- Fix that with harden-below-nxdomain and qname minisation enabled

some iterator states for nonresponsive domains can get into a
  state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
  to be reset by the TCP time measurement (that exists for TLS),
  because that causes the UDP part to not be measured as timeout.


git-svn-id: file:///svn/unbound/trunk@4912 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -3,6 +3,12 @@
 	  does not have it.
 	- Fix unbound for openssl in FIPS mode, it uses the digests with
 	  the EVP call contexts.
+	- Fix that with harden-below-nxdomain and qname minisation enabled
+	  some iterator states for nonresponsive domains can get into a
+	  state where they waited for an empty list.
+	- Stop UDP to TCP failover after timeouts that causes the ping count
+	  to be reset by the TCP time measurement (that exists for TLS),
+	  because that causes the UDP part to not be measured as timeout.
 
 13 September 2018: Wouter
 	- Fix seed for random backup code to use explicit zero when wiped.

iterator/iterator.c

@@ -2752,6 +2752,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 						verbose(VERB_ALGO,
 						"could not validate NXDOMAIN "
 						"response");
+					outbound_list_clear(&iq->outlist);
+					iq->num_current_queries = 0;
+					fptr_ok(fptr_whitelist_modenv_detach_subs(
+						qstate->env->detach_subs));
+					(*qstate->env->detach_subs)(qstate);
+					iq->num_target_queries = 0;
 				}
 			}
 			return next_state(iq, QUERYTARGETS_STATE);

services/outside_network.c

@@ -1979,7 +1979,7 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
 			return 0;
 		}
 		if(rto >= RTT_MAX_TIMEOUT) {
-			fallback_tcp = 1;
+			/* fallback_tcp = 1; */
 			/* UDP does not work, fallback to TCP below */
 		} else {
 			serviced_callbacks(sq, NETEVENT_TIMEOUT, c, rep);