackers to cause a denial of service (assertion failure and daemon exit)
9by sending many queries.
10
11http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817
12
13This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package.
14
15Signed-off-by: Ming Liu <ming.liu@windriver.com>
16---
17 resolver.c | 5 +++--
18 1 file changed, 3 insertions(+), 2 deletions(-)
19
20--- a/lib/dns/resolver.c
21+++ b/lib/dns/resolver.c
22@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t
23 goto cleanup;
24 bad->type = type;
25 bad->hashval = hashval;
26+ bad->expire = *expire;
27 isc_buffer_init(&buffer, bad + 1, name->length);
28 dns_name_init(&bad->name, NULL);
29 dns_name_copy(name, &bad->name, &buffer);
30@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t
31 if (resolver->badcount < resolver->badhash * 2 &&
32 resolver->badhash > DNS_BADCACHE_SIZE)
33 resizehash(resolver, &now, ISC_FALSE);
34- }
35- bad->expire = *expire;
36+ } else
37+ bad->expire = *expire;
38 cleanup:
39 UNLOCK(&resolver->lock);
40 }
diff --git a/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch b/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch
index 4f1a3f8e89..d24276cf9e 100644
--- a/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch
@@ -24,7 +24,7 @@ index 3d04f4c..6032f67 100644
24 if test -f "$use_libxml2/bin/xml2-config" ; then 24 if test -f "$use_libxml2/bin/xml2-config" ; then
25 libxml2_libs=`$use_libxml2/bin/xml2-config --libs` 25 libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
26 libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags` 26 libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
27+ elif test -f "$use_libxml2/lib/pkgconfig/libxml-2.0.pc" ; then 27+ elif test -f "$use_libxml2/$base_libdir/pkgconfig/libxml-2.0.pc" ; then
28+ libxml2_libs=`pkg-config libxml-2.0 --libs` 28+ libxml2_libs=`pkg-config libxml-2.0 --libs`
29+ libxml2_cflags=`pkg-config libxml-2.0 --cflags` 29+ libxml2_cflags=`pkg-config libxml-2.0 --cflags`
30 fi 30 fi
diff --git a/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch b/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch
deleted file mode 100644
index 9db7a1786f..0000000000
--- a/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch
+++ /dev/null
@@ -1,35 +0,0 @@
1From b24468b6fe1f136bfd854773bc0e117aca0012d5 Mon Sep 17 00:00:00 2001
2From: Robert Yang <liezhi.yang@windriver.com>
3Date: Wed, 28 Jan 2015 01:23:09 -0800
4Subject: [PATCH] lib/export/isc/Makefile.in: let SUBDIRS run serially
5
6Fix parallel issue::
7make[2]: *** No rule to make target `nls/msgcat.o', needed by `libisc.a'. Stop.
8make[2]: *** Waiting for unfinished jobs....
9make[3]: Leaving directory `bind-9.9.5/lib/export/isc/unix'
10
11Upstream-Status: Pending
12
13Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
14---
15 lib/export/isc/Makefile.in | 4 ++++
16 1 file changed, 4 insertions(+)
17
18diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in
19index a92f66f..27dabcb 100644
20--- a/lib/export/isc/Makefile.in
21+++ b/lib/export/isc/Makefile.in
22@@ -103,6 +103,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
23
24 LIBS = @LIBS@
25
26+# Note: the order of SUBDIRS is important.
27+# Attempt to disable parallel processing.
28+.NOTPARALLEL:
29+.NO_PARALLEL:
30 SUBDIRS = include unix nls @ISC_THREAD_DIR@
31 TARGETS = timestamp
32
33--
341.7.9.5
35
diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
deleted file mode 100644
index 62142d2313..0000000000
--- a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
+++ /dev/null
@@ -1,990 +0,0 @@
1From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001
2From: Evan Hunt <each@isc.org>
3Date: Mon, 17 Nov 2014 23:49:07 -0800
4Subject: [PATCH] [v9_9] limit recursion depth and iterative queries
5
64006. [security] A flaw in delegation handling could be exploited
7 to put named into an infinite loop. This has
8 been addressed by placing limits on the number
9 of levels of recursion named will allow (default 7),
10 and the number of iterative queries that it will
11 send (default 50) before terminating a recursive
12 query (CVE-2014-8500).
