upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 15:09:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Return SERVFAIL for a too long CNAME chain

Browse source 
Due to the maximum query restart limitation a long CNAME chain
it is cut after 16 queries but named still returns NOERROR.

Return SERVFAIL instead and the partial answer.

(cherry picked from commit b621f1d88e)
This commit is contained in:
Aram Sargsyan 2024-06-06 12:06:59 +00:00 committed by Arаm Sаrgsyаn
parent c63b7fad49
commit 2b3ce5e514
1 changed files with 36 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
lib/ns/query.c
View file

@ -11546,7 +11546,7 @@ isc_result_t
ns_query_done(query_ctx_t *qctx) {
isc_result_t result = ISC_R_UNSET;
const dns_namelist_t *secs = qctx->client->message->sections;
bool nodetach;
bool nodetach, partial_result_with_servfail = false;
CCTRACE(ISC_LOG_DEBUG(3), "ns_query_done");
@ -11580,21 +11580,44 @@ ns_query_done(query_ctx_t *qctx) {
/*
* Do we need to restart the query (e.g. for CNAME chaining)?
*/
if (qctx->want_restart && qctx->client->query.restarts < MAX_RESTARTS) {
query_ctx_t *saved_qctx = NULL;
qctx->client->query.restarts++;
saved_qctx = isc_mem_get(qctx->client->manager->mctx,
sizeof(*saved_qctx));
qctx_save(qctx, saved_qctx);
isc_nmhandle_attach(qctx->client->handle,
&qctx->client->restarthandle);
isc_async_run(qctx->client->manager->loop, async_restart,
saved_qctx);
return (DNS_R_CONTINUE);
if (qctx->want_restart) {
if (qctx->client->query.restarts < MAX_RESTARTS) {
query_ctx_t *saved_qctx = NULL;
qctx->client->query.restarts++;
saved_qctx = isc_mem_get(qctx->client->manager->mctx,
sizeof(*saved_qctx));
qctx_save(qctx, saved_qctx);
isc_nmhandle_attach(qctx->client->handle,
&qctx->client->restarthandle);
isc_async_run(qctx->client->manager->loop,
async_restart, saved_qctx);
return (DNS_R_CONTINUE);
} else {
/*
* This is e.g. a long CNAME chain which we cut short.
*/
qctx->client->query.attributes |=
NS_QUERYATTR_PARTIALANSWER;
qctx->client->message->rcode = dns_rcode_servfail;
qctx->result = DNS_R_SERVFAIL;
/*
* Send the answer back with a SERVFAIL result even
* if recursion was requested.
*/
partial_result_with_servfail = true;
ns_client_extendederror(qctx->client, 0,
"max. restarts reached");
ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_QUERY, ISC_LOG_INFO,
"query iterations limit reached");
}
}
if (qctx->result != ISC_R_SUCCESS &&
(!PARTIALANSWER(qctx->client) || WANTRECURSION(qctx->client) ||
(!PARTIALANSWER(qctx->client) ||
(WANTRECURSION(qctx->client) && !partial_result_with_servfail) ||
qctx->result == DNS_R_DROP))
{
if (qctx->result == DNS_R_DUPLICATE ||