+6 October 2022: Wouter
+ - Fix to stop responses with TC flag from resulting in partial
+ responses. It retries to fetch the data elsewhere, or fails the
+ query and in depth fix removes the TC flag from the cached item.
+
5 October 2022: Wouter
- Fix dnscrypt compile for proxy protocol code changes.
if(!msg || !request)
return RESPONSE_TYPE_THROWAWAY;
-
+ /* If the TC flag is set, the response is incomplete. Too large to
+ * fit even in TCP or so. Discard it, it cannot be retrieved here. */
+ if((msg->rep->flags & BIT_TC))
+ return RESPONSE_TYPE_THROWAWAY;
+
/* If the message is NXDOMAIN, then it answers the question. */
if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) {
/* make sure its not recursive when we don't want it to */
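Review bot: The comment on the new `BIT_TC` check ("Too large to fit even in TCP or so") does not state why the response is discarded. I would spell out the invariant, for example `/* A response that still has TC set is incomplete; never classify it as an answer, so partial data is neither returned nor cached. */`. The check sits ahead of the NXDOMAIN test, so a truncated NXDOMAIN is thrown away too; if that ordering is deliberate, the comment should say so. As a style point, the doubled parentheses in `if((msg->rep->flags & BIT_TC))` can be single. The enclosing function starts and ends outside the hunk.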
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
iq->response, &iq->qinfo_out, iq->dp);
iq->chase_to_rd = 0;
+ /* remove TC flag, if this is erroneously set by TCP upstream */
+ iq->response->rep->flags &= ~BIT_TC;
if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
!iq->auth_zone_response) {
/* When forwarding (RD bit is set), we handle referrals
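Review bot: `iq->response->rep->flags &= ~BIT_TC;` dereferences `iq->response` unconditionally, so it relies on a null check earlier in the function, which is outside the hunk; please confirm one exists. The classifier in the first code hunk, which appears to be the function called just above this line, is written to tolerate a null message (`if(!msg || !request)`). Because that classifier now returns `RESPONSE_TYPE_THROWAWAY` for any response with TC set, this clear acts only as a second safeguard, and the comment should say so, e.g. `/* defence in depth: TC responses are thrown away above; make sure the flag never reaches a cached item */`. The new line also runs for every response type, including throwaway ones, which looks harmless but is worth noting next to it.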
/* remove CD-bit, we asked for in case we handle validation ourself */
prs->flags &= ~BIT_CD;
- /* remove TC flag, if this is erroneously set by TCP upstream */
- prs->flags &= ~BIT_TC;
/* normalize and sanitize: easy to delete items from linked lists */
if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
ENTRY_END
ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
-www.example.com. IN A
+example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA NOERROR
+REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
ENTRY_END
SCENARIO_END
cat fwd.log
cat unbound.log
echo "> check answer"
-if grep "10.20.30.42" outfile; then
+if grep "SERVFAIL" outfile; then
echo "OK"
else
echo "Not OK"