From e2814fe1651825cd5c7f21032e27e4326111f8f4 Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Wed, 25 Jun 2025 13:59:17 +0200
Subject: [PATCH] - For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits.
---
 doc/Changelog | 3 +++
 iterator/iter_delegpt.h | 10 ++++++++++
 iterator/iterator.c | 4 +++-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index cd09dba64..5be77bedb 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,8 @@
 25 June 2025: Yorgos
 - Fix #1247: forward-first: ssl handshake failed on root nameservers.
+ - For #1247, turn off fetch-policy for delegation when looking into
+ parent side name servers that may not update the addresses and hit
+ NXNS limits.
 20 June 2025: Yorgos
 - Fix #1293: EDE 6 is attached to insecure cached answers when client
diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
index 49f6f6b81..0ae4cbabf 100644
--- a/iterator/iter_delegpt.h
+++ b/iterator/iter_delegpt.h
@@ -79,6 +79,16 @@ struct delegpt {
 * Also true if the delegationpoint was created from a delegation
 * message and thus contains the parent-side-info already. */
 uint8_t has_parent_side_NS;
+ /** if true, the delegation point has reached last resort processing
+ * and the parent side information has been possibly added to the
+ * delegation point.
+ * For now this singals that further target lookups will ignore
+ * the configured target-fetch-policy and only resolve on
+ * demand to try and avoid triggering limits at this stage (.i.e, it
+ * is very likely that the A/AAAA queries for the newly added name
+ * servers will not yield new IP addresses and trigger NXNS
+ * countermeasures. */
+ uint8_t fallback_to_parent_side_NS;
 /** for assertions on type of delegpt */
 uint8_t dp_type_mlc;
 /** use SSL for upstream query */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 267eac5b9..71e64655f 100644
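Review bot: The new doc comment on `fallback_to_parent_side_NS` has two typos and an unclosed parenthesis in the added lines: `singals` should read `signals`, and `(.i.e, it` should read `(i.e., it`, with the sentence closed as `... trigger NXNS countermeasures). */`. It would also help a maintainer to name the producer and consumer of the flag, e.g. `Set by processLastResort() in iterator.c; checked by processQueryTargets() before target_fetch_policy is applied.` Nothing in the comment says whether the flag is ever cleared; if it is meant to be sticky for the lifetime of the delegation point, say so. The struct `delegpt` definition continues outside the hunk.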
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
 return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
 }
+ iq->dp->fallback_to_parent_side_NS = 1;
 if(qstate->env->cfg->harden_unverified_glue) {
 if(!cache_fill_missing(qstate->env, iq->qchase.qclass, qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
@@ -2772,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 }
 /* if the mesh query list is full, then do not waste cpu and sockets to
 * fetch promiscuous targets. They can be looked up when needed. */
- if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
+ if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
+ && !mesh_jostle_exceeded(qstate->env->mesh)) {
 tf_policy = ie->target_fetch_policy[iq->depth];
 }
-- 2.47.2
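Review bot: `iq->dp->fallback_to_parent_side_NS = 1;` marks the delegation point in place, but the patch touches no code that clones or rebuilds a `struct delegpt`, so if `iq->dp` is later copied (the delegpt copy helper in iter_delegpt.c copies `has_parent_side_NS` field by field, if I recall correctly) or replaced from the cache, the fallback state is presumably lost and promiscuous target fetching resumes against the same name servers. Worth confirming that every path that clones a delegpt also carries this flag, or that `iq->dp` is known not to be replaced after last-resort processing. A one-line comment at the assignment would record the intent for the next reader: `/* from here on only resolve NS addresses on demand, see processQueryTargets */`. processLastResort begins before the hunk.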
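Review bot: The comment above the modified condition still says only that a full mesh list stops promiscuous fetching, while the new first clause also disables it whenever the delegation point fell back to parent-side NS; update it, e.g. `/* if the mesh query list is full, or the delegation point has fallen back to parent-side NS (last resort), do not waste cpu and sockets to fetch promiscuous targets. They can be looked up when needed. */`. Because `tf_policy` presumably keeps its default in that case, an operator debugging a stalled resolution sees no trace of why no target fetches were issued; an `else if(iq->dp->fallback_to_parent_side_NS && can_do_promisc) { verbose(VERB_ALGO, "fallback to parent side NS, ignoring target-fetch-policy"); }` branch would make the decision visible at algo verbosity. The `can_do_promisc` computation and the rest of processQueryTargets lie outside the hunk.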