Diffstat (limited to 'contrib/unbound/iterator/iterator.h')
-rw-r--r--contrib/unbound/iterator/iterator.h99
1 files changed, 82 insertions, 17 deletions
diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h
index 8b840528d9d9..ae4b4e45170a 100644
--- a/contrib/unbound/iterator/iterator.h
+++ b/contrib/unbound/iterator/iterator.h
@@ -46,8 +46,6 @@
#include "util/data/msgreply.h"
#include "util/module.h"
struct delegpt;
-struct iter_hints;
-struct iter_forwards;
struct iter_donotq;
struct iter_prep_list;
struct iter_priv;
@@ -55,17 +53,19 @@ struct rbtree_type;
/** max number of targets spawned for a query and its subqueries */
#define MAX_TARGET_COUNT 64
+/** max number of upstream queries for a query and its subqueries, it is
+ * never reset. */
+extern int MAX_GLOBAL_QUOTA;
/** max number of target lookups per qstate, per delegation point */
#define MAX_DP_TARGET_COUNT 16
/** max number of nxdomains allowed for target lookups for a query and
* its subqueries */
#define MAX_TARGET_NX 5
-/** max number of query restarts. Determines max number of CNAME chain. */
-#define MAX_RESTART_COUNT 11
+/** max number of nxdomains allowed for target lookups for a query and
+ * its subqueries when fallback has kicked in */
+#define MAX_TARGET_NX_FALLBACK (MAX_TARGET_NX*2)
/** max number of referrals. Makes sure resolver does not run away */
#define MAX_REFERRAL_COUNT 130
-/** max number of queries-sent-out. Make sure large NS set does not loop */
-#define MAX_SENT_COUNT 32
/** max number of queries for which to perform dnsseclameness detection,
* (rrsigs missing detection) after that, just pick up that response */
#define DNSSEC_LAME_DETECT_COUNT 4
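Review bot: The doc comment on `MAX_GLOBAL_QUOTA` says "it is never reset", which reads as if the limit itself never changes, while the declaration is a writable `extern int`; what is never reset is presumably the per-request counter compared against it. Suggest `/** max number of upstream queries for a client request and its subqueries; the counter checked against this limit is never reset during the request. */`. Because this value bounds how many upstream queries a single client request can trigger, the comment should also say where it is assigned and what range is accepted. How a zero or negative value behaves depends on the comparison, which is not visible in this hunk.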
@@ -91,18 +91,39 @@ struct rbtree_type;
extern int UNKNOWN_SERVER_NICENESS;
/** maximum timeout before a host is deemed unsuitable, in msec.
* After host_ttl this will be timed out and the host will be tried again.
- * Equals RTT_MAX_TIMEOUT
- */
-#define USEFUL_SERVER_TOP_TIMEOUT 120000
+ * Equals RTT_MAX_TIMEOUT, and thus when RTT_MAX_TIMEOUT is overwritten by
+ * config infra_cache_max_rtt, it will be overwritten as well. */
+extern int USEFUL_SERVER_TOP_TIMEOUT;
+/** penalty to validation failed blacklisted IPs
+ * Equals USEFUL_SERVER_TOP_TIMEOUT*4, and thus when RTT_MAX_TIMEOUT is
+ * overwritten by config infra_cache_max_rtt, it will be overwritten as well. */
+extern int BLACKLIST_PENALTY;
/** RTT band, within this amount from the best, servers are chosen randomly.
* Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a
* fast server, this causes server exploration as a side benefit. msec. */
#define RTT_BAND 400
-/** Start value for blacklisting a host, 2*USEFUL_SERVER_TOP_TIMEOUT in sec */
-#define INFRA_BACKOFF_INITIAL 240
+/** Number of retries for empty nodata packets before it is accepted. */
+#define EMPTY_NODATA_RETRY_COUNT 2
+
+/**
+ * Iterator global state for nat64.
+ */
+struct iter_nat64 {
+ /** A flag to locally apply NAT64 to make IPv4 addrs into IPv6 */
+ int use_nat64;
+
+ /** NAT64 prefix address, cf. dns64_env->prefix_addr */
+ struct sockaddr_storage nat64_prefix_addr;
+
+ /** sizeof(sockaddr_in6) */
+ socklen_t nat64_prefix_addrlen;
+
+ /** CIDR mask length of NAT64 prefix */
+ int nat64_prefix_net;
+};
/**
- * Global state for the iterator.
+ * Global state for the iterator.
*/
struct iter_env {
/** A flag to indicate whether or not we have an IPv6 route */
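Review bot: `BLACKLIST_PENALTY` is documented as `USEFUL_SERVER_TOP_TIMEOUT*4`, and both are now plain `int` values that follow the configured infra_cache_max_rtt, so the multiplication can overflow a signed int for large settings unless the config code bounds the input. That assignment is outside this hunk and should be confirmed. The two comments should name the place that updates these globals, so the derived values cannot drift from RTT_MAX_TIMEOUT. In `struct iter_nat64`, the comment on `nat64_prefix_addrlen` gives a value rather than a meaning; `/** length of nat64_prefix_addr, sizeof(sockaddr_in6) when set */` is clearer, and `nat64_prefix_net` should state its valid range. struct iter_env continues past the end of this hunk.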
@@ -111,6 +132,9 @@ struct iter_env {
/** A flag to indicate whether or not we have an IPv4 route */
int supports_ipv4;
+ /** State for nat64 */
+