Merge branch 'master' into 6.0

a31c0b5a · Vladimír Čunát · dffefd0d · 417c98b2 · a31c0b5a · a31c0b5a
Verified Commit a31c0b5a authored 1 year ago by Vladimír Čunát
--- a/.github/workflows/macOS.yaml
+++ b/.github/workflows/macOS.yaml
@@ -8,7 +8,7 @@ jobs:
    runs-on: macOS-latest
    strategy:
      matrix:
-        knot-version: ['3.1', '3.2']
+        knot-version: ['3.2', '3.3']

    steps:
      - name: Checkout resolver code

--- a/NEWS
+++ b/NEWS
@@ -9,16 +9,27 @@ You will have to rewrite your configuration.  See documentation, in particular:
 https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html


+
+
+Knot Resolver 5.x.y (202y-mm-dd)
+================================
+
+Bugfixes
+--------
+- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
+
+
 Knot Resolver 5.7.0 (2023-08-22)
 ================================

 Security
 --------
- avoid excessive TCP reconnections in a few more cases (!NNNN)
+- avoid excessive TCP reconnections in a few more cases (!1448)
  Like before, the remote server had to behave nonsensically in order
  to inflict this upon itself, but it might be abusable for DoS.

  We thank Ivan Jedek from OryxLabs for reporting this.
+  CVE-2023-46317 got later assigned to this issue.

 Improvements
 ------------

--- a/ci/gh_actions.py
+++ b/ci/gh_actions.py
@@ -30,10 +30,11 @@ while time.time() < end_time:
    elif response.status_code == 200:
        data = json.loads(response.content.decode('utf-8'))
        try:
-            run = data['workflow_runs'][0]
-            conclusion = run['conclusion']
-            html_url = run['html_url']
-            commit_sha = run['head_sha']
+            for i in range(0, 1): # two runs ATM
+                run = data['workflow_runs'][i]
+                conclusion = run['conclusion']
+                html_url = run['html_url']
+                commit_sha = run['head_sha']
        except (KeyError, IndexError):
            time.sleep(POLL_DELAY)
            continue

--- a/lib/zonecut.c
+++ b/lib/zonecut.c
@@ -19,8 +19,7 @@
 /** Information for one NS name + address type. */
 typedef enum {
 	AI_UNINITED = 0,
-	AI_REPUT,	/**< Don't use this addrset, due to: cache_rep, NO_IPV6, ...
-			 * cache_rep approximates various problems when fetching the RRset. */
+	AI_DISABLED,	/**< Can't use this addrset. */
 	AI_CYCLED,	/**< Skipped due to cycle detection; see implementation for details. */
 	AI_LAST_BAD = AI_CYCLED, /** bad states: <= AI_LAST_BAD */
 	AI_UNKNOWN,	/**< Don't know status of this RRset; various reasons. */
@@ -289,9 +288,13 @@ static addrset_info_t fetch_addr(pack_t *addrs, const knot_dname_t *ns, uint16_t
 	int rdlen;
 	switch (rrtype) {
 	case KNOT_RRTYPE_A:
+		if (qry->flags.NO_IPV4)
+			return AI_DISABLED;
 		rdlen = 4;
 		break;
 	case KNOT_RRTYPE_AAAA:
+		if (qry->flags.NO_IPV6 || no6_is_bad())
+			return AI_DISABLED;
 		rdlen = 16;
 		break;
 	default: