From 6d4335867538e9b2877934b543daf29ab9d833a7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 20 May 2024 12:14:41 +0200
Subject: [PATCH] rrl: truncate only answers sent over pure UDP

---
 daemon/rrl/api.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/daemon/rrl/api.c b/daemon/rrl/api.c
index 367ebe87a..9ec25e370 100644
--- a/daemon/rrl/api.c
+++ b/daemon/rrl/api.c
@@ -183,7 +183,11 @@ bool kr_rrl_request_begin(struct kr_request *req)
 }
 if (!limited) return false;
- if (limited == 1) {
+ if (limited == 1) { // TC=1: return truncated reply to force source IP validation
+ // We only do this on pure UDP. (also TODO if cookies get implemented)
+ const bool ip_validated = req->qsource.flags.tcp || req->qsource.flags.tls;
+ if (ip_validated) return false;
+
 knot_pkt_t *answer = kr_request_ensure_answer(req);
 if (!answer) { // something bad; TODO: perhaps improve recovery from this
 kr_assert(false);
@@ -191,7 +195,8 @@ bool kr_rrl_request_begin(struct kr_request *req)
 }
 // at this point the packet should be pretty clear
- // TC=1.
+ // The TC=1 answer is not perfect, as the right RCODE might differ
+ // in some cases, but @vcunat thinks that NOERROR isn't really risky here.
 knot_wire_set_tc(answer->wire);
 knot_wire_clear_ad(answer->wire);
 req->state = KR_STATE_DONE;
--
2.47.2
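Review bot: The new `if (ip_validated) return false;` makes a TCP/TLS client in the `limited == 1` tier get a full answer even though the limiter has already charged it, and the comment above it only says "We only do this on pure UDP" without stating that consequence or what happens to the other `limited` values, which are handled outside this hunk. I would make the reasoning explicit for the next maintainer: `// A TCP/TLS client has already proven its source address, so the TC=1 retry step buys nothing; answer normally here (other limited values are still handled on their own path, regardless of transport)` — the parenthetical only if that is what the rest of the function does. It is also worth confirming that every stream transport the daemon accepts (DoH in particular) sets `qsource.flags.tcp`, since a transport that sets neither flag falls through to the truncation path as if it were UDP. `kr_rrl_request_begin` starts before and continues after this hunk.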
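Review bot: The rewritten comment records who judged the NOERROR RCODE acceptable (`@vcunat thinks`) rather than why, which is what a maintainer revisiting this branch will need; the reason, as far as I can tell, is that a conforming client must discard a TC=1 response and retry over TCP (RFC 2181 section 9), so whatever RCODE the truncated reply carries is never acted on. I would replace the second line with `// in some cases, but a client must not use a TC=1 answer and retries over TCP (RFC 2181 §9), so NOERROR is harmless here.` Note that `knot_wire_set_tc` and `knot_wire_clear_ad` below leave any RCODE already present in `answer->wire` untouched, which is presumably the mismatch the comment alludes to. The function continues past the end of this hunk.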