diff --git a/CHANGES b/CHANGES index 2d4b790360..b8822805d4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752] + 6052. [func] Replace DNS over TCP and DNS over TLS transports code with a new, unified transport implementation. [GL #3374] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ab6c3d0f9b..89ea907102 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -55,6 +55,11 @@ Bug Fixes - Fix a rare assertion failure in the outgoing TCP DNS connection handling. :gl:`#3178` :gl:`#3636` +- In addition to a previously fixed bug, another similar issue was discovered + where quotas could be erroneously reached for servers, including any + configured forwarders, resulting in SERVFAIL answers being sent to clients. + This has been fixed. :gl:`#3752` + Known Issues ~~~~~~~~~~~~ diff --git a/lib/dns/adb.c b/lib/dns/adb.c index d096c6185d..523f5709d4 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -1173,11 +1173,15 @@ destroy_adbentry(dns_adbentry_t *entry) { dns_adblameinfo_t *li = NULL; dns_adb_t *adb = entry->adb; + uint_fast32_t active; entry->magic = 0; INSIST(ISC_LIST_EMPTY(entry->nhs)); + active = atomic_load_acquire(&entry->active); + INSIST(active == 0); + if (entry->cookie != NULL) { isc_mem_put(adb->mctx, entry->cookie, entry->cookielen); } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 99ad350afe..f5da36305a 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -2660,7 +2660,16 @@ resquery_send(resquery_t *query) { hint = dns_adb_getudpsize(fctx->adb, query->addrinfo); } else if (tried->count >= 2U) { - query->options |= DNS_FETCHOPT_TCP; + if ((query->options & DNS_FETCHOPT_TCP) == 0) { + /* + * Inform the ADB that we're ending a + * UDP fetch, and turn the query into + * a TCP query. + */ + dns_adb_endudpfetch(fctx->adb, + query->addrinfo); + query->options |= DNS_FETCHOPT_TCP; + } } } }
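Review bot: The `INSIST(active == 0)` added to destroy_adbentry in lib/dns/adb.c has no comment saying which invariant it guards, yet it turns any leftover imbalance in the entry's counter into a process abort. Assuming `active` is the count that dns_adb_endudpfetch() decrements, a comment would help whoever has to triage such an abort, for example `/* every fetch counted in entry->active must have been ended before the entry is destroyed */`. The local is read only by the assertion, so `INSIST(atomic_load_acquire(&entry->active) == 0);` would do the same without the extra declaration. The function body continues past the end of the hunk.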
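Review bot: The `dns_adb_endudpfetch(fctx->adb, query->addrinfo)` call added in resquery_send (lib/dns/resolver.c) is only balanced if this query was already counted as a UDP fetch, and the hunk does not show where that happens. The counter asserted in the adb.c hunk is a `uint_fast32_t`, so an unmatched end call would presumably wrap it rather than go negative, which could leave the server looking permanently over quota. I would extend the new comment to state the invariant, for example `* The UDP fetch was registered when the query was created, so it must be ended exactly once here.`, after confirming that against the caller. Since the `else if` is the last branch, the two conditions could also be merged into `} else if (tried->count >= 2U && (query->options & DNS_FETCHOPT_TCP) == 0) {` to save a nesting level. The function starts and ends outside the hunk.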