resolve.c: trigger serve stale on NSNXAttack mitigation from kr_resolve_consume
authorŠtěpán Balážik <stepan.balazik@nic.cz>
Tue, 19 Jan 2021 15:08:22 +0000 (16:08 +0100)
committerŠtěpán Balážik <stepan.balazik@nic.cz>
Mon, 25 Jan 2021 14:42:55 +0000 (15:42 +0100)
lib/resolve.c

index 0d4d89c528587b3cf87f45623e8572cbb4c72193..9d6be9b1ee4b3185732fcff6bd460ee623dea570 100644 (file)
@@ -832,6 +832,10 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo
                                                "bail out (mitigation for NXNSAttack "
                                                "CVE-2020-12667)\n");
                                }
+                               if (!qry->flags.NO_NS_FOUND) {
+                                       qry->flags.NO_NS_FOUND = true;
+                                       return KR_STATE_PRODUCE;
+                               }
                                return KR_STATE_FAIL;
                        }
                } else {
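Review bot: The added `if (!qry->flags.NO_NS_FOUND)` branch follows the verbose message that says "bail out (mitigation for NXNSAttack CVE-2020-12667)", yet on the first hit it now returns `KR_STATE_PRODUCE`, so the log reports a bail-out that did not happen. I would log the two outcomes separately and add a comment above the branch such as `/* First hit: give serve_stale one chance via produce; NO_NS_FOUND makes the next hit fail. */`. It is also worth confirming that the extra produce pass cannot send further upstream queries for this `qry` before the limit is checked again. The counter that triggers the mitigation is outside the hunk, so this cannot be judged from the visible lines. The body of kr_resolve_consume starts and ends outside the hunk.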
@@ -1384,13 +1388,14 @@ int kr_resolve_produce(struct kr_request *request, struct kr_transport **transpo
                if (qry->flags.NO_NS_FOUND) {
                        ITERATE_LAYERS(request, qry, reset);
                        kr_rplan_pop(rplan, qry);
+                       return KR_STATE_FAIL;
                } else {
                        /* FIXME: This is probably quite inefficient:
                        * we go through the whole qr_task_step loop just because of the serve_stale
                        * module which might not even be loaded. */
                        qry->flags.NO_NS_FOUND = true;
+                       return KR_STATE_PRODUCE;
                }
-               return KR_STATE_PRODUCE;
        }
 
        if ((*transport)->protocol == KR_TRANSPORT_RESOLVE_A || (*transport)->protocol == KR_TRANSPORT_RESOLVE_AAAA) {
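Review bot: The `NO_NS_FOUND` branch now pops the query and returns `KR_STATE_FAIL` without any log line of its own, whereas the visible failure path in kr_resolve_consume prints a verbose message. Because the first hunk of this commit lets kr_resolve_consume set `NO_NS_FOUND` too, this branch can be reached for a reason the existing FIXME does not mention. A short comment would document that, e.g. `/* Second pass: serve_stale already had its chance (flag set here or in kr_resolve_consume), give up. */`. The enclosing condition and the rest of kr_resolve_produce are outside the hunk.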