From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Fri, 9 Aug 2019 10:05:51 +0000 (+0200)
Subject: rebinding: change/fix when triggered inside sub-query
X-Git-Tag: v4.2.1~10^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26bcd8c1576f95b6d78bfb97acb9facea3e03ea8;p=thirdparty%2Fknot-resolver.git

rebinding: change/fix when triggered inside sub-query

This avoids getting into an inconsistent state of the request (assert),
and it also allows some real-life cases to succeed without using
a forbidden address in any way (even though they *are* weird).

I can still imagine weird setups where a request gets failed even
though it would be resolvable without *using* a forbidden address,
but none of these seem reasonable anyway (or common in practice).
---

diff --git a/modules/rebinding/rebinding.lua b/modules/rebinding/rebinding.lua
index 25f92c9a4..83020d606 100644
--- a/modules/rebinding/rebinding.lua
+++ b/modules/rebinding/rebinding.lua
@@ -104,7 +104,14 @@ function M.layer.consume(state, req, pkt)
 
 	qry.flags.RESOLVED = 1  -- stop iteration
 	qry.flags.CACHED = 1  -- do not cache
-	refuse(req)
+
+	--[[ In case we're in a sub-query, we do not touch the final req answer.
+		Only this sub-query will get finished without a result - there we
+		rely on the iterator reacting to flags.RESOLVED
+		Typical example: NS address resolution -> only this NS won't be used
+		but others may still be OK (or we SERVFAIL due to no NS being usable).
+	--]]
+	if qry.parent == nil then refuse(req) end
 	if verbose() then
 		ffi.C.kr_log_qverbose_impl(qry, 'rebinding',
 		    'blocking blacklisted IP in RR \'%s\' received from IP %s\n',