From 7213b038f0beb2f4750b858113af1f9e18ae0520 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sun, 3 May 2026 22:00:39 -0700
Subject: [PATCH] Clear dns64_aaaaok immediately after use

The DNS64 state information stored in client->query.dns64_aaaaok could cause an assertion failure in query_respond() if the server was configured in such a way as to trigger a new recursion before the query had been reset - for example, by using the filter-aaaa plugin, which may need to recurse to find out whether an A record exists. This has been addressed by clearing DNS64 state information immediately after the call to query_filter64().
---
 bin/tests/system/filters/ns1/unsigned.db | 5 +++++
 bin/tests/system/filters/ns4/unsigned.db | 5 +++++
 bin/tests/system/filters/ns5/named.conf.j2 | 6 +++---
 bin/tests/system/filters/tests_filter_dns64.py | 4 ++++
 lib/ns/query.c | 4 ++++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/filters/ns1/unsigned.db b/bin/tests/system/filters/ns1/unsigned.db
index 7631201071..02a6dfc34f 100644
--- a/bin/tests/system/filters/ns1/unsigned.db
+++ b/bin/tests/system/filters/ns1/unsigned.db
@@ -12,3 +12,8 @@ dual A 1.0.0.6
 dual AAAA 2001:db8::6
 mx A 1.0.0.3
 mx AAAA 2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone A 1.0.0.6
+excludeone AAAA ::1
+excludeone AAAA 2001:db8::6
diff --git a/bin/tests/system/filters/ns4/unsigned.db b/bin/tests/system/filters/ns4/unsigned.db
index c83c1d2df9..94f6299aa7 100644
--- a/bin/tests/system/filters/ns4/unsigned.db
+++ b/bin/tests/system/filters/ns4/unsigned.db
@@ -12,3 +12,8 @@ dual A 1.0.0.6
 dual AAAA 2001:db8::6
 mx A 1.0.0.3
 mx AAAA 2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone A 1.0.0.6
+excludeone AAAA ::1
+excludeone AAAA 2001:db8::6
diff --git a/bin/tests/system/filters/ns5/named.conf.j2 b/bin/tests/system/filters/ns5/named.conf.j2
index 3ec78bd1a3..523e3aca44 100644
--- a/bin/tests/system/filters/ns5/named.conf.j2
+++ b/bin/tests/system/filters/ns5/named.conf.j2
@@ -10,9 +10,9 @@ options {
 dnssec-validation no;
 notify yes;
 dns64 64:ff9b::/96 {
- clients { any; };
- exclude { any; };
- mapped { any; };
+ clients { any; };
+ exclude { ::1/128; };
+ mapped { any; };
 };
 minimal-responses no;
 };
diff --git a/bin/tests/system/filters/tests_filter_dns64.py b/bin/tests/system/filters/tests_filter_dns64.py
index dfa71b76c1..2f5409ddfd 100644
--- a/bin/tests/system/filters/tests_filter_dns64.py
+++ b/bin/tests/system/filters/tests_filter_dns64.py
@@ -25,3 +25,7 @@ def test_filter_dns64():
 msg = isctest.query.create("aaaa-only.unsigned", "aaaa")
 res = isctest.query.tcp(msg, "10.53.0.5")
 isctest.check.noerror(res)
+
+ msg = isctest.query.create("excludeone.unsigned", "aaaa")
+ res = isctest.query.tcp(msg, "10.53.0.5")
+ isctest.check.noerror(res)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 7b1ed3a015..fbb9e8213b 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7940,6 +7940,10 @@ query_addanswer(query_ctx_t *qctx) {
 } else if (qctx->client->query.dns64_aaaaok != NULL) {
 query_filter64(qctx);
 ns_client_putrdataset(qctx->client, &qctx->rdataset);
+ isc_mem_cput(qctx->client->manager->mctx,
+ qctx->client->query.dns64_aaaaok,
+ qctx->client->query.dns64_aaaaoklen, sizeof(bool));
+ qctx->client->query.dns64_aaaaoklen = 0;
 } else {
 if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
 query_prefetch(qctx->client, qctx->fname,
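Review bot: Narrowing `exclude` from `any` to `::1/128` in the `dns64` block also changes what the queries already present in test_filter_dns64 exercise: with `exclude { any; }` every AAAA was excluded, and now none is unless it equals ::1. If the all-excluded path was being covered on purpose, it would be worth keeping a name whose only AAAA is ::1 so that both the fully excluded and the partly excluded case stay tested; the earlier queries in the test are only partly visible here, so this is inferred. A comment beside the setting would record the intent, for example `// ::1 is excluded so that excludeone.unsigned has one excluded and one usable AAAA`.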
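Review bot: The new `excludeone.unsigned` query is checked with `isctest.check.noerror(res)` only, so it catches the server aborting but not query_filter64() returning the wrong records once the crash is fixed. If the expected answer is deterministic for this client (presumably 2001:db8::6 without ::1, unless filter-aaaa strips it), asserting on `res.answer` would make the test pin the behaviour as well as the absence of the assertion failure. A comment above the added query would also help the next reader, for example `# excludeone has one excluded AAAA (::1); this used to trigger an assertion in query_respond()`. test_filter_dns64() begins outside this hunk.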
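Review bot: The added cleanup in the `dns64_aaaaok != NULL` branch visibly resets only `dns64_aaaaoklen`, while the branch guard tests the pointer, so the fix depends on `isc_mem_cput()` setting its pointer argument to NULL (the isc_mem put macros do this as far as I know; worth confirming for this branch). A comment above the call would make that dependency explicit, for example `/* Release DNS64 state now; isc_mem_cput() NULLs dns64_aaaaok, so a recursion started before the query is reset cannot see stale state. */`. If the same release sequence also lives in the query reset path, which is not visible here, a small shared helper would keep the two copies from drifting apart. query_addanswer() begins and ends outside this hunk.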