Commit 8fe18c05 authored by Ondřej Surý, committed by Michał Kępień

Disable lame-ttl cache

The lame-ttl cache is implemented in ADB as a per-server locked
linked list "indexed" with <qname,qtype>.  This list has to be walked
every time there's a new query or a new record added into the lame cache.
A determined attacker can use this to degrade performance of the resolver.

Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
parent 5f07ee0d
...@@ -160,7 +160,7 @@ options {\n\ ...@@ -160,7 +160,7 @@ options {\n\
fetches-per-server 0;\n\ fetches-per-server 0;\n\
fetches-per-zone 0;\n\ fetches-per-zone 0;\n\
glue-cache yes;\n\ glue-cache yes;\n\
lame-ttl 600;\n" lame-ttl 0;\n"
#ifdef HAVE_LMDB #ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n" " lmdb-mapsize 32M;\n"
#endif /* ifdef HAVE_LMDB */ #endif /* ifdef HAVE_LMDB */
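Review bot: the new built-in default `lame-ttl 0;` carries no comment tying it to the forced override in configure_view(), which warns whenever the value is above 0. If a later change restores a non-zero default here, every start-up with an otherwise default configuration would log that warning. A short C comment next to this string literal, saying the default must stay 0 while the lame cache is disabled, would keep the two places in step.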
......
...@@ -4759,8 +4759,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, ...@@ -4759,8 +4759,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
result = named_config_get(maps, "lame-ttl", &obj); result = named_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS); INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asduration(obj); lame_ttl = cfg_obj_asduration(obj);
if (lame_ttl > 1800) { if (lame_ttl > 0) {
lame_ttl = 1800; cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"disabling lame cache despite lame-ttl > 0 as it "
"may cause performance issues");
lame_ttl = 0;
} }
dns_resolver_setlamettl(view->resolver, lame_ttl); dns_resolver_setlamettl(view->resolver, lame_ttl);
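Review bot: the warning text in the cfg_obj_log() call is ambiguous, because in "disabling lame cache despite lame-ttl > 0 as it may cause performance issues" the word "it" can be read as the disabling rather than the cache. Wording that says the configured value is ignored and why would be clearer, for example "lame-ttl is ignored: the lame cache is disabled because it may cause performance issues". Since the check sits in configure_view(), a non-zero lame-ttl inherited from the options block will presumably be reported once per view; consider whether that repetition is wanted.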
......
...@@ -3350,9 +3350,9 @@ Tuning ...@@ -3350,9 +3350,9 @@ Tuning
^^^^^^ ^^^^^^
``lame-ttl`` ``lame-ttl``
This sets the number of seconds to cache a lame server indication. 0 This is always set to 0. More information is available in the
disables caching. (This is **NOT** recommended.) The default is `security advisory for CVE-2021-25219
``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes). <https://kb.isc.org/docs/cve-2021-25219>`_.
``servfail-ttl`` ``servfail-ttl``
This sets the number of seconds to cache a SERVFAIL response due to DNSSEC This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
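Review bot: the replacement text for ``lame-ttl``, "This is always set to 0.", no longer says what the option controls or what happens to a non-zero value in an existing configuration. Suggest keeping one sentence on what the option is (the number of seconds to cache a lame server indication) and stating that any value above 0 is overridden to 0 with a logged warning, so that an operator who sees the warning can find it explained here as well as in the linked advisory.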
......