25 June 2025: Yorgos
- Fix #1247: forward-first: ssl handshake failed on root nameservers.
+ - For #1247, turn off fetch-policy for delegation when looking into
+ parent side name servers that may not update the addresses and hit
+ NXNS limits.
20 June 2025: Yorgos
- Fix #1293: EDE 6 is attached to insecure cached answers when client
* Also true if the delegationpoint was created from a delegation
* message and thus contains the parent-side-info already. */
uint8_t has_parent_side_NS;
+ /** if true, the delegation point has reached last resort processing
+ * and the parent side information has been possibly added to the
+ * delegation point.
+ * For now this singals that further target lookups will ignore
+ * the configured target-fetch-policy and only resolve on
+ * demand to try and avoid triggering limits at this stage (.i.e, it
+ * is very likely that the A/AAAA queries for the newly added name
+ * servers will not yield new IP addresses and trigger NXNS
+ * countermeasures. */
+ uint8_t fallback_to_parent_side_NS;
/** for assertions on type of delegpt */
uint8_t dp_type_mlc;
/** use SSL for upstream query */
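Review bot: The doc comment added for `fallback_to_parent_side_NS` has a misspelling (`singals`), a malformed `(.i.e,` and a parenthesis that is never closed before `*/`, which obscures the one place where the NXNS trade-off is explained. Suggested wording for the second sentence: `For now this signals that further target lookups ignore the configured target-fetch-policy and resolve only on demand (i.e., the A/AAAA queries for the newly added name servers are unlikely to yield new IP addresses and would trigger NXNS countermeasures).` The page does not show delegpt.c; if the delegation-point copy routine copies `has_parent_side_NS` field by field, the new flag presumably needs the same treatment so that a copied delegpt does not silently re-enable the fetch policy, which is worth confirming. The struct continues outside the hunk.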
verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
+ iq->dp->fallback_to_parent_side_NS = 1;
if(qstate->env->cfg->harden_unverified_glue) {
if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
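Review bot: The assignment `iq->dp->fallback_to_parent_side_NS = 1;` carries no comment, and it runs before `cache_fill_missing`, so the flag records that last-resort processing was reached rather than that parent-side data was actually added. A short comment would make that explicit, e.g. `/* last resort reached: from here on resolve targets on demand only, so parent-side lookups do not run into the NXNS limits */`. Nothing in the visible lines clears the flag again, so it presumably stays set for the lifetime of this delegation point; if that is intended, it is worth stating in the same comment. The enclosing function starts and ends outside the hunk.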
}
/* if the mesh query list is full, then do not waste cpu and sockets to
* fetch promiscuous targets. They can be looked up when needed. */
- if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
+ if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
+ && !mesh_jostle_exceeded(qstate->env->mesh)) {
tf_policy = ie->target_fetch_policy[iq->depth];
}
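Review bot: The comment above the condition still gives only the mesh-query-list reason for skipping promiscuous target fetches, while the new first operand `!iq->dp->fallback_to_parent_side_NS` adds a second, unrelated reason. Extend it with something like `Likewise when the delegation point fell back to parent-side name servers: fetch targets on demand only, to stay under the NXNS limits.` With the flag set, `tf_policy` keeps whatever value it was given before this hunk (presumably 0, not visible here), so the on-demand behaviour depends on that initialisation. The enclosing function begins outside the hunk.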