https://github.com/NLnetLabs/unbound.git
- For #1247, turn off fetch-policy for delegation when looking into
parent side name servers that may not update the addresses and hit NXNS limits.
parent
ca153f4657
commit
e2814fe165
3 changed files with 16 additions and 1 deletions
|
|
@ -1,5 +1,8 @@
|
|||
25 June 2025: Yorgos
|
||||
- Fix #1247: forward-first: ssl handshake failed on root nameservers.
|
||||
- For #1247, turn off fetch-policy for delegation when looking into
|
||||
parent side name servers that may not update the addresses and hit
|
||||
NXNS limits.
|
||||
|
||||
20 June 2025: Yorgos
|
||||
- Fix #1293: EDE 6 is attached to insecure cached answers when client
|
||||
|
|
|
|||
|
|
@ -79,6 +79,16 @@ struct delegpt {
|
|||
* Also true if the delegationpoint was created from a delegation
|
||||
* message and thus contains the parent-side-info already. */
|
||||
uint8_t has_parent_side_NS;
|
||||
/** if true, the delegation point has reached last resort processing
|
||||
* and the parent side information has been possibly added to the
|
||||
* delegation point.
|
||||
* For now this singals that further target lookups will ignore
|
||||
* the configured target-fetch-policy and only resolve on
|
||||
* demand to try and avoid triggering limits at this stage (.i.e, it
|
||||
* is very likely that the A/AAAA queries for the newly added name
|
||||
* servers will not yield new IP addresses and trigger NXNS
|
||||
* countermeasures. */
|
||||
uint8_t fallback_to_parent_side_NS;
|
||||
/** for assertions on type of delegpt */
|
||||
uint8_t dp_type_mlc;
|
||||
/** use SSL for upstream query */
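Review bot: The new doc comment on `fallback_to_parent_side_NS` has two typos and an unclosed parenthesis: `singals` should be `signals`, and `(.i.e, it is very likely` should read `(i.e., it is very likely`, with the closing `)` added after `countermeasures`. Because the flag changes how the resolver behaves near the NXNS limits, the comment should also say who sets it and that, as far as this diff shows, it is only ever set to 1 and never cleared on the same delegpt. The page shows changes only to the changelog, this header and the iterator, so it is worth confirming that delegpt_create zero-initialises the new field and deciding deliberately whether delegpt_copy should carry it over; how `has_parent_side_NS` is handled there is not visible here. The struct begins and ends outside the hunk.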
|
||||
|
|
|
|||
|
|
@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
|
||||
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
|
||||
}
|
||||
iq->dp->fallback_to_parent_side_NS = 1;
|
||||
if(qstate->env->cfg->harden_unverified_glue) {
|
||||
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
|
||||
qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
|
||||
|
|
@ -2772,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||
}
|
||||
/* if the mesh query list is full, then do not waste cpu and sockets to
|
||||
* fetch promiscuous targets. They can be looked up when needed. */
|
||||
if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
|
||||
if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
|
||||
&& !mesh_jostle_exceeded(qstate->env->mesh)) {
|
||||
tf_policy = ie->target_fetch_policy[iq->depth];
|
||||
}
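Review bot: The comment above the rewritten condition in processQueryTargets still explains only the full-mesh case, while the condition now also skips `target_fetch_policy` whenever `iq->dp->fallback_to_parent_side_NS` is set. I would extend it with something like `/* Also skip it after last-resort fallback to parent-side NS: those target lookups rarely yield new addresses and count against the NXNS limits. */`. In processLastResort the assignment `iq->dp->fallback_to_parent_side_NS = 1;` has no comment and sits before the `cache_fill_missing` calls, so it appears to take effect even when no parent-side data ends up being added; a one-line comment stating that this is intended would help the next reader. Both functions start and end outside the hunks.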
|
||||
|
||||
|
|
|
|||