From: W.C.A. Wijngaards Date: Mon, 15 Jun 2026 14:04:24 +0000 (+0200) Subject: - Fix that misconfigured `iter-scrub-ns: 0` causes request X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f5348ab476a1abda6b1d873ff773516bdc60ae7;p=thirdparty%2Funbound.git - Fix that misconfigured `iter-scrub-ns: 0` causes request failures. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
---
diff --git a/doc/Changelog b/doc/Changelog
index a64f8b66e..ac17fa191 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -14,6 +14,9 @@
 - Fix buffer overflow when configured with lower than default size and http transfer. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
+ - Fix that misconfigured `iter-scrub-ns: 0` causes request
+ failures. Thanks to Qifan Zhang, Palo Alto Networks,
+ for the report.
 12 June 2026: Wouter - Fix that for auth-zone and rpz zones the allow-notify
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 033bfd909..f2f20a5c1 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -408,6 +408,8 @@ shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count)
 struct rr_parse* rr = rrset->rr_first, *prev = NULL; if(!rr) return;
+ if(count < 1)
+ return; /* cannot leave a still-linked rrset_parse with rr_count == 0 */
 for(i=0; inext;
diff --git a/testdata/iter_scrub_ns_min.rpl b/testdata/iter_scrub_ns_min.rpl
new file mode 100644
index 000000000..0cf115bc7
--- /dev/null
+++ b/testdata/iter_scrub_ns_min.rpl
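Review bot: The new `if(count < 1) return;` in shorten_rrset leaves the RRset at its full size, so for any limit below 1 that still reaches this function the NS cap is silently not enforced rather than enforced at its tightest. Clamping would fail closed, `if(count < 1) count = 1; /* never unlink every RR; keep at least one */`, assuming the remainder of the function trims to `count` entries as the `iter-scrub-ns: 1` test suggests; if returning is intended, the comment should say that the RRset is passed through unshortened. The explanation currently trails the `return` and is easy to miss, so it would read better on its own line above the `if`. The function starts and ends outside the hunk and the trailing context (`for(i=0; inext;`) is cut off in this view, so the loop itself could not be checked.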
@@ -0,0 +1,197 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: yes
+ iter-scrub-promiscuous: yes
+ iter-scrub-ns: 1
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test resolution with minimum iter-scrub-ns
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 518400 IN NS i.root-servers.net.
+. 518400 IN NS b.root-servers.net.
+. 518400 IN NS d.root-servers.net.
+. 518400 IN NS f.root-servers.net.
+. 518400 IN NS e.root-servers.net.
+. 518400 IN NS j.root-servers.net.
+. 518400 IN NS m.root-servers.net.
+. 518400 IN NS h.root-servers.net.
+. 518400 IN NS k.root-servers.net.
+. 518400 IN NS c.root-servers.net.
+. 518400 IN NS a.root-servers.net.
+. 518400 IN NS l.root-servers.net.
+. 518400 IN NS g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net. 518400 IN AAAA 2001:dc3::35
+l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
+k.root-servers.net. 518400 IN AAAA 2001:7fd::1
+j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+h.root-servers.net. 518400 IN AAAA 2001:500:1::53
+g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
+f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
+e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
+d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
+c.root-servers.net. 518400 IN AAAA 2001:500:2::c
+b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
+a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
+m.root-servers.net. 518400 IN A 202.12.27.33
+l.root-servers.net. 518400 IN A 199.7.83.42
+k.root-servers.net. 518400 IN A 193.0.14.129
+j.root-servers.net. 518400 IN A 192.58.128.30
+i.root-servers.net. 518400 IN A 192.36.148.17
+h.root-servers.net. 518400 IN A 198.97.190.53
+g.root-servers.net. 518400 IN A 192.112.36.4
+f.root-servers.net. 518400 IN A 192.5.5.241
+e.root-servers.net. 518400 IN A 192.203.230.10
+d.root-servers.net. 518400 IN A 199.7.91.13
+c.root-servers.net. 518400 IN A 192.33.4.12
+b.root-servers.net. 518400 IN A 170.247.170.2
+a.root-servers.net. 518400 IN A 198.41.0.4
+ENTRY_END
+RANGE_END
+
+; I.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 192.36.148.17
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 518400 IN NS i.root-servers.net.
+. 518400 IN NS b.root-servers.net.
+. 518400 IN NS d.root-servers.net.
+. 518400 IN NS f.root-servers.net.
+. 518400 IN NS e.root-servers.net.
+. 518400 IN NS j.root-servers.net.
+. 518400 IN NS m.root-servers.net.
+. 518400 IN NS h.root-servers.net.
+. 518400 IN NS k.root-servers.net.
+. 518400 IN NS c.root-servers.net.
+. 518400 IN NS a.root-servers.net.
+. 518400 IN NS l.root-servers.net.
+. 518400 IN NS g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net. 518400 IN AAAA 2001:dc3::35
+l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
+k.root-servers.net. 518400 IN AAAA 2001:7fd::1
+j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+h.root-servers.net. 518400 IN AAAA 2001:500:1::53
+g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
+f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
+e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
+d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
+c.root-servers.net. 518400 IN AAAA 2001:500:2::c
+b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
+a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
+m.root-servers.net. 518400 IN A 202.12.27.33
+l.root-servers.net. 518400 IN A 199.7.83.42
+k.root-servers.net. 518400 IN A 193.0.14.129
+j.root-servers.net. 518400 IN A 192.58.128.30
+i.root-servers.net. 518400 IN A 192.36.148.17
+h.root-servers.net. 518400 IN A 198.97.190.53
+g.root-servers.net. 518400 IN A 192.112.36.4
+f.root-servers.net. 518400 IN A 192.5.5.241
+e.root-servers.net. 518400 IN A 192.203.230.10
+d.root-servers.net. 518400 IN A 199.7.91.13
+c.root-servers.net. 518400 IN A 192.33.4.12
+b.root-servers.net. 518400 IN A 170.247.170.2
+a.root-servers.net. 518400 IN A 198.41.0.4
+ENTRY_END
+RANGE_END
+
+; I.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 2001:7fe::53
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 518400 IN NS i.root-servers.net.
+. 518400 IN NS b.root-servers.net.
+. 518400 IN NS d.root-servers.net.
+. 518400 IN NS f.root-servers.net.
+. 518400 IN NS e.root-servers.net.
+. 518400 IN NS j.root-servers.net.
+. 518400 IN NS m.root-servers.net.
+. 518400 IN NS h.root-servers.net.
+. 518400 IN NS k.root-servers.net.
+. 518400 IN NS c.root-servers.net.
+. 518400 IN NS a.root-servers.net.
+. 518400 IN NS l.root-servers.net.
+. 518400 IN NS g.root-servers.net.
+SECTION ADDITIONAL
+m.root-servers.net. 518400 IN AAAA 2001:dc3::35
+l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
+k.root-servers.net. 518400 IN AAAA 2001:7fd::1
+j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+h.root-servers.net. 518400 IN AAAA 2001:500:1::53
+g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
+f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
+e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
+d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
+c.root-servers.net. 518400 IN AAAA 2001:500:2::c
+b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
+a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
+m.root-servers.net. 518400 IN A 202.12.27.33
+l.root-servers.net. 518400 IN A 199.7.83.42
+k.root-servers.net. 518400 IN A 193.0.14.129
+j.root-servers.net. 518400 IN A 192.58.128.30
+i.root-servers.net. 518400 IN A 192.36.148.17
+h.root-servers.net. 518400 IN A 198.97.190.53
+g.root-servers.net. 518400 IN A 192.112.36.4
+f.root-servers.net. 518400 IN A 192.5.5.241
+e.root-servers.net. 518400 IN A 192.203.230.10
+d.root-servers.net. 518400 IN A 199.7.91.13
+c.root-servers.net. 518400 IN A 192.33.4.12
+b.root-servers.net. 518400 IN A 170.247.170.2
+a.root-servers.net. 518400 IN A 198.41.0.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+. IN NS
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 518400 IN NS i.root-servers.net.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+i.root-servers.net. 518400 IN A 192.36.148.17
+ENTRY_END
+
+SCENARIO_END
diff --git a/util/config_file.c b/util/config_file.c
index edd12fb2e..e026047ab 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -776,7 +776,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_YNO("ede:", ede)
 else S_YNO("ede-serve-expired:", ede_serve_expired)
 else S_YNO("dns-error-reporting:", dns_error_reporting)
- else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)
+ else S_NUMBER_NONZERO("iter-scrub-ns:", iter_scrub_ns)
 else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname)
 else S_NUMBER_OR_ZERO("iter-scrub-rrsig:", iter_scrub_rrsig)
 else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous)
diff --git a/util/configparser.y b/util/configparser.y
index 64a4e589d..71cb56ba9 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -4265,8 +4265,8 @@ server_cookie_secret_file: VAR_COOKIE_SECRET_FILE STRING_ARG
 server_iter_scrub_ns: VAR_ITER_SCRUB_NS STRING_ARG
 {
 OUTYY(("P(server_iter_scrub_ns:%s)\n", $2));
- if(atoi($2) == 0 && strcmp($2, "0") != 0)
- yyerror("number expected");
+ if(atoi($2) < 1)
+ yyerror("number >= 1 expected");
 else cfg_parser->cfg->iter_scrub_ns = atoi($2);
 free($2);
 }
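Review bot: `S_NUMBER_NONZERO` is defined outside this hunk, and if it rejects only the value zero, as its name suggests, a negative `iter-scrub-ns` set through config_set_option is still stored, while util/configparser.y in the same commit rejects everything below 1. The two entry points should apply the same bound, either by giving this option an explicit below-1 rejection here or by confirming that the macro already refuses negative numbers. The neighbouring `iter-scrub-cname:` and `iter-scrub-rrsig:` lines keep `S_NUMBER_OR_ZERO`; whether a zero limit is handled safely for those is not visible here and is worth checking against the same failure mode. config_set_option continues outside the hunk.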
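Review bot: `atoi($2)` in the new check accepts trailing garbage and has undefined results for out-of-range input, so a value such as `3x` is stored as 3 and a very large number is not reliably rejected; it is also evaluated twice. Parsing once with an end pointer closes that: `char* e; long v = strtol($2, &e, 10);` then `if(*e != 0 || v < 1 || v > INT_MAX) yyerror("number >= 1 expected");` and `else cfg_parser->cfg->iter_scrub_ns = (int)v;`. Checking `errno == ERANGE` as well covers platforms where long is 32 bits. This assumes `<limits.h>` is reachable from the grammar file, which the hunk does not show, and the rest of the grammar is outside the hunk.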