- Fix that misconfigured `iter-scrub-ns: 0` causes request

  failures. Thanks to Qifan Zhang, Palo Alto Networks,
  for the report.

diff --git a/doc/Changelog b/doc/Changelog
index a64f8b66e1a4f9cc2921bf07aeede469aa038a89..ac17fa191ef21b2d8a2671ea6ebcf99f5fb155da 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -14,6 +14,9 @@
        - Fix buffer overflow when configured with lower than
          default size and http transfer. Thanks to Qifan Zhang,
          Palo Alto Networks, for the report.
+       - Fix that misconfigured `iter-scrub-ns: 0` causes request
+         failures. Thanks to Qifan Zhang, Palo Alto Networks,
+         for the report.
 
 12 June 2026: Wouter
        - Fix that for auth-zone and rpz zones the allow-notify

diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 033bfd9093556fbe027b628b495b4b5bf8ed4c41..f2f20a5c1ad309585d31ba54772ba1f3ab4d69ba 100644 (file)
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -408,6 +408,8 @@ shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count)
        struct rr_parse* rr = rrset->rr_first, *prev = NULL;
        if(!rr)
                return;
+       if(count < 1)
+               return; /* cannot leave a still-linked rrset_parse with rr_count == 0 */
        for(i=0; i<count; i++) {
                prev = rr;
                rr = rr->next;

diff --git a/testdata/iter_scrub_ns_min.rpl b/testdata/iter_scrub_ns_min.rpl
new file mode 100644 (file)
index 0000000..0cf115b
--- /dev/null
+++ b/testdata/iter_scrub_ns_min.rpl
@@ -0,0 +1,197 @@
+; config options
+server:
+       target-fetch-policy: "0 0 0 0 0"
+       qname-minimisation: no
+       minimal-responses: yes
+       iter-scrub-promiscuous: yes
+       iter-scrub-ns: 1
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test resolution with minimum iter-scrub-ns
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+.                      518400  IN      NS      i.root-servers.net.
+.                      518400  IN      NS      b.root-servers.net.
+.                      518400  IN      NS      d.root-servers.net.
+.                      518400  IN      NS      f.root-servers.net.
+.                      518400  IN      NS      e.root-servers.net.
+.                      518400  IN      NS      j.root-servers.net.
+.                      518400  IN      NS      m.root-servers.net.
+.                      518400  IN      NS      h.root-servers.net.
+.                      518400  IN      NS      k.root-servers.net.
+.                      518400  IN      NS      c.root-servers.net.
+.                      518400  IN      NS      a.root-servers.net.
+.                      518400  IN      NS      l.root-servers.net.
+.                      518400  IN      NS      g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net.    518400  IN      AAAA    2001:dc3::35
+l.root-servers.net.    518400  IN      AAAA    2001:500:9f::42
+k.root-servers.net.    518400  IN      AAAA    2001:7fd::1
+j.root-servers.net.    518400  IN      AAAA    2001:503:c27::2:30
+i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
+h.root-servers.net.    518400  IN      AAAA    2001:500:1::53
+g.root-servers.net.    518400  IN      AAAA    2001:500:12::d0d
+f.root-servers.net.    518400  IN      AAAA    2001:500:2f::f
+e.root-servers.net.    518400  IN      AAAA    2001:500:a8::e
+d.root-servers.net.    518400  IN      AAAA    2001:500:2d::d
+c.root-servers.net.    518400  IN      AAAA    2001:500:2::c
+b.root-servers.net.    518400  IN      AAAA    2801:1b8:10::b
+a.root-servers.net.    518400  IN      AAAA    2001:503:ba3e::2:30
+m.root-servers.net.    518400  IN      A       202.12.27.33
+l.root-servers.net.    518400  IN      A       199.7.83.42
+k.root-servers.net.    518400  IN      A       193.0.14.129
+j.root-servers.net.    518400  IN      A       192.58.128.30
+i.root-servers.net.    518400  IN      A       192.36.148.17
+h.root-servers.net.    518400  IN      A       198.97.190.53
+g.root-servers.net.    518400  IN      A       192.112.36.4
+f.root-servers.net.    518400  IN      A       192.5.5.241
+e.root-servers.net.    518400  IN      A       192.203.230.10
+d.root-servers.net.    518400  IN      A       199.7.91.13
+c.root-servers.net.    518400  IN      A       192.33.4.12
+b.root-servers.net.    518400  IN      A       170.247.170.2
+a.root-servers.net.    518400  IN      A       198.41.0.4
+ENTRY_END
+RANGE_END
+
+; I.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 192.36.148.17
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+.                      518400  IN      NS      i.root-servers.net.
+.                      518400  IN      NS      b.root-servers.net.
+.                      518400  IN      NS      d.root-servers.net.
+.                      518400  IN      NS      f.root-servers.net.
+.                      518400  IN      NS      e.root-servers.net.
+.                      518400  IN      NS      j.root-servers.net.
+.                      518400  IN      NS      m.root-servers.net.
+.                      518400  IN      NS      h.root-servers.net.
+.                      518400  IN      NS      k.root-servers.net.
+.                      518400  IN      NS      c.root-servers.net.
+.                      518400  IN      NS      a.root-servers.net.
+.                      518400  IN      NS      l.root-servers.net.
+.                      518400  IN      NS      g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net.    518400  IN      AAAA    2001:dc3::35
+l.root-servers.net.    518400  IN      AAAA    2001:500:9f::42
+k.root-servers.net.    518400  IN      AAAA    2001:7fd::1
+j.root-servers.net.    518400  IN      AAAA    2001:503:c27::2:30
+i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
+h.root-servers.net.    518400  IN      AAAA    2001:500:1::53
+g.root-servers.net.    518400  IN      AAAA    2001:500:12::d0d
+f.root-servers.net.    518400  IN      AAAA    2001:500:2f::f
+e.root-servers.net.    518400  IN      AAAA    2001:500:a8::e
+d.root-servers.net.    518400  IN      AAAA    2001:500:2d::d
+c.root-servers.net.    518400  IN      AAAA    2001:500:2::c
+b.root-servers.net.    518400  IN      AAAA    2801:1b8:10::b
+a.root-servers.net.    518400  IN      AAAA    2001:503:ba3e::2:30
+m.root-servers.net.    518400  IN      A       202.12.27.33
+l.root-servers.net.    518400  IN      A       199.7.83.42
+k.root-servers.net.    518400  IN      A       193.0.14.129
+j.root-servers.net.    518400  IN      A       192.58.128.30
+i.root-servers.net.    518400  IN      A       192.36.148.17
+h.root-servers.net.    518400  IN      A       198.97.190.53
+g.root-servers.net.    518400  IN      A       192.112.36.4
+f.root-servers.net.    518400  IN      A       192.5.5.241
+e.root-servers.net.    518400  IN      A       192.203.230.10
+d.root-servers.net.    518400  IN      A       199.7.91.13
+c.root-servers.net.    518400  IN      A       192.33.4.12
+b.root-servers.net.    518400  IN      A       170.247.170.2
+a.root-servers.net.    518400  IN      A       198.41.0.4
+ENTRY_END
+RANGE_END
+
+; I.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 2001:7fe::53
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+.                      518400  IN      NS      i.root-servers.net.
+.                      518400  IN      NS      b.root-servers.net.
+.                      518400  IN      NS      d.root-servers.net.
+.                      518400  IN      NS      f.root-servers.net.
+.                      518400  IN      NS      e.root-servers.net.
+.                      518400  IN      NS      j.root-servers.net.
+.                      518400  IN      NS      m.root-servers.net.
+.                      518400  IN      NS      h.root-servers.net.
+.                      518400  IN      NS      k.root-servers.net.
+.                      518400  IN      NS      c.root-servers.net.
+.                      518400  IN      NS      a.root-servers.net.
+.                      518400  IN      NS      l.root-servers.net.
+.                      518400  IN      NS      g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net.    518400  IN      AAAA    2001:dc3::35
+l.root-servers.net.    518400  IN      AAAA    2001:500:9f::42
+k.root-servers.net.    518400  IN      AAAA    2001:7fd::1
+j.root-servers.net.    518400  IN      AAAA    2001:503:c27::2:30
+i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
+h.root-servers.net.    518400  IN      AAAA    2001:500:1::53
+g.root-servers.net.    518400  IN      AAAA    2001:500:12::d0d
+f.root-servers.net.    518400  IN      AAAA    2001:500:2f::f
+e.root-servers.net.    518400  IN      AAAA    2001:500:a8::e
+d.root-servers.net.    518400  IN      AAAA    2001:500:2d::d
+c.root-servers.net.    518400  IN      AAAA    2001:500:2::c
+b.root-servers.net.    518400  IN      AAAA    2801:1b8:10::b
+a.root-servers.net.    518400  IN      AAAA    2001:503:ba3e::2:30
+m.root-servers.net.    518400  IN      A       202.12.27.33
+l.root-servers.net.    518400  IN      A       199.7.83.42
+k.root-servers.net.    518400  IN      A       193.0.14.129
+j.root-servers.net.    518400  IN      A       192.58.128.30
+i.root-servers.net.    518400  IN      A       192.36.148.17
+h.root-servers.net.    518400  IN      A       198.97.190.53
+g.root-servers.net.    518400  IN      A       192.112.36.4
+f.root-servers.net.    518400  IN      A       192.5.5.241
+e.root-servers.net.    518400  IN      A       192.203.230.10
+d.root-servers.net.    518400  IN      A       199.7.91.13
+c.root-servers.net.    518400  IN      A       192.33.4.12
+b.root-servers.net.    518400  IN      A       170.247.170.2
+a.root-servers.net.    518400  IN      A       198.41.0.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+. IN NS
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+.                      518400  IN      NS      i.root-servers.net.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
+i.root-servers.net.    518400  IN      A       192.36.148.17
+ENTRY_END
+
+SCENARIO_END