13
14 The recursion depth limit is configured via the
15 "max-recursion-depth" option. [RT #35780]
16
17Upstream-Status: Backport
18
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 bin/named/config.c | 3 +-
22 bin/named/include/named/query.h | 2 -
23 bin/named/query.c | 7 ++-
24 bin/named/server.c | 5 ++
25 bin/tests/system/many/clean.sh | 7 +++
26 bin/tests/system/many/ns1/named.conf | 33 +++++++++++++
27 bin/tests/system/many/ns2/named.conf | 30 ++++++++++++
28 bin/tests/system/many/ns3/named.conf | 32 +++++++++++++
29 bin/tests/system/many/ns4/named.conf | 30 ++++++++++++
30 bin/tests/system/many/ns5/hints.db | 2 +
31 bin/tests/system/many/ns5/named.conf | 29 ++++++++++++
32 bin/tests/system/many/setup.sh | 75 ++++++++++++++++++++++++++++++
33 bin/tests/system/many/tests.sh | 48 +++++++++++++++++++
34 doc/arm/Bv9ARM-book.xml | 12 +++++
35 lib/dns/adb.c | 58 ++++++++++++++++-------
36 lib/dns/include/dns/adb.h | 8 ++++
37 lib/dns/include/dns/resolver.h | 25 ++++++++++
38 lib/dns/resolver.c | 90 ++++++++++++++++++++++++++++++------
39 lib/isccfg/namedconf.c | 1 +
40 20 files changed, 471 insertions(+), 37 deletions(-)
41 create mode 100644 bin/tests/system/many/clean.sh
42 create mode 100644 bin/tests/system/many/ns1/named.conf
43 create mode 100644 bin/tests/system/many/ns2/named.conf
44 create mode 100644 bin/tests/system/many/ns3/named.conf
45 create mode 100644 bin/tests/system/many/ns4/named.conf
46 create mode 100644 bin/tests/system/many/ns5/hints.db
47 create mode 100644 bin/tests/system/many/ns5/named.conf
48 create mode 100644 bin/tests/system/many/setup.sh
49 create mode 100644 bin/tests/system/many/tests.sh
50
51diff --git a/bin/named/config.c b/bin/named/config.c
52index 2782720..5ee8c4e 100644
53--- a/bin/named/config.c
54+++ b/bin/named/config.c
55@@ -15,8 +15,6 @@
56 * PERFORMANCE OF THIS SOFTWARE.
57 */
58
59-/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
60-
61 /*! \file */
62
63 #include <config.h>
64@@ -160,6 +158,7 @@ options {\n\
65 dnssec-accept-expired no;\n\
66 clients-per-query 10;\n\
67 max-clients-per-query 100;\n\
68+ max-recursion-depth 7;\n\
69 zero-no-soa-ttl-cache no;\n\
70 nsec3-test-zone no;\n\
71 allow-new-zones no;\n\
72diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
73index 3beabb8..b5e3900 100644
74--- a/bin/named/include/named/query.h
75+++ b/bin/named/include/named/query.h
76@@ -15,8 +15,6 @@
77 * PERFORMANCE OF THIS SOFTWARE.
78 */
79
80-/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
81-
82 #ifndef NAMED_QUERY_H
83 #define NAMED_QUERY_H 1
84
85diff --git a/bin/named/query.c b/bin/named/query.c
86index 982f76d..47bfc6a 100644
87--- a/bin/named/query.c
88+++ b/bin/named/query.c
89@@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
90 peeraddr = &client->peeraddr;
91 else
92 peeraddr = NULL;
93- result = dns_resolver_createfetch2(client->view->resolver,
94+ result = dns_resolver_createfetch3(client->view->resolver,
95 qname, qtype, qdomain, nameservers,
96 NULL, peeraddr, client->message->id,
97- client->query.fetchoptions,
98- client->task,
99- query_resume, client,
100+ client->query.fetchoptions, 0,
101+ client->task, query_resume, client,
102 rdataset, sigrdataset,
103 &client->query.fetch);
104
105diff --git a/bin/named/server.c b/bin/named/server.c
106index ac015a4..0559977 100644
107--- a/bin/named/server.c
108+++ b/bin/named/server.c
109@@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
110 cfg_obj_asuint32(obj),
111 max_clients_per_query);
112
113+ obj = NULL;
114+ result = ns_config_get(maps, "max-recursion-depth", &obj);
115+ INSIST(result == ISC_R_SUCCESS);
116+ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
117+
118 #ifdef ALLOW_FILTER_AAAA_ON_V4
119 obj = NULL;
120 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
121diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh
122new file mode 100644
123index 0000000..119b1f5
124--- /dev/null
125+++ b/bin/tests/system/many/clean.sh
126@@ -0,0 +1,7 @@
127+rm -f ns1/[1-9]*example.tld?.db
128+rm -f ns2/[1-9]*example.tld?.db
129+rm -f ns1/zones.conf
130+rm -f ns2/zones.conf
131+rm -f */root.db
132+rm -f ns3/tld1.db
133+rm -f ns4/tld2.db
134diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf
135new file mode 100644
136index 0000000..abc9dca
137--- /dev/null
138+++ b/bin/tests/system/many/ns1/named.conf
139@@ -0,0 +1,33 @@
140+/*
141+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
142+ *
143+ * Permission to use, copy, modify, and/or distribute this software for any
144+ * purpose with or without fee is hereby granted, provided that the above
145+ * copyright notice and this permission notice appear in all copies.
146+ *
147+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
148+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
149+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
150+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
151+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
152+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
153+ * PERFORMANCE OF THIS SOFTWARE.
