upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 12:20:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fail promptly on an RRSIG answer with no usable record

Browse source 
A query for an RRSIG is handled as a subset of ANY, so rctx_answer_any()
filters out records that do not match the queried type. When every
record was filtered out (an answer carrying only unrelated types), the
function still returned success with nothing cached, and the fetch then
waited for a validator that was never started until the backstop fetch
timer fired ~12s later. Treat an all-filtered answer as a broken
response, matching how non-meta types already reject a reply with no
usable record.
This commit is contained in:
Ondřej Surý 2026-05-29 17:43:54 +02:00
parent d0c6219d66
commit 938b58a809
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
lib/dns/resolver.c
View file

@ -8781,6 +8781,19 @@ rctx_answer_any(respctx_t *rctx) {
rdataset->trust = rctx->trust;
}
/*
* An RRSIG query is handled as a subset of ANY; if every record in
* the answer was filtered out above, nothing was marked cacheable,
* so there is nothing to cache, validate, or chase. Treat that as a
* broken answer instead of returning success with no answer, which
* would leave the fetch waiting for a validator that is never
* started.
*/
if (!rctx->aname->attributes.cache) {
rctx->result = DNS_R_FORMERR;
return ISC_R_COMPLETE;
}
return ISC_R_SUCCESS;
}