From: Vladimír Čunát Date: Mon, 20 May 2024 10:14:41 +0000 (+0200) Subject: rrl: truncate only answers sent over pure UDP X-Git-Tag: v6.0.9~1^2~50 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-rrl-8r8r8r%2Fdeployments%2F4124;p=thirdparty%2Fknot-resolver.git rrl: truncate only answers sent over pure UDP
---
diff --git a/daemon/rrl/api.c b/daemon/rrl/api.c
index 367ebe87a..9ec25e370 100644
--- a/daemon/rrl/api.c
+++ b/daemon/rrl/api.c
@@ -183,7 +183,11 @@ bool kr_rrl_request_begin(struct kr_request *req)
 }
 if (!limited) return false;
- if (limited == 1) {
+ if (limited == 1) { // TC=1: return truncated reply to force source IP validation
+ // We only do this on pure UDP. (also TODO if cookies get implemented)
+ const bool ip_validated = req->qsource.flags.tcp || req->qsource.flags.tls;
+ if (ip_validated) return false;
+
 knot_pkt_t *answer = kr_request_ensure_answer(req);
 if (!answer) { // something bad; TODO: perhaps improve recovery from this
 kr_assert(false);
@@ -191,7 +195,8 @@ bool kr_rrl_request_begin(struct kr_request *req)
 }
 // at this point the packet should be pretty clear
- // TC=1.
+ // The TC=1 answer is not perfect, as the right RCODE might differ
+ // in some cases, but @vcunat thinks that NOERROR isn't really risky here.
 knot_wire_set_tc(answer->wire);
 knot_wire_clear_ad(answer->wire);
 req->state = KR_STATE_DONE;
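Review bot: The early `if (ip_validated) return false;` turns the `limited == 1` level into a no-op for TCP/TLS clients — they are not limited at all at that level, not merely spared the truncated reply — and nothing in the hunk says that this is the intent (limit level 1 exists only to defeat spoofed UDP sources). A one-line comment would make that explicit for the next maintainer, e.g. `// A validated source needs no TC round-trip, so level 1 does not limit it at all.` The decision is taken from `req->qsource.flags.tcp`/`.tls`; if this daemon accepts PROXYv2 (or any front end where the transport to the resolver differs from the original client's), confirm these flags describe the original client's transport, otherwise UDP clients behind a TCP proxy would bypass the truncation step and the spoofing protection it provides. The "(also TODO if cookies get implemented)" remark would read better as a concrete condition, e.g. `// TODO: treat a request carrying a valid DNS cookie as validated too.` The enclosing function `kr_rrl_request_begin` starts and ends outside the hunk.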
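Review bot: The new comment justifies leaving the RCODE untouched by attribution (`@vcunat thinks that NOERROR isn't really risky here`) rather than by a reason the next reader can check; state the argument instead, e.g. `// RCODE is left as NOERROR: a TC=1 reply only tells the client to retry over TCP/TLS, so the RCODE it carries should not be acted upon.` Whether every stub/forwarder you support really ignores the RCODE of a truncated reply is an assumption worth confirming before the comment asserts it. The truncated reply has only AD cleared (`knot_wire_clear_ad`); if `kr_request_ensure_answer` can return a packet with other header bits already set from an earlier stage, confirm that they are acceptable in a reply that carries no data. The enclosing function continues past the end of the hunk.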