commit 00f12c3365fbb1f8a185a9972734c6bf225e7c0d
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue Apr 27 14:15:19 2010 +0000
Fix harden-referral-path so it does not generate lookup failures.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index fbe3748..16a607c 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -456,6 +456,8 @@ path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
extra query load that is generated. Experimental option.
+If you enable it consider adding more numbers after the target\-fetch\-policy
+to increase the max depth that is checked to.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 08354e8..19b9a26 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -695,12 +695,15 @@ static void
generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
size_t i;
struct reply_info* rep = iq->response->rep;
struct ub_packed_rrset_key* s;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* walk through additional, and check if in-zone,
* only relevant A, AAAA are left after scrub anyway */
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
@@ -746,9 +749,12 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
static void
generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
{
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
struct module_qstate* subq;
log_assert(iq->dp);
+ if(iq->depth == ie->max_dependency_depth)
+ return;
/* is this query the same as the nscheck? */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&