to Qifan Zhang, Palo Alto Networks, for the report.
- Fix for autotrust state-file line overflow, that can give
hold-down bypass. Thanks to Qifan Zhang, Palo Alto Networks,
for the report.
+ - Fix to limit the DSNS per-label walk in the iterator. Thanks
+ to Qifan Zhang, Palo Alto Networks, for the report.
26 May 2026: Wouter
- Fix for mesh new client and mesh new callback to rollback the
/* go up one (more) step, until we hit the dp, if so, end */
dname_remove_label(&iq->dsns_point, &iq->dsns_point_len);
+ if(++iq->dsns_count > MAX_DSNS_FIND_COUNT) {
+ verbose(VERB_QUERY, "DS NS search exceeded %d labels",
+ MAX_DSNS_FIND_COUNT);
+ errinf(qstate, "DS NS search exceeded label limit");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
if(query_dname_compare(iq->dsns_point, iq->dp->name) == 0) {
/* there was no inbetween nameserver, use the old delegation
* point again. And this time, because dsns_point is nonNULL
#define RTT_BAND 400
/** Number of retries for empty nodata packets before it is accepted. */
#define EMPTY_NODATA_RETRY_COUNT 2
+/** max label-strip iterations in DSNS_FIND_STATE (RFC 4035 4.2 parent-NS
+ * search) before giving up; bounds upstream NS sends per client DS.
+ * Means the max number of labels in grandchild to the grandparent zone that
+ * are co-hosted. */
+#define MAX_DSNS_FIND_COUNT 20
/**
* Iterator global state for nat64.
uint8_t* dsns_point;
/** length of the dname in dsns_point */
size_t dsns_point_len;
+ /** number of label-strip iterations performed in DSNS_FIND_STATE */
+ int dsns_count;
/**
* expected dnssec information for this iteration step.
projects / thirdparty / unbound.git / commitdiff
