From: Štěpán Balážik
Date: Wed, 20 Jan 2021 18:33:14 +0000 (+0100)
Subject: selection_iter: relax NSNXAttack mitigation
X-Git-Tag: v5.3.0~15^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73650cc12fa67a11e50c9e658b92eb42ad1ffbd9;p=thirdparty%2Fknot-resolver.git

selection_iter: relax NSNXAttack mitigation

Previously the mitigation would stop some longer benign resolutions.
We can safely zero the subquery counter when we choose a concrete transport for the query (i.e. NS name with known IP address).
---
diff --git a/lib/selection_iter.c b/lib/selection_iter.c index 7596711cd..61e1080df 100644 --- a/lib/selection_iter.c +++ b/lib/selection_iter.c @@ -277,8 +277,11 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport /* We need to propagate this to flags since it's used in * other parts of the resolver. */ qry->flags.TCP = true; + case KR_TRANSPORT_UDP: /* fall through */ + local_state->no_ns_addr_count = 0; break; default: + assert(0); break; } }
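
Review bot: the `/* fall through */` marker on the added `case KR_TRANSPORT_UDP:` line sits after the label instead of between `qry->flags.TCP = true;` and the label, which is where the fall-through actually happens. In that position it reads as if the UDP case falls through to something, and GCC's -Wimplicit-fallthrough comment matching only recognises the marker when it precedes the `case` keyword. Move it onto its own line directly above `case KR_TRANSPORT_UDP:`. Two smaller points in the same hunk: `local_state->no_ns_addr_count = 0;` is the line that relaxes the mitigation, so it deserves a short in-code comment stating why the reset is safe here (a transport with a known address was chosen, as the commit message says), since the counter's limit is not visible from this function. The new `assert(0);` in `default:` aborts in builds with assertions enabled and compiles to nothing under NDEBUG, where the branch silently breaks without resetting the counter. If any other protocol value can reach this switch, handle it explicitly or log it instead of relying on the assertion.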