From eda8eb639c42309cfb1ebd3690cce52f4e546c8e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sat, 25 May 2024 10:56:23 +0200
Subject: [PATCH] supply on-wire error code for NSEC3 iteration limit

https://www.rfc-editor.org/rfc/rfc9276.html#section-6

$ kdig rezervujstul.cz NULL
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 17221
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 27 (Unsupported NSEC3 Iterations Value): '5JBS'
[...]
---
 NEWS | 2 ++
 lib/layer/validate.c | 1 +
 lib/resolve.c | 1 +
 lib/resolve.h | 4 ++++
 4 files changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index dca743864..1c57aa750 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Knot Resolver 5.7.3 (2024-0m-dd)
 Improvements
 ------------
 - stats: add separate metrics for IPv6 and IPv4 (!1544)
+- supply on-wire error code for NSEC3 iteration limit (!1547)
+
 
 Knot Resolver 5.7.2 (2024-03-27)
 ================================
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index af20b2e45..660b9171b 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -141,6 +141,7 @@ do_downgrade: // we do this deep inside calls because of having signer name avai
 	qry->flags.DNSSEC_INSECURE = true;
 	rank_records(qry, true, KR_RANK_INSECURE, vctx->zone_name);
 	mark_insecure_parents(qry);
+	kr_request_set_extended_error(qry->request, KNOT_EDNS_EDE_NSEC3_ITERS, "5JBS");
 	return true;
 }
 
diff --git a/lib/resolve.c b/lib/resolve.c
index d8198c34b..cda1d684e 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -1687,6 +1687,7 @@ static int ede_priority(int info_code)
 	case KNOT_EDNS_EDE_NREACH_AUTH:
 	case KNOT_EDNS_EDE_NETWORK:
 	case KNOT_EDNS_EDE_INV_DATA:
+	case KNOT_EDNS_EDE_NSEC3_ITERS:
 		return 200; /* Assorted codes */
 	case KNOT_EDNS_EDE_OTHER:
 		return 100; /* Most generic catch-all error */
diff --git a/lib/resolve.h b/lib/resolve.h
index a2d5ec9db..28b719de8 100644
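Review bot: The added kr_request_set_extended_error() call in validate.c carries the opaque extra text `"5JBS"` with nothing explaining it; a one-line comment would save the next reader from guessing, e.g. `/* RFC 9276 §6: downgrading to insecure because the NSEC3 iteration count exceeds our limit; "5JBS" is the lookup code for the explanation in the docs (cf. "RRPF" in kr_query_inform_timeout) */` — the meaning of the code is inferred from the existing "RRPF" usage in resolve.h, so confirm before wording it that way. The do_downgrade label in the hunk header suggests this path is reached only for the NSEC3 iteration case; if any other condition jumps to it, EDE 27 would be reported for an unrelated insecure downgrade, which is worth verifying since the enclosing function begins outside the hunk. The int return of kr_request_set_extended_error is discarded here, matching how kr_query_inform_timeout already calls it, so that is consistent rather than a defect.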
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -410,6 +410,10 @@ knot_mm_t *kr_resolve_pool(struct kr_request *request);
 KR_EXPORT
 int kr_request_set_extended_error(struct kr_request *request, int info_code, const char *extra_text);
 
+#if KNOT_VERSION_HEX < 0x030200
+	enum { KNOT_EDNS_EDE_NSEC3_ITERS = 27 };
+#endif
+
 static inline void kr_query_inform_timeout(struct kr_request *req, const struct kr_query *qry)
 {
 	kr_request_set_extended_error(req, KNOT_EDNS_EDE_NREACH_AUTH, "RRPF");
-- 
2.47.2
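Review bot: The compatibility guard `#if KNOT_VERSION_HEX < 0x030200` treats an undefined KNOT_VERSION_HEX as 0, so if this header is ever preprocessed without libknot's version macro in scope the local enum is emitted even against a libknot that already declares KNOT_EDNS_EDE_NSEC3_ITERS, and the clash surfaces as a confusing redeclaration error rather than pointing at the missing include. Whether the macro is guaranteed to be in scope at this point of resolve.h cannot be seen from the hunk; if it is not, an explicit `#include <libknot/version.h>` above the guard, or a `#ifndef KNOT_VERSION_HEX` / `#error` pair, makes the intent checkable. A short comment on the block would also help, e.g. `/* libknot < 3.2 predates RFC 9276 and lacks the EDE 27 (Unsupported NSEC3 Iterations Value) constant */`. Since resolve.h is a public header, the fallback enumerator also becomes visible to every consumer built against an older libknot, which looks intended but is worth stating in that comment.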