selection: further NSNXAttack mitigation and fix tests
authorŠtěpán Balážik <stepan.balazik@nic.cz>
Fri, 6 Nov 2020 11:23:11 +0000 (12:23 +0100)
committerŠtěpán Balážik <stepan.balazik@nic.cz>
Fri, 6 Nov 2020 11:23:11 +0000 (12:23 +0100)
lib/layer/test.integr/iter_cname_length.rpl
lib/layer/test.integr/iter_limit_bad_glueless.rpl
lib/layer/test.integr/iter_limit_refuse.rpl
lib/layer/test.integr/kresd_config.j2
lib/resolve.c
lib/selection_iter.c

index 10206b6e8d43b4832848b77cd814781726800f1b..39f48a88c17f0109523d3c1092981a4f4ecad6dc 100644 (file)
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ; SPDX-License-Identifier: GPL-3.0-or-later
        stub-addr: 193.0.14.129         # k.root-servers.net.
index fdd72850422c6c2f96deb30bc78f940e18e57368..73d46273543d29d912757539003c22e3f790f9aa 100644 (file)
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ;      target-fetch-policy: "0 0 0 0 0"
 ;      name: "."
index 5641be34b42c09ab3adc239a8a66c2c1c96b8d3f..285b5afbfd0ae93b9e6fcdd712823f171f6d6d85 100644 (file)
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ;server:
        stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
@@ -7,7 +8,7 @@ SCENARIO_BEGIN Outrageous number of auth servers return REFUSED. Simulates NXNSA
 
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
-       ADDRESS 193.0.14.129 
+       ADDRESS 193.0.14.129
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
index 7ae66b941bb01db582898fe85f71683eb6bf0343..57db6e1bfdaf6caaaf398ab70ed5799e19831ecd 100644 (file)
@@ -67,6 +67,18 @@ policy.add(policy.all(policy.DEBUG_ALWAYS))
 
 net = { '{{SELF_ADDR}}' }
 
+{% if DO_IP6 == "true" %}
+net.ipv6 = true
+{% else %}
+net.ipv6 = false
+{% endif %}
+
+{% if DO_IP4 == "true" %}
+net.ipv4 = true
+{% else %}
+net.ipv4 = false
+{% endif %}
+
 
 {% if QMIN == "false" %}
 option('NO_MINIMIZE', true)
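Review bot: The new blocks on lines 46-56 force an address family off whenever the template variable is anything other than the string `"true"`, which includes the case where `DO_IP6` or `DO_IP4` is not defined at all; unless the test harness always sets both (not visible here), scenarios that never specify `do-ip6`/`do-ip4` would now run with that family disabled instead of the resolver's default. The existing `QMIN` block on line 59 takes the opposite shape and only acts on an explicit `"false"`, so undefined keeps the default; the same shape here would be `{% if DO_IP6 == "false" %}net.ipv6 = false{% else %}net.ipv6 = true{% endif %}` (and likewise for IPv4). If the harness does guarantee a value, a one-line template comment stating that assumption next to the blocks would save the next reader the same question.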
index 7824ac8f344690d370486feffcaae13006383f71..a3e3270f00b9c57e8b830d1882ee926466628a66 100644 (file)
@@ -800,7 +800,6 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo
                qry->flags.RESOLVED = false;
        }
 
-       /* For multiple errors in a row; invalidate_ns() is not enough. */
        if (!qry->flags.CACHED) {
                if (request->state & KR_STATE_FAIL) {
                        if (++request->count_fail_row > KR_CONSUME_FAIL_ROW_LIMIT) {
index 76ef959ac485b07687ef80f70ca8e8ea05247147..9a3efc54218b72658896ed81729f56d1429603d1 100644 (file)
@@ -18,6 +18,7 @@ struct iter_local_state {
        trie_t *addresses;
        unsigned int generation; // Used to distinguish old and valid records in tries
        enum kr_selection_error last_error;
+       unsigned int no_ns_addr_count;
 };
 
 enum record_state {
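Review bot: The new `no_ns_addr_count` member on line 75 is the one field in `iter_local_state` whose purpose is security-relevant, and it is the only one left without a comment while `generation` on the line above is documented. Its meaning is only recoverable from the increment later in this commit, so I would annotate it at the declaration: `unsigned int no_ns_addr_count; // RESOLVE_A/AAAA transports chosen so far; capped by KR_COUNT_NO_NSADDR_LIMIT (NXNSAttack mitigation)`. Where the struct is allocated and zeroed is outside this hunk, so the counter's starting value and whether it is ever reset cannot be confirmed from here; presumably it lives for one query.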
@@ -255,6 +256,15 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
                }
        }
 
+       bool nxnsattack_mitigation = false;
+       enum kr_transport_protocol proto = *transport ? (*transport)->protocol : -1;
+       if (proto == KR_TRANSPORT_RESOLVE_A || proto == KR_TRANSPORT_RESOLVE_AAAA) {
+               if (++local_state->no_ns_addr_count > KR_COUNT_NO_NSADDR_LIMIT) {
+                       *transport = NULL;
+                       nxnsattack_mitigation = true;
+               }
+       }
+
        update_name_state(*transport, local_state->names);
 
        WITH_VERBOSE(qry) {
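Review bot: On line 84 `proto` is given the sentinel `-1` when no transport was selected, but `enum kr_transport_protocol` shows no negative enumerator anywhere on the page, so the value is converted to whatever underlying type the compiler picked and the test on line 85 only passes because no real protocol compares equal; `-Wsign-conversion` builds are likely to warn. Guarding on the pointer states the intent directly: `if (*transport && (proto == KR_TRANSPORT_RESOLVE_A || proto == KR_TRANSPORT_RESOLVE_AAAA)) {` (a definition of `proto` is still needed for the verbose block further down, which reads it only when `*transport` is non-NULL). The increment on line 86 also deserves a why-comment, e.g. `/* Bound NS-address lookups per query: NXNSAttack mitigation (CVE-2020-12667) */`, since nothing in this hunk resets the counter and the transport dropped on line 87 is simply abandoned (how it was allocated is not visible here). iter_choose_transport's body starts before the hunk.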
@@ -262,7 +272,6 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
                if (*transport) {
                        KR_DNAME_GET_STR(ns_name, (*transport)->name);
                        const char *ns_str = kr_straddr(&(*transport)->address.ip);
-                       enum kr_transport_protocol proto = (*transport)->protocol;
                        if (proto != KR_TRANSPORT_RESOLVE_A && proto != KR_TRANSPORT_RESOLVE_AAAA) {
                                VERBOSE_MSG(qry,
                                "=> id: '%05u' choosing: '%s'@'%s' with timeout %u ms zone cut: '%s'%s\n",
@@ -275,8 +284,8 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
                        }
                } else {
                         VERBOSE_MSG(qry,
-                       "=> id: '%05u' no suitable transport, zone cut: '%s'\n",
-                       qry->id, zonecut_str);
+                       "=> id: '%05u' no suitable transport, zone cut: '%s'%s\n",
+                       qry->id, zonecut_str, nxnsattack_mitigation ? " (stopped due to mitigation for NXNSAttack CVE-2020-12667)" : "");
                }
        }
 }
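Review bot: The only trace that the mitigation fired is the verbose-only suffix added on lines 109-110, so a production deployment running without verbose logging has no way to see that NS-address lookups were being cut off for a query. If the resolver exposes counters to a statistics layer, incrementing one at the point where `nxnsattack_mitigation` is set (previous hunk) would make the event observable at normal log levels and let operators alert on it; that is a follow-up suggestion rather than a defect in this hunk. The message itself is consistent: the added `%s` on line 109 is matched by the extra argument on line 110.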