diff --git a/doc/Changelog b/doc/Changelog
index 20d3c05c9..61a10f9a5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+6 October 2022: Wouter
+ - Fix to stop responses with TC flag from resulting in partial
+ responses. It retries to fetch the data elsewhere, or fails the
+ query and in depth fix removes the TC flag from the cached item.
+
 5 October 2022: Wouter
 - Fix dnscrypt compile for proxy protocol code changes.
diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c
index f146a2b6b..c2b824a0f 100644
--- a/iterator/iter_resptype.c
+++ b/iterator/iter_resptype.c
@@ -113,7 +113,11 @@ response_type_from_server(int rdset,
 if(!msg || !request)
 return RESPONSE_TYPE_THROWAWAY;
-
+ /* If the TC flag is set, the response is incomplete. Too large to
+ * fit even in TCP or so. Discard it, it cannot be retrieved here. */
+ if((msg->rep->flags & BIT_TC))
+ return RESPONSE_TYPE_THROWAWAY;
+
 /* If the message is NXDOMAIN, then it answers the question. */
 if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) {
 /* make sure its not recursive when we don't want it to */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 2d676b1df..2f3ad06fe 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2907,6 +2907,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
 iq->response, &iq->qinfo_out, iq->dp);
 iq->chase_to_rd = 0;
+ /* remove TC flag, if this is erroneously set by TCP upstream */
+ iq->response->rep->flags &= ~BIT_TC;
 if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && !iq->auth_zone_response) {
 /* When forwarding (RD bit is set), we handle referrals
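Review bot: The new TC check in response_type_from_server (iterator/iter_resptype.c) returns RESPONSE_TYPE_THROWAWAY without leaving any trace, so an upstream that keeps setting TC shows up only as retries and, per the updated tests, an eventual SERVFAIL. A log line before the return would let an operator tell this case from the other throwaway reasons, for example `verbose(VERB_ALGO, "response has TC flag set, throwing it away");`, provided util/log.h is already included in this file, which the hunk does not show. The comment's "or so" could also be replaced by the actual condition, e.g. `/* TC set on the reply that reached the iterator: the answer is incomplete and cannot be completed from here, discard it. */`. The function body starts and ends outside the hunk.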
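Review bot: The TC strip added in processQueryResponse (iterator/iterator.c, `iq->response->rep->flags &= ~BIT_TC;`) now has to stay after the response_type_from_server() call, because that classifier reads the flag to throw the reply away, but the comment was moved over unchanged and does not record the ordering. I would word it as `/* clear TC only after the classification above: a TC reply is thrown away there, and the flag must not remain on a message that is kept or cached */`, so a later refactor does not move the strip back in front of the classifier. The line also dereferences iq->response unconditionally while the callee accepts a NULL msg; the function begins outside the hunk, so it should be confirmed that a NULL response has already been handled before this point.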
@@ -4027,8 +4029,6 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 /* remove CD-bit, we asked for in case we handle validation ourself */
 prs->flags &= ~BIT_CD;
- /* remove TC flag, if this is erroneously set by TCP upstream */
- prs->flags &= ~BIT_TC;
 /* normalize and sanitize: easy to delete items from linked lists */
 if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
diff --git a/testdata/iter_auth_tc.rpl b/testdata/iter_auth_tc.rpl
index 2136ca8b0..417807724 100644
--- a/testdata/iter_auth_tc.rpl
+++ b/testdata/iter_auth_tc.rpl
@@ -55,11 +55,11 @@ a.gtld-servers.net. IN A 192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN NS
 SECTION AUTHORITY
 example.com. IN NS ns.example.com.
 SECTION ADDITIONAL
@@ -82,6 +82,27 @@ SECTION ADDITIONAL
 ns.example.com. IN A 1.2.3.4
 ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@@ -109,15 +130,9 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA NOERROR
+REPLY QR RD RA SERVFAIL
 SECTION QUESTION
 www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
 ENTRY_END
 SCENARIO_END
diff --git a/testdata/stub_auth_tc.tdir/stub_auth_tc.test b/testdata/stub_auth_tc.tdir/stub_auth_tc.test
index 2d3df5365..7b7440274 100644
--- a/testdata/stub_auth_tc.tdir/stub_auth_tc.test
+++ b/testdata/stub_auth_tc.tdir/stub_auth_tc.test
@@ -12,7 +12,7 @@ echo "> cat logfiles"
 cat fwd.log
 cat unbound.log
 echo "> check answer"
-if grep "10.20.30.42" outfile; then
+if grep "SERVFAIL" outfile; then
 echo "OK"
 else
 echo "Not OK"
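Review bot: `grep "SERVFAIL" outfile` in stub_auth_tc.test passes on any occurrence of the string and no longer checks that the previously expected address is absent, so a reply that still carried the partial answer would not be caught as long as the word appears somewhere in the output. Tightening the match to the status field and asserting the old address is gone would pin the intended behaviour, e.g. `if grep "status: SERVFAIL" outfile && ! grep "10.20.30.42" outfile; then`, assuming outfile holds dig-style output, which the hunk does not show. The if block continues outside the hunk.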