Mark Andrews <marka@isc.org> writes:
The [func] below are bug fixes / security fixes.
Umh, using a very relaxed definition maybe... I was very happy to see this feature added in 9.9.8, and I can certainly agree that it is security related. But I hardly think it is suitable for the strict "no new features" policy that many stable distros enforce:
+3938. [func] Added quotas to be used in recursive resolvers + that are under high query load for names in zones + whose authoritative servers are nonresponsive or + are experiencing a denial of service attack. + + - "fetches-per-server" limits the number of + simultaneous queries that can be sent to any + single authoritative server. The configured + value is a starting point; it is automatically + adjusted downward if the server is partially or + completely non-responsive. The algorithm used to + adjust the quota can be configured via the + "fetch-quota-params" option. + - "fetches-per-zone" limits the number of + simultaneous queries that can be sent for names + within a single domain. (Note: Unlike + "fetches-per-server", this value is not + self-tuning.) + - New stats counters have been added to count + queries spilled due to these quotas. + + These options are not available by default; + use "configure --enable-fetchlimit" (or + --enable-developer) to include them in the build. + + See the ARM for details of these options. [RT #37125]
Yes, I know they could still upgrade to 9.9.8 without this particular feature, by simply not enabling it in the build. But the restricted feature set policy tends to be applied on a source level. Playing the devil's advocate here... As I said, I was really happy to see this feature in 9.9.8 myself. Bjørn