154+ */
155+
156+controls { /* empty */ };
157+
158+options {
159+ query-source address 10.53.0.1;
160+ notify-source 10.53.0.1;
161+ transfer-source 10.53.0.1;
162+ port 5300;
163+ pid-file "named.pid";
164+ listen-on { 10.53.0.1; };
165+ listen-on-v6 { none; };
166+ recursion no;
167+};
168+
169+include "zones.conf";
170+
171+// zone "tld1" { type master; file "tld1.db"; };
172+// zone "tld2" { type master; file "tld2.db"; };
173diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf
174new file mode 100644
175index 0000000..16266e2
176--- /dev/null
177+++ b/bin/tests/system/many/ns2/named.conf
178@@ -0,0 +1,30 @@
179+/*
180+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
181+ *
182+ * Permission to use, copy, modify, and/or distribute this software for any
183+ * purpose with or without fee is hereby granted, provided that the above
184+ * copyright notice and this permission notice appear in all copies.
185+ *
186+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
187+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
188+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
189+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
190+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
191+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
192+ * PERFORMANCE OF THIS SOFTWARE.
193+ */
194+
195+controls { /* empty */ };
196+
197+options {
198+ query-source address 10.53.0.2;
199+ notify-source 10.53.0.2;
200+ transfer-source 10.53.0.2;
201+ port 5300;
202+ pid-file "named.pid";
203+ listen-on { 10.53.0.2; };
204+ listen-on-v6 { none; };
205+ recursion no;
206+};
207+
208+include "zones.conf";
209diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf
210new file mode 100644
211index 0000000..b950afe
212--- /dev/null
213+++ b/bin/tests/system/many/ns3/named.conf
214@@ -0,0 +1,32 @@
215+/*
216+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
217+ *
218+ * Permission to use, copy, modify, and/or distribute this software for any
219+ * purpose with or without fee is hereby granted, provided that the above
220+ * copyright notice and this permission notice appear in all copies.
221+ *
222+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
223+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
224+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
225+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
226+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
227+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
228+ * PERFORMANCE OF THIS SOFTWARE.
229+ */
230+
231+controls { /* empty */ };
232+
233+options {
234+ query-source address 10.53.0.3;
235+ notify-source 10.53.0.3;
236+ transfer-source 10.53.0.3;
237+ port 5300;
238+ pid-file "named.pid";
239+ listen-on { 10.53.0.3; };
240+ listen-on-v6 { none; };
241+ recursion no;
242+};
243+
244+zone "." { type master; file "root.db"; };
245+
246+zone "tld1" { type master; file "tld1.db"; };
247diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf
248new file mode 100644
249index 0000000..ca9aa6a
250--- /dev/null
251+++ b/bin/tests/system/many/ns4/named.conf
252@@ -0,0 +1,30 @@
253+/*
254+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
255+ *
256+ * Permission to use, copy, modify, and/or distribute this software for any
257+ * purpose with or without fee is hereby granted, provided that the above
258+ * copyright notice and this permission notice appear in all copies.
259+ *
260+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
261+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
262+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
263+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
264+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
265+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
266+ * PERFORMANCE OF THIS SOFTWARE.
267+ */
268+
269+controls { /* empty */ };
270+
271+options {
272+ query-source address 10.53.0.4;
273+ notify-source 10.53.0.4;
274+ transfer-source 10.53.0.4;
275+ port 5300;
276+ pid-file "named.pid";
277+ listen-on { 10.53.0.4; };
278+ listen-on-v6 { none; };
279+ recursion no;
280+};
281+
282+zone "tld2" { type master; file "tld2.db"; };
283diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db
284new file mode 100644
285index 0000000..c05809b
286--- /dev/null
287+++ b/bin/tests/system/many/ns5/hints.db
288@@ -0,0 +1,2 @@
289+. 60 in ns ns.nil.
290+ns.nil. 60 in A 10.53.0.3
291diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf
292new file mode 100644
293index 0000000..fce7d59
294--- /dev/null
295+++ b/bin/tests/system/many/ns5/named.conf
296@@ -0,0 +1,29 @@
297+/*
298+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
299+ *
300+ * Permission to use, copy, modify, and/or distribute this software for any
301+ * purpose with or without fee is hereby granted, provided that the above
302+ * copyright notice and this permission notice appear in all copies.
303+ *
304+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
305+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
306+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
307+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
308+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
309+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
310+ * PERFORMANCE OF THIS SOFTWARE.
311+ */
312+
313+controls { /* empty */ };
314+
315+options {
316+ query-source address 10.53.0.5;
317+ notify-source 10.53.0.5;
318+ transfer-source 10.53.0.5;
319+ port 5300;
320+ pid-file "named.pid";
321+ listen-on { 10.53.0.5; };
322+ listen-on-v6 { none; };
323+};
324+
325+zone "." { type hint; file "hints.db"; };
326diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh
327new file mode 100644
328index 0000000..80695b5
329--- /dev/null
330+++ b/bin/tests/system/many/setup.sh
331@@ -0,0 +1,75 @@
332+i=1
333+
334+cat > ns3/root.db << EOF
335+. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0
336+. 60 in ns ns.nil.
337+ns.nil. 60 in a 10.53.0.3
338+tld1. 60 in ns ns.tld1.
339+ns.tld1. 60 in a 10.53.0.3
340+tld2. 60 in ns ns.tld2.
341+ns.tld2. 60 in a 10.53.0.4
342+EOF
343+
344+cat > ns3/tld1.db << EOF
345+tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0
346+tld1. 60 in ns ns.tld1.
