Clear dns64_aaaaok immediately after use

The DNS64 state information stored in client->query.dns64_aaaaok
could cause an assertion failure in query_respond() if the server
was configured in such a way as to trigger a new recursion before
the query had been reset - for example, by using the filter-aaaa
plugin, which may need to recurse to find out whether an A record
exists.

This has been addressed by clearing DNS64 state information
immediately after the call to query_filter64().

diff --git a/bin/tests/system/filters/ns1/unsigned.db b/bin/tests/system/filters/ns1/unsigned.db
index 76312010718ac59957adc58c8babacd6f1ed57a6..02a6dfc34fd64ff6c6301de9fd8bc66f4e0a575c 100644 (file)
--- a/bin/tests/system/filters/ns1/unsigned.db
+++ b/bin/tests/system/filters/ns1/unsigned.db
@@ -12,3 +12,8 @@ dual          A       1.0.0.6
 dual           AAAA    2001:db8::6
 mx             A       1.0.0.3
 mx             AAAA    2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone     A       1.0.0.6
+excludeone     AAAA    ::1
+excludeone     AAAA    2001:db8::6

diff --git a/bin/tests/system/filters/ns4/unsigned.db b/bin/tests/system/filters/ns4/unsigned.db
index c83c1d2df90e3b6c6616c3342aff0e42ce7a245b..94f6299aa7c732ae028f83d959ca5dc4108749ce 100644 (file)
--- a/bin/tests/system/filters/ns4/unsigned.db
+++ b/bin/tests/system/filters/ns4/unsigned.db
@@ -12,3 +12,8 @@ dual          A       1.0.0.6
 dual           AAAA    2001:db8::6
 mx             A       1.0.0.3
 mx             AAAA    2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone     A       1.0.0.6
+excludeone     AAAA    ::1
+excludeone     AAAA    2001:db8::6

diff --git a/bin/tests/system/filters/ns5/named.conf.j2 b/bin/tests/system/filters/ns5/named.conf.j2
index 3ec78bd1a392f9f7e35ec8d8dbbd3de0f65f54cf..523e3aca446a5a4b1b0d41c10d02a9129b8353e7 100644 (file)
--- a/bin/tests/system/filters/ns5/named.conf.j2
+++ b/bin/tests/system/filters/ns5/named.conf.j2
@@ -10,9 +10,9 @@ options {
        dnssec-validation no;
        notify yes;
        dns64 64:ff9b::/96 {
-                           clients { any; };
-                           exclude { any; };
-                           mapped { any; };
+               clients { any; };
+               exclude { ::1/128; };
+               mapped { any; };
        };
        minimal-responses no;
 };

diff --git a/bin/tests/system/filters/tests_filter_dns64.py b/bin/tests/system/filters/tests_filter_dns64.py
index dfa71b76c1d3b93398ac4b60fc029a979d7b712e..2f5409ddfd312bea1d0cbf800fa849879b73768e 100644 (file)
--- a/bin/tests/system/filters/tests_filter_dns64.py
+++ b/bin/tests/system/filters/tests_filter_dns64.py
@@ -25,3 +25,7 @@ def test_filter_dns64():
     msg = isctest.query.create("aaaa-only.unsigned", "aaaa")
     res = isctest.query.tcp(msg, "10.53.0.5")
     isctest.check.noerror(res)
+
+    msg = isctest.query.create("excludeone.unsigned", "aaaa")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 7b1ed3a01581d091f4bbba7bcfd9fe18c628f5ca..fbb9e8213b485920dfb5d487471b359a8005bab4 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7940,6 +7940,10 @@ query_addanswer(query_ctx_t *qctx) {
        } else if (qctx->client->query.dns64_aaaaok != NULL) {
                query_filter64(qctx);
                ns_client_putrdataset(qctx->client, &qctx->rdataset);
+               isc_mem_cput(qctx->client->manager->mctx,
+                            qctx->client->query.dns64_aaaaok,
+                            qctx->client->query.dns64_aaaaoklen, sizeof(bool));
+               qctx->client->query.dns64_aaaaoklen = 0;
        } else {
                if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
                        query_prefetch(qctx->client, qctx->fname,