From d09ffaacc52b9c567ebaa8046356a15ab04d8915 Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C5=A0t=C4=9Bp=C3=A1n=20Bal=C3=A1=C5=BEik?=
Date: Fri, 6 Nov 2020 12:23:11 +0100
Subject: [PATCH] selection: further NSNXAttack mitigation and fix tests

---
 lib/layer/test.integr/iter_cname_length.rpl | 1 +
 lib/layer/test.integr/iter_limit_bad_glueless.rpl | 1 +
 lib/layer/test.integr/iter_limit_refuse.rpl | 3 ++-
 lib/layer/test.integr/kresd_config.j2 | 12 ++++++++++++
 lib/resolve.c | 1 -
 lib/selection_iter.c | 15 ++++++++++++---
 6 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/lib/layer/test.integr/iter_cname_length.rpl b/lib/layer/test.integr/iter_cname_length.rpl
index 10206b6e8..39f48a88c 100644
--- a/lib/layer/test.integr/iter_cname_length.rpl
+++ b/lib/layer/test.integr/iter_cname_length.rpl
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ; SPDX-License-Identifier: GPL-3.0-or-later
 stub-addr: 193.0.14.129 # k.root-servers.net.
diff --git a/lib/layer/test.integr/iter_limit_bad_glueless.rpl b/lib/layer/test.integr/iter_limit_bad_glueless.rpl
index fdd728504..73d462735 100644
--- a/lib/layer/test.integr/iter_limit_bad_glueless.rpl
+++ b/lib/layer/test.integr/iter_limit_bad_glueless.rpl
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ; target-fetch-policy: "0 0 0 0 0"
 ; name: "."
diff --git a/lib/layer/test.integr/iter_limit_refuse.rpl b/lib/layer/test.integr/iter_limit_refuse.rpl
index 5641be34b..285b5afbf 100644
--- a/lib/layer/test.integr/iter_limit_refuse.rpl
+++ b/lib/layer/test.integr/iter_limit_refuse.rpl
@@ -1,3 +1,4 @@
+do-ip6: no
 ; config options
 ;server:
 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@@ -7,7 +8,7 @@ SCENARIO_BEGIN Outrageous number of auth servers return REFUSED. Simulates NXNSA
 ; K.ROOT-SERVERS.NET.
 RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
+ ADDRESS 193.0.14.129
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
diff --git a/lib/layer/test.integr/kresd_config.j2 b/lib/layer/test.integr/kresd_config.j2
index 7ae66b941..57db6e1bf 100644
--- a/lib/layer/test.integr/kresd_config.j2
+++ b/lib/layer/test.integr/kresd_config.j2
@@ -67,6 +67,18 @@ policy.add(policy.all(policy.DEBUG_ALWAYS))
 net = { '{{SELF_ADDR}}' }
+{% if DO_IP6 == "true" %}
+net.ipv6 = true
+{% else %}
+net.ipv6 = false
+{% endif %}
+
+{% if DO_IP4 == "true" %}
+net.ipv4 = true
+{% else %}
+net.ipv4 = false
+{% endif %}
+
 {% if QMIN == "false" %}
 option('NO_MINIMIZE', true)
diff --git a/lib/resolve.c b/lib/resolve.c
index 7824ac8f3..a3e3270f0 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -800,7 +800,6 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo
 qry->flags.RESOLVED = false;
 }
- /* For multiple errors in a row; invalidate_ns() is not enough. */
 if (!qry->flags.CACHED) {
 if (request->state & KR_STATE_FAIL) {
 if (++request->count_fail_row > KR_CONSUME_FAIL_ROW_LIMIT) {
diff --git a/lib/selection_iter.c b/lib/selection_iter.c
index 76ef959ac..9a3efc542 100644
--- a/lib/selection_iter.c
+++ b/lib/selection_iter.c
@@ -18,6 +18,7 @@ struct iter_local_state {
 trie_t *addresses;
 unsigned int generation; // Used to distinguish old and valid records in tries
 enum kr_selection_error last_error;
+ unsigned int no_ns_addr_count;
 };
 enum record_state {
@@ -255,6 +256,15 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
 }
 }
+ bool nxnsattack_mitigation = false;
+ enum kr_transport_protocol proto = *transport ? (*transport)->protocol : -1;
+ if (proto == KR_TRANSPORT_RESOLVE_A || proto == KR_TRANSPORT_RESOLVE_AAAA) {
+ if (++local_state->no_ns_addr_count > KR_COUNT_NO_NSADDR_LIMIT) {
+ *transport = NULL;
+ nxnsattack_mitigation = true;
+ }
+ }
+
 update_name_state(*transport, local_state->names);
 WITH_VERBOSE(qry) {
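Review bot: The new `{% else %}` branches render `net.ipv6 = false` / `net.ipv4 = false` whenever `DO_IP6` / `DO_IP4` is undefined, because an undefined Jinja2 variable compares unequal to `"true"`. If the test harness does not always define both variables (its defaults are not visible in this diff), every scenario that omits `do-ip6`/`do-ip4` silently loses that address family rather than keeping the resolver default. Comparing against the opt-out value instead, `{% if DO_IP6 != "false" %}` and `{% if DO_IP4 != "false" %}`, only disables a family when a scenario explicitly asks for it, which is what the three `do-ip6: no` additions in this commit rely on.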
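Review bot: `no_ns_addr_count` is added to `struct iter_local_state` without a comment while its neighbour `generation` has one; I'd add `unsigned int no_ns_addr_count; // A/AAAA lookups of NS addresses this query has triggered, capped by KR_COUNT_NO_NSADDR_LIMIT`. The field is only ever incremented in this commit, so it depends on the state being zero-initialised where it is allocated and on the state not outliving the query; neither is visible in this diff and both are worth confirming, since an unset counter would make the new limit trip at an arbitrary point.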
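Review bot: `proto` is initialised with `-1` when there is no transport, which is not a member of `enum kr_transport_protocol`; if the enum's underlying type is unsigned the value wraps, and `-Wconversion`/`-Wsign-conversion` builds will warn on the line. Testing the pointer explicitly avoids the sentinel, `if (*transport && (proto == KR_TRANSPORT_RESOLVE_A || proto == KR_TRANSPORT_RESOLVE_AAAA))`, with the no-transport value of `proto` documented as unused. The block also lacks a comment naming the limit it enforces; above the `bool` line I'd add `/* NXNSAttack (CVE-2020-12667) mitigation: each A/AAAA lookup of an NS address chosen for this query counts once against KR_COUNT_NO_NSADDR_LIMIT; past it no transport is offered. */`. Since A and AAAA each count once, a dual-stack delegation chain reaches the limit in roughly half as many NS names as a single-stack one, which is presumably why the tests in this commit set `do-ip6: no`; that trade-off belongs in the same comment. iter_choose_transport's body begins before this hunk.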
@@ -262,7 +272,6 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
 if (*transport) {
 KR_DNAME_GET_STR(ns_name, (*transport)->name);
 const char *ns_str = kr_straddr(&(*transport)->address.ip);
- enum kr_transport_protocol proto = (*transport)->protocol;
 if (proto != KR_TRANSPORT_RESOLVE_A && proto != KR_TRANSPORT_RESOLVE_AAAA) {
 VERBOSE_MSG(qry,
 "=> id: '%05u' choosing: '%s'@'%s' with timeout %u ms zone cut: '%s'%s\n",
@@ -275,8 +284,8 @@ void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport
 }
 } else {
 VERBOSE_MSG(qry,
- "=> id: '%05u' no suitable transport, zone cut: '%s'\n",
- qry->id, zonecut_str);
+ "=> id: '%05u' no suitable transport, zone cut: '%s'%s\n",
+ qry->id, zonecut_str, nxnsattack_mitigation ? " (stopped due to mitigation for NXNSAttack CVE-2020-12667)" : "");
 }
 }
 }
--
2.47.2
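Review bot: The only trace of the mitigation having fired is the suffix appended to this verbose-level log line, so with verbose logging off an operator cannot distinguish a query cut short by the NXNSAttack limit from one that simply ran out of usable nameservers. Consider also recording the event where the surrounding code already surfaces selection outcomes, for example a dedicated `kr_selection_error` value stored in `local_state->last_error` (the struct gains a counter in this commit but no error code for the limit), so the behaviour is observable in production and assertable by the integration tests. The `else` here belongs to the `if (*transport)` branch that starts in the previous hunk.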