347+ns.tld1. 60 in a 10.53.0.1
348+EOF
349+
350+cat > ns4/tld2.db << EOF
351+tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0
352+tld2. 60 in ns ns.tld2.
353+ns.tld2. 60 in a 10.53.0.1
354+EOF
355+
356+: > ns1/zones.conf
357+: > ns2/zones.conf
358+
359+while [ $i -lt 1000 ]
360+do
361+j=`expr $i + 1`
362+s=`expr $j % 2 + 1`
363+n=`expr $i % 2 + 1`
364+t=`expr $s + 2`
365+
366+# i=1 j=2 s=1 n=2
367+# i=2 j=3 s=1 n=2
368+# i=3 j=4 s=1 n=2
369+
370+cat > ns1/${i}example.tld${s}.db << EOF
371+${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0
372+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
373+ns.${i}example.tld${s}. 60 in a 10.53.0.1
374+EOF
375+
376+cat >> ns1/zones.conf << EOF
377+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
378+EOF
379+
380+cat >> ns${t}/tld${s}.db << EOF
381+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
382+EOF
383+
384+i=$j
385+
386+done
387+
388+j=`expr $i + 1`
389+s=`expr $j % 2 + 1`
390+n=`expr $s % 2 + 1`
391+t=`expr $s + 2`
392+
393+cat > ns1/${i}example.tld${s}.db << EOF
394+${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0
395+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
396+ns.${i}example.tld${s}. 60 in a 10.53.0.1
397+EOF
398+
399+cat >> ns1/zones.conf << EOF
400+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
401+EOF
402+
403+cat >> ns${t}/tld${s}.db << EOF
404+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
405+ns.${i}example.tld${s}. 60 in a 10.53.0.1
406+EOF
407diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh
408new file mode 100644
409index 0000000..37964e2
410--- /dev/null
411+++ b/bin/tests/system/many/tests.sh
412@@ -0,0 +1,48 @@
413+#!/bin/sh
414+#
415+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
416+#
417+# Permission to use, copy, modify, and/or distribute this software for any
418+# purpose with or without fee is hereby granted, provided that the above
419+# copyright notice and this permission notice appear in all copies.
420+#
421+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
422+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
423+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
424+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
425+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
426+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
427+# PERFORMANCE OF THIS SOFTWARE.
428+
429+SYSTEMTESTTOP=..
430+. $SYSTEMTESTTOP/conf.sh
431+
432+status=0
433+n=0
434+
435+n=`expr $n + 1`
436+echo "I: attempt lookup 1example.tld2 soa ($n)"
437+ret=0
438+$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n
439+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
440+if [ $ret != 0 ]; then echo "I:failed"; fi
441+status=`expr $status + $ret`
442+
443+n=`expr $n + 1`
444+echo "I: attempt lookup 992example.tld2 soa ($n)"
445+ret=0
446+$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 > dig.out.test$n
447+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
448+if [ $ret != 0 ]; then echo "I:failed"; fi
449+status=`expr $status + $ret`
450+
451+n=`expr $n + 1`
452+echo "I: attempt lookup 993example.tld1 soa ($n)"
453+ret=0
454+$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n
455+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
456+if [ $ret != 0 ]; then echo "I:failed"; fi
457+status=`expr $status + $ret`
458+
459+echo "I:exit status: $status"
460+exit $status
461diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
462index 9f7bd38..fff4249 100644
463--- a/doc/arm/Bv9ARM-book.xml
464+++ b/doc/arm/Bv9ARM-book.xml
465@@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
466 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
467 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
468 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
469+ <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
470 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
471 <optional> empty-server <replaceable>name</replaceable> ; </optional>
472 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
473@@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
474 </listitem>
475 </varlistentry>
476
477+ <varlistentry id="max-recursion-depth">
478+ <term><command>max-recursion-depth</command></term>
479+ <listitem>
480+ <para>
481+ Sets the maximum number of levels of recursion
482+ permitted at any one time while resolving a name.
483+ The default is 7.
484+ </para>
485+ </listitem>
486+ </varlistentry>
487+
488 <varlistentry>
489 <term><command>notify-delay</command></term>
490 <listitem>
491diff --git a/lib/dns/adb.c b/lib/dns/adb.c
492index 2ccb51e..fe9b3f7 100644
493--- a/lib/dns/adb.c
494+++ b/lib/dns/adb.c
495@@ -199,6 +199,7 @@ struct dns_adbfetch {
496 unsigned int magic;
497 dns_fetch_t *fetch;
498 dns_rdataset_t rdataset;
499+ unsigned int depth;
500 };
501
502 /*%
503@@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
504 static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
505 static void clean_target(dns_adb_t *, dns_name_t *);
506 static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
507- unsigned int);
508+ isc_uint32_t, unsigned int);
509 static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
510 static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
511 isc_stdtime_t);
512@@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *);
513 static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
514 dns_rdatatype_t);
515 static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
516- dns_rdatatype_t);
517+ unsigned int, dns_rdatatype_t);
518 static inline void check_exit(dns_adb_t *);
519 static void destroy(dns_adb_t *);
520 static isc_boolean_t shutdown_names(dns_adb_t *);
521@@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
522 * Clean up the name's various lists. These two are destructive
523 * in that they will always empty the list.