diff --git a/util/config_file.c b/util/config_file.c
index edd12fb2e6ab59f2aeb33ff2d317d981b1307a3f..e026047ab317090ea34dac68c9cc4385db858bc2 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -776,7 +776,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_YNO("ede:", ede)
        else S_YNO("ede-serve-expired:", ede_serve_expired)
        else S_YNO("dns-error-reporting:", dns_error_reporting)
-       else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)
+       else S_NUMBER_NONZERO("iter-scrub-ns:", iter_scrub_ns)
        else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname)
        else S_NUMBER_OR_ZERO("iter-scrub-rrsig:", iter_scrub_rrsig)
        else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous)

diff --git a/util/configparser.y b/util/configparser.y
index 64a4e589d23adc9d4b24548d13f4ae33cbee3e94..71cb56ba9c4fbe6882e1b55396d4f4bc63b1587b 100644 (file)
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -4265,8 +4265,8 @@ server_cookie_secret_file: VAR_COOKIE_SECRET_FILE STRING_ARG
 server_iter_scrub_ns: VAR_ITER_SCRUB_NS STRING_ARG
        {
                OUTYY(("P(server_iter_scrub_ns:%s)\n", $2));
-               if(atoi($2) == 0 && strcmp($2, "0") != 0)
-                       yyerror("number expected");
+               if(atoi($2) < 1)
+                       yyerror("number >= 1 expected");
                else cfg_parser->cfg->iter_scrub_ns = atoi($2);
                free($2);
        }