From: Štěpán Balážik
Date: Tue, 19 Jan 2021 15:08:22 +0000 (+0100)
Subject: resolve.c: trigger serve stale on NSNXAttack mitigation from kr_resolve_consume
X-Git-Tag: v5.3.0~15^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ffbf501b040437777e47b62c64dffe13fdf390a;p=thirdparty%2Fknot-resolver.git
resolve.c: trigger serve stale on NSNXAttack mitigation from kr_resolve_consume
---
diff --git a/lib/resolve.c b/lib/resolve.c
index 0d4d89c52..9d6be9b1e 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -832,6 +832,10 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo
 "bail out (mitigation for NXNSAttack "
 "CVE-2020-12667)\n");
 }
+ if (!qry->flags.NO_NS_FOUND) {
+ qry->flags.NO_NS_FOUND = true;
+ return KR_STATE_PRODUCE;
+ }
 return KR_STATE_FAIL;
 }
 } else {
@@ -1384,13 +1388,14 @@ int kr_resolve_produce(struct kr_request *request, struct kr_transport **transpo
 if (qry->flags.NO_NS_FOUND) {
 ITERATE_LAYERS(request, qry, reset);
 kr_rplan_pop(rplan, qry);
+ return KR_STATE_FAIL;
 } else {
 /* FIXME: This is probably quite inefficient:
 * we go through the whole qr_task_step loop just because of the serve_stale
 * module which might not even be loaded. */
 qry->flags.NO_NS_FOUND = true;
+ return KR_STATE_PRODUCE;
 }
- return KR_STATE_PRODUCE;
 }
 if ((*transport)->protocol == KR_TRANSPORT_RESOLVE_A ||
 (*transport)->protocol == KR_TRANSPORT_RESOLVE_AAAA) {
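Review bot: The added branch in kr_resolve_consume defers the NXNSAttack (CVE-2020-12667) bail-out by one pass through produce, and nothing visible in the hunk bounds what that pass may do. If produce still selects a transport, the query could presumably go upstream once more after the limit has tripped, which should be confirmed or ruled out because the limit exists to cap outbound work. The branch also reuses `NO_NS_FOUND` as a "serve_stale already had its chance" marker, which the flag name does not convey; the same dual meaning applies in the kr_resolve_produce hunk. I would add `/* Let serve_stale try once before failing; NO_NS_FOUND marks that this pass was already taken. */` above the new `if`. The enclosing function starts and ends outside the hunk.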
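Review bot: Returning `KR_STATE_FAIL` right after `kr_rplan_pop(rplan, qry)` makes this branch terminal where the old code fell through to `KR_STATE_PRODUCE`, and the hunk does not say whether that is intended when `qry` is a sub-query whose parent is still in the plan. If the caller treats FAIL from produce as the end of the whole request (not visible here), one unresolvable NS-address lookup would now fail the client query instead of letting the parent try another server. A comment on the branch, e.g. `/* serve_stale already had its pass; fail the request, parent queries included */`, would make the contract explicit. kr_resolve_produce continues outside the hunk.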