lib/rules: when forwarding, avoid resolving NS's name

With "authoritative forwarding" it could happen that NS selection decided to resolve the virtual ns.invalid name of the NS to get either A or AAAA (if either was missing in the forwarding rule).
CZ-NIC · Aug 3, 2023 · 87e3613 · 87e3613
1 parent c123ea3
commit 87e3613
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 0 deletions.
diff --git a/lib/rules/forward.c b/lib/rules/forward.c
@@ -97,6 +97,7 @@ int kr_rule_data_src_check(struct kr_query *qry, struct knot_pkt *pkt)
 			labels > qry->data_src.rule_depth;
 			--labels, apex = knot_wire_next_label(apex, NULL));
 		kr_zonecut_set(&qry->zone_cut, apex);
+		qry->zone_cut.avoid_resolving = true;
 		knot_db_val_t targets = qry->data_src.targets_ptr;
 		kr_assert(targets.len > 0);
 		while (targets.len > 0) {

diff --git a/lib/selection_iter.c b/lib/selection_iter.c
@@ -162,6 +162,9 @@ static int get_resolvable_names(struct iter_local_state *local_state,
 	if (qry->sname[0] == '\0' && qry->stype == KNOT_RRTYPE_DNSKEY) {
 		return 0;
 	}
+	if (qry->zone_cut.avoid_resolving) {
+		return 0;
+	}
 
 	unsigned count = 0;
 	trie_it_t *it;

diff --git a/lib/zonecut.h b/lib/zonecut.h
@@ -23,6 +23,7 @@ struct kr_zonecut {
 	struct kr_zonecut *parent; /**< Parent zone cut. */
 	trie_t *nsset;        /**< Map of nameserver => address_set (pack_t). */
 	knot_mm_t *pool;     /**< Memory pool. */
+	bool avoid_resolving; /**< Avoid resolving the NS names. */
 };
 
 /**