selection_iter: relax NSNXAttack mitigation
authorŠtěpán Balážik <stepan.balazik@nic.cz>
Wed, 20 Jan 2021 18:33:14 +0000 (19:33 +0100)
committerŠtěpán Balážik <stepan.balazik@nic.cz>
Mon, 25 Jan 2021 14:42:55 +0000 (15:42 +0100)
Previously the mitigation would stop some longer benign resolutions.
We can safely zero the subquery counter when we choose a concrete transport
for the query (i.e. an NS name with a known IP address).

lib/selection_iter.c

index 7596711cd7b99fbd7833e02cdb8f331150cd4002..61e1080df451042d555e8285e81485c9a532320f 100644 (file)
@@ -277,8 +277,11 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
                        /* We need to propagate this to flags since it's used in
                         * other parts of the resolver. */
                        qry->flags.TCP = true;
+               case KR_TRANSPORT_UDP: /* fall through */
+                       local_state->no_ns_addr_count = 0;
                        break;
                default:
+                       assert(0);
                        break;
                }
        }
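Review bot: The unconditional `local_state->no_ns_addr_count = 0;` under `case KR_TRANSPORT_UDP:` has no comment saying why the reset is safe, and the check that enforces the limit is outside this hunk. As written, the counter appears to bound only a consecutive run of address-less NS choices, so a delegation chain that offers one addressable NS between such runs would restart it each time; the total subquery work per request then has to be capped elsewhere. I would record that in place, for example `/* Concrete address chosen: the run of NS names without addresses ends here; total work is still capped by <the per-request limit, name it>. */`. Separately, `/* fall through */` sits after the `case KR_TRANSPORT_UDP:` label rather than before it, after `qry->flags.TCP = true;`, where compilers' implicit-fallthrough checks look for it. The function body starts and ends outside the hunk.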