524 */
525- clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
526+ clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK);
527 result4 = clean_namehooks(adb, &name->v4);
528 result6 = clean_namehooks(adb, &name->v6);
529 clean_target(adb, &name->target);
530@@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) {
531 */
532 static void
533 clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
534- unsigned int addrs)
535+ isc_uint32_t qtotal, unsigned int addrs)
536 {
537 isc_event_t *ev;
538 isc_task_t *task;
539@@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
540 ev->ev_sender = find;
541 find->result_v4 = find_err_map[name->fetch_err];
542 find->result_v6 = find_err_map[name->fetch6_err];
543+ find->qtotal += qtotal;
544 ev->ev_type = evtype;
545 ev->ev_destroy = event_free;
546 ev->ev_destroy_arg = find;
547@@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) {
548 h->flags = 0;
549 h->result_v4 = ISC_R_UNEXPECTED;
550 h->result_v6 = ISC_R_UNEXPECTED;
551+ h->qtotal = 0;
552 ISC_LINK_INIT(h, publink);
553 ISC_LINK_INIT(h, plink);
554 ISC_LIST_INIT(h->list);
555@@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
556 isc_stdtime_t now, dns_name_t *target,
557 in_port_t port, dns_adbfind_t **findp)
558 {
559+ return (dns_adb_createfind2(adb, task, action, arg, name,
560+ qname, qtype, options, now,
561+ target, port, 0, findp));
562+}
563+
564+isc_result_t
565+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
566+ void *arg, dns_name_t *name, dns_name_t *qname,
567+ dns_rdatatype_t qtype, unsigned int options,
568+ isc_stdtime_t now, dns_name_t *target,
569+ in_port_t port, unsigned int depth,
570+ dns_adbfind_t **findp)
571+{
572 dns_adbfind_t *find;
573 dns_adbname_t *adbname;
574 int bucket;
575@@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
576 * Start V4.
577 */
578 if (WANT_INET(wanted_fetches) &&
579- fetch_name(adbname, start_at_zone,
580+ fetch_name(adbname, start_at_zone, depth,
581 dns_rdatatype_a) == ISC_R_SUCCESS) {
582 DP(DEF_LEVEL,
583 "dns_adb_createfind: started A fetch for name %p",
584@@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
585 * Start V6.
586 */
587 if (WANT_INET6(wanted_fetches) &&
588- fetch_name(adbname, start_at_zone,
589+ fetch_name(adbname, start_at_zone, depth,
590 dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
591 DP(DEF_LEVEL,
592 "dns_adb_createfind: "
593@@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
594 isc_result_t result;
595 unsigned int address_type;
596 isc_boolean_t want_check_exit = ISC_FALSE;
597+ isc_uint32_t qtotal = 0;
598
599 UNUSED(task);
600
601@@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
602 adb = name->adb;
603 INSIST(DNS_ADB_VALID(adb));
604
605+ qtotal = dev->qtotal;
606+
607 bucket = name->lock_bucket;
608 LOCK(&adb->namelocks[bucket]);
609
610@@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
611 DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
612 buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
613 dns_result_totext(dev->result));
614+ /*
615+ * Don't record a failure unless this is the initial
616+ * fetch of a chain.
617+ */
618+ if (fetch->depth > 1)
619+ goto out;
620 /* XXXMLG Don't pound on bad servers. */
621 if (address_type == DNS_ADBFIND_INET) {
622 name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
623@@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
624 free_adbfetch(adb, &fetch);
625 isc_event_free(&ev);
626
627- clean_finds_at_name(name, ev_status, address_type);
628+ clean_finds_at_name(name, ev_status, qtotal, address_type);
629
630 UNLOCK(&adb->namelocks[bucket]);
631 }
632
633 static isc_result_t
634-fetch_name(dns_adbname_t *adbname,
635- isc_boolean_t start_at_zone,
636- dns_rdatatype_t type)
637+fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone,
638+ unsigned int depth, dns_rdatatype_t type)
639 {
640 isc_result_t result;
641 dns_adbfetch_t *fetch = NULL;
642@@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname,
643 result = ISC_R_NOMEMORY;
644 goto cleanup;
645 }
646-
647- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
648- type, name, nameservers, NULL,
649- options, adb->task, fetch_callback,
650- adbname, &fetch->rdataset, NULL,
651- &fetch->fetch);
652+ fetch->depth = depth;
653+
654+ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
655+ type, name, nameservers, NULL,
656+ NULL, 0, options, depth, adb->task,
657+ fetch_callback, adbname,
658+ &fetch->rdataset, NULL,
659+ &fetch->fetch);
660 if (result != ISC_R_SUCCESS)
661 goto cleanup;
662
663diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
664index 35350ff..7501f01 100644
665--- a/lib/dns/include/dns/adb.h
666+++ b/lib/dns/include/dns/adb.h
