From bc1d177cc2e82f18a77985c518e169f0e37d88c7 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 3 Mar 2026 08:37:34 +0100
Subject: [PATCH] Fast fail a validator deadlock

We return DNS_R_NOVALIDSIG if we detected a deadlock. Then in 'validate_async_done()', this result value is used to check if we need to fall back to insecure. As part of that we create a new fetch but that fails because of the detected deadlock. This results in a loop of deadlock detected, fallback to insecure, deadlock detected, ... Add a new result value, ISC_R_DEADLOCK, and return this instead when we have detected a deadlock. This will be treated as a generic error, as there is no special handling for this result value.
---
 lib/dns/validator.c | 4 ++--
 lib/isc/include/isc/result.h | 1 +
 lib/isc/result.c | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index de0765b8c2..400143f79e 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -972,7 +972,7 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	if (check_deadlock(val, name, type, NULL, NULL)) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "deadlock found (create_fetch)");
-		return DNS_R_NOVALIDSIG;
+		return ISC_R_DEADLOCK;
 	}
 
 	if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0) {
@@ -1016,7 +1016,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	if (check_deadlock(val, name, type, rdataset, sig)) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "deadlock found (create_validator)");
-		return DNS_R_NOVALIDSIG;
+		return ISC_R_DEADLOCK;
 	}
 
 	/* OK to clear other options, but preserve NOCDFLAG and NONTA. */
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 3c5d6a75d7..05dffd50b9 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
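Review bot: The new `return ISC_R_DEADLOCK;` in create_fetch() carries no comment saying why the result must not be DNS_R_NOVALIDSIG, so a later cleanup that "harmonises" the validator's error codes could silently reintroduce the fallback-to-insecure loop the commit message describes. I would put above the return `/* Not DNS_R_NOVALIDSIG: that makes validate_async_done() fall back to insecure, which re-creates the fetch and loops forever. */`, and the same comment belongs at the identical return in the create_validator() hunk below. The detected cycle still logs only at ISC_LOG_DEBUG(3) even though it now fails the validation outright rather than degrading to insecure; whether operators need a more visible level depends on how the callers report the generic error, which is outside this hunk. create_fetch()'s body starts before and continues after the hunk, so I cannot confirm from here how the changed value is consumed.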
@@ -85,6 +85,7 @@ typedef enum isc_result {
 	ISC_R_HTTP2ALPNERROR, /*%< ALPN for HTTP/2 failed */
 	ISC_R_DOTALPNERROR, /*%< ALPN for DoT failed */
 	ISC_R_INVALIDPROTO, /*%< invalid protocol */
+	ISC_R_DEADLOCK, /*%< deadlock found */
 
 	DNS_R_LABELTOOLONG,
 	DNS_R_BADESCAPE,
diff --git a/lib/isc/result.c b/lib/isc/result.c
index f362d812f7..1d00a34b53 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -88,6 +88,7 @@ static const char *description[ISC_R_NRESULTS] = {
 	[ISC_R_HTTP2ALPNERROR] = "ALPN for HTTP/2 failed",
 	[ISC_R_DOTALPNERROR] = "ALPN for DoT failed",
 	[ISC_R_INVALIDPROTO] = "invalid protocol",
+	[ISC_R_DEADLOCK] = "deadlock found",
 
 	[DNS_R_LABELTOOLONG] = "label too long",
 	[DNS_R_BADESCAPE] = "bad escape",
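Review bot: `ISC_R_DEADLOCK` is inserted into the middle of `enum isc_result`, which renumbers every enumerator that follows it — the DNS_R_* codes visible right below and everything up to ISC_R_NRESULTS. That is harmless for code compiled together, but anything that persists or compares the numeric value across library versions (statistics output, logs parsed by tooling, out-of-tree consumers linked against libisc/libdns) will see shifted codes, so the shared-library version should be bumped alongside this if that is the project's policy; the versioning files are not part of this patch, so I cannot tell whether that was done. The new comment could also name the condition rather than repeat the identifier: `/*%< dependency cycle between validators detected */`.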
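Review bot: The `description[]` table gets its entry, but if this file also keeps the parallel `identifier[]` table consulted by isc_result_toid(), the patch is missing the matching `[ISC_R_DEADLOCK] = "ISC_R_DEADLOCK",` line — the diffstat shows a single insertion in result.c. A slot left out of a designated-initializer array is NULL, so isc_result_toid(ISC_R_DEADLOCK) would return NULL and any caller that formats it with `%s` would crash. I cannot see the rest of result.c from this hunk, so please confirm against the file; if there is a unit test that walks both tables it should be run for the new value.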