667@@ -118,6 +118,8 @@ struct dns_adbfind {
668 isc_result_t result_v6; /*%< RO: v6 result */
669 ISC_LINK(dns_adbfind_t) publink; /*%< RW: client use */
670
671+ isc_uint32_t qtotal;
672+
673 /* Private */
674 isc_mutex_t lock; /* locks all below */
675 in_port_t port;
676@@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
677 dns_rdatatype_t qtype, unsigned int options,
678 isc_stdtime_t now, dns_name_t *target,
679 in_port_t port, dns_adbfind_t **find);
680+isc_result_t
681+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
682+ void *arg, dns_name_t *name, dns_name_t *qname,
683+ dns_rdatatype_t qtype, unsigned int options,
684+ isc_stdtime_t now, dns_name_t *target, in_port_t port,
685+ unsigned int depth, dns_adbfind_t **find);
686 /*%<
687 * Main interface for clients. The adb will look up the name given in
688 * "name" and will build up a list of found addresses, and perhaps start
689diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
690index 4e20eb6..c256049 100644
691--- a/lib/dns/include/dns/resolver.h
692+++ b/lib/dns/include/dns/resolver.h
693@@ -82,6 +82,7 @@ typedef struct dns_fetchevent {
694 isc_sockaddr_t * client;
695 dns_messageid_t id;
696 isc_result_t vresult;
697+ isc_uint32_t qtotal;
698 } dns_fetchevent_t;
699
700 /*
701@@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
702 dns_rdataset_t *rdataset,
703 dns_rdataset_t *sigrdataset,
704 dns_fetch_t **fetchp);
705+isc_result_t
706+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
707+ dns_rdatatype_t type,
708+ dns_name_t *domain, dns_rdataset_t *nameservers,
709+ dns_forwarders_t *forwarders,
710+ isc_sockaddr_t *client, isc_uint16_t id,
711+ unsigned int options, unsigned int depth,
712+ isc_task_t *task,
713+ isc_taskaction_t action, void *arg,
714+ dns_rdataset_t *rdataset,
715+ dns_rdataset_t *sigrdataset,
716+ dns_fetch_t **fetchp);
717 /*%<
718 * Recurse to answer a question.
719 *
720@@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
721 * \li resolver to be valid.
722 */
723
724+void
725+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
726+unsigned int
727+dns_resolver_getmaxdepth(dns_resolver_t *resolver);
728+/*%
729+ * Get and set how many NS indirections will be followed when looking for
730+ * nameserver addresses.
731+ *
732+ * Requires:
733+ * \li resolver to be valid.
734+ */
735+
736 ISC_LANG_ENDDECLS
737
738 #endif /* DNS_RESOLVER_H */
739diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
740index e517dad..6a635b2 100644
741--- a/lib/dns/resolver.c
742+++ b/lib/dns/resolver.c
743@@ -131,6 +131,16 @@
744 #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
745 #endif
746
747+/* The default maximum number of recursions to follow before giving up. */
748+#ifndef DEFAULT_RECURSION_DEPTH
749+#define DEFAULT_RECURSION_DEPTH 7
750+#endif
751+
752+/* The default maximum number of iterative queries to allow before giving up. */
753+#ifndef DEFAULT_MAX_QUERIES
754+#define DEFAULT_MAX_QUERIES 50
755+#endif
756+
757 /*%
758 * Maximum EDNS0 input packet size.
759 */
760@@ -297,6 +307,7 @@ struct fetchctx {
761 isc_uint64_t duration;
762 isc_boolean_t logged;
763 unsigned int querysent;
764+ unsigned int totalqueries;
765 unsigned int referrals;
766 unsigned int lamecount;
767 unsigned int neterr;
768@@ -307,6 +318,7 @@ struct fetchctx {
769 isc_boolean_t timeout;
770 dns_adbaddrinfo_t *addrinfo;
771 isc_sockaddr_t *client;
772+ unsigned int depth;
773 };
774
775 #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
776@@ -419,6 +431,7 @@ struct dns_resolver {
777 isc_timer_t * spillattimer;
778 isc_boolean_t zero_no_soa_ttl;
779 unsigned int query_timeout;
780+ unsigned int maxdepth;
781
782 /* Locked by lock. */
783 unsigned int references;
784@@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
785 event->result == DNS_R_NCACHENXRRSET);
786 }
787
788+ event->qtotal = fctx->totalqueries;
789 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
790 count++;
791 }
792@@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
793 if (result != ISC_R_SUCCESS)
794 goto cleanup_dispatch;
795 }
796+
797 fctx->querysent++;
798+ fctx->totalqueries++;
799
800 ISC_LIST_APPEND(fctx->queries, query, link);
801 query->fctx->nqueries++;
802@@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
803 */
804 INSIST(!SHUTTINGDOWN(fctx));
805 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
806- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
807+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
808 want_try = ISC_TRUE;
809- else {
810+ fctx->totalqueries += find->qtotal;
811+ } else {
812 fctx->findfail++;
813 if (fctx->pending == 0) {
814 /*
815@@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
816 * See what we know about this address.
817 */
818 find = NULL;
819- result = dns_adb_createfind(fctx->adb,
820- res->buckets[fctx->bucketnum].task,
821- fctx_finddone, fctx, name,
822- &fctx->name, fctx->type,
823- options, now, NULL,
824- res->view->dstport, &find);
825+ result = dns_adb_createfind2(fctx->adb,
826+ res->buckets[fctx->bucketnum].task,
827+ fctx_finddone, fctx, name,
828+ &fctx->name, fctx->type,
829+ options, now, NULL,
830+ res->view->dstport,
831+ fctx->depth + 1, &find);
832 if (result != ISC_R_SUCCESS) {
833 if (result == DNS_R_ALIAS) {
834 /*
835@@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
836
837 res = fctx->res;
838
839+ if (fctx->depth > res->maxdepth) {
840+ FCTXTRACE("too much NS indirection");
841+ return (DNS_R_SERVFAIL);
842+ }
843+
844 /*
845 * Forwarders.
846 */
847@@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
848
849 REQUIRE(!ADDRWAIT(fctx));
850
851+ if (fctx->totalqueries > DEFAULT_MAX_QUERIES)
852+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
853+
854 addrinfo = fctx_nextaddress(fctx);
855 if (addrinfo == NULL) {
856 /*
857@@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
858 * Normal fctx startup.
859 */
860 fctx->state = fetchstate_active;
861+ fctx->totalqueries = 0;
862 /*
863 * Reset the control event for later use in shutting down
864 * the fctx.
865@@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
866 event->fetch = fetch;
867 event->client = client;
868 event->id = id;
869+ event->qtotal = 0;
870 dns_fixedname_init(&event->foundname);
871
872 /*
873@@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) {
874 static isc_result_t
875 fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
876 dns_name_t *domain, dns_rdataset_t *nameservers,
877- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
878+ unsigned int options, unsigned int bucketnum, unsigned int depth,
879+ fetchctx_t **fctxp)
880 {
881 fetchctx_t *fctx;
882 isc_result_t result;
883@@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
884 fctx->state = fetchstate_init;
885 fctx->want_shutdown = ISC_FALSE;
886 fctx->cloned = ISC_FALSE;
887+ fctx->depth = depth;
888 ISC_LIST_INIT(fctx->queries);
889 ISC_LIST_INIT(fctx->finds);
890 ISC_LIST_INIT(fctx->altfinds);
891@@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
892 fctx->pending = 0;
893 fctx->restarts = 0;
894 fctx->querysent = 0;
895+ fctx->totalqueries = 0;
896 fctx->referrals = 0;
897 TIME_NOW(&fctx->start);
898 fctx->timeouts = 0;
899@@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view,
900 res->spillattimer = NULL;
901 res->zero_no_soa_ttl = ISC_FALSE;
902 res->query_timeout = DEFAULT_QUERY_TIMEOUT;
903+ res->maxdepth = DEFAULT_RECURSION_DEPTH;
904 res->nbuckets = ntasks;
905 res->activebuckets = ntasks;
906 res->buckets = isc_mem_get(view->mctx,
907@@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
908 dns_rdataset_t *sigrdataset,
909 dns_fetch_t **fetchp)
910 {
911- return (dns_resolver_createfetch2(res, name, type, domain,
912+ return (dns_resolver_createfetch3(res, name, type, domain,
913 nameservers, forwarders, NULL, 0,
914- options, task, action, arg,
915+ options, 0, task, action, arg,
916 rdataset, sigrdataset, fetchp));
917 }
918
919@@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
920 dns_rdataset_t *sigrdataset,
921 dns_fetch_t **fetchp)
922 {
923+ return (dns_resolver_createfetch3(res, name, type, domain,
924+ nameservers, forwarders, client, id,
925+ options, 0, task, action, arg,
926+ rdataset, sigrdataset, fetchp));
927+}
928+
929+isc_result_t
930+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
931+ dns_rdatatype_t type,
932+ dns_name_t *domain, dns_rdataset_t *nameservers,
933+ dns_forwarders_t *forwarders,
934+ isc_sockaddr_t *client, dns_messageid_t id,
935+ unsigned int options, unsigned int depth,
936+ isc_task_t *task,
937+ isc_taskaction_t action, void *arg,
938+ dns_rdataset_t *rdataset,
939+ dns_rdataset_t *sigrdataset,
940+ dns_fetch_t **fetchp)
941+{
942 dns_fetch_t *fetch;
943 fetchctx_t *fctx = NULL;
944 isc_result_t result = ISC_R_SUCCESS;
945@@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
946
947 if (fctx == NULL) {
948 result = fctx_create(res, name, type, domain, nameservers,
949- options, bucketnum, &fctx);
950+ options, bucketnum, depth, &fctx);
951 if (result != ISC_R_SUCCESS)
952 goto unlock;
953 new_fctx = ISC_TRUE;
954- }
955+ } else if (fctx->depth > depth)
956+ fctx->depth = depth;
957
958 result = fctx_join(fctx, task, client, id, action, arg,
959 rdataset, sigrdataset, fetch);
960@@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
961
962 resolver->query_timeout = seconds;
963 }
964+
965+void
966+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
967+ REQUIRE(VALID_RESOLVER(resolver));
968+ resolver->maxdepth = maxdepth;
969+}
970+
971+unsigned int
972+dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
973+ REQUIRE(VALID_RESOLVER(resolver));
974+ return (resolver->maxdepth);
975+}
976diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
977index bfd4bab..5f8b037 100644
978--- a/lib/isccfg/namedconf.c
979+++ b/lib/isccfg/namedconf.c
980@@ -1393,6 +1393,7 @@ view_clauses[] = {
981 { "max-cache-ttl", &cfg_type_uint32, 0 },
982 { "max-clients-per-query", &cfg_type_uint32, 0 },
983 { "max-ncache-ttl", &cfg_type_uint32, 0 },
984+ { "max-recursion-depth", &cfg_type_uint32, 0 },
985 { "max-udp-size", &cfg_type_uint32, 0 },
986 { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
987 { "minimal-responses", &cfg_type_boolean, 0 },
988--
9891.9.1
990
diff --git a/meta/recipes-connectivity/bind/bind/cross-build-fix.patch b/meta/recipes-connectivity/bind/bind/cross-build-fix.patch
deleted file mode 100644
index 4c37b6b00c..0000000000
--- a/meta/recipes-connectivity/bind/bind/cross-build-fix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
1Upstream-Status: Inappropriate [configuration]
2
311/30/2010
4gen.c should be build by ${BUILD_CC}
5
6Signed-off-by: Qing He <qing.he@intel.com>
7
8diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
9index aeadf57..d3fae74 100644
10--- a/lib/export/dns/Makefile.in
11+++ b/lib/export/dns/Makefile.in
12@@ -166,7 +166,8 @@ code.h: gen
13 ./gen -s ${srcdir} > code.h
14
15 gen: ${srcdir}/gen.c
16- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
17+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
18+ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
19
20 #We don't need rbtdb64 for this library
21 #rbtdb64.@O@: rbtdb.c
diff --git a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
index 288e58bb60..6989d6d4b0 100644
--- a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
+++ b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
@@ -10,8 +10,8 @@ Index: bind-9.9.5/bin/Makefile.in
10 VPATH = @srcdir@ 10 VPATH = @srcdir@
11 top_srcdir = @top_srcdir@ 11 top_srcdir = @top_srcdir@
12 12
13-SUBDIRS = named rndc dig dnssec tools tests nsupdate \ 13-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \
14+SUBDIRS = named rndc dig dnssec tools nsupdate \ 14+SUBDIRS = named rndc dig delv dnssec tools nsupdate \
15 check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ 15 check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
16 TARGETS = 16 TARGETS =
17 17
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.10.2.bb
index e34cdedde7..21be397a9a 100644
--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2.bb
@@ -3,13 +3,12 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
3SECTION = "console/network" 3SECTION = "console/network"
4 4
5LICENSE = "ISC & BSD" 5LICENSE = "ISC & BSD"
6LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=a3df5f651469919a0e6cb42f84fb6ff1" 6LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
7 7
8DEPENDS = "openssl libcap" 8DEPENDS = "openssl libcap"
9 9
10SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ 10SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
11 file://conf.patch \ 11 file://conf.patch \
12 file://cross-build-fix.patch \
13 file://make-etc-initd-bind-stop-work.patch \ 12 file://make-etc-initd-bind-stop-work.patch \
14 file://mips1-not-support-opcode.diff \ 13 file://mips1-not-support-opcode.diff \
15 file://dont-test-on-host.patch \ 14 file://dont-test-on-host.patch \
@@ -17,14 +16,12 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
17 file://named.service \ 16 file://named.service \
18 file://bind9 \ 17 file://bind9 \
19 file://init.d-add-support-for-read-only-rootfs.patch \ 18 file://init.d-add-support-for-read-only-rootfs.patch \
20 file://bind9_9_5-CVE-2014-8500.patch \
21 file://bind-add-crosscripts-search-path-for-xml2-config.patch \ 19 file://bind-add-crosscripts-search-path-for-xml2-config.patch \
22 file://bind-subdirs-run-serially.patch \
23 file://bind-confgen-build-unix.o-once.patch \ 20 file://bind-confgen-build-unix.o-once.patch \
24 " 21 "
25 22
26SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" 23SRC_URI[md5sum] = "dca7a9967947bffa98547fca6130fc04"
27SRC_URI[sha256sum] = "d4b64c1dde442145a316679acff2df4008aa117ae52dfa3a6bc69efecc7840d1" 24SRC_URI[sha256sum] = "6f9bb7908aa45c1edfa391e356fc0afc1ded175386cdefb6cf9e1289f7457a98"
28 25
29# --enable-exportlib is necessary for building dhcp 26# --enable-exportlib is necessary for building dhcp
30ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" 27ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
@@ -33,7 +30,6 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \
33 --with-gssapi=no --with-ecdsa=yes \ 30 --with-gssapi=no --with-ecdsa=yes \
34 --sysconfdir=${sysconfdir}/bind \ 31 --sysconfdir=${sysconfdir}/bind \
35 --with-openssl=${STAGING_LIBDIR}/.. \ 32 --with-openssl=${STAGING_LIBDIR}/.. \
36 --enable-exportlib --with-export-includedir=${includedir} --with-export-libdir=${libdir} \
37 " 33 "
38inherit autotools-brokensep update-rc.d systemd useradd pkgconfig 34inherit autotools-brokensep update-rc.d systemd useradd pkgconfig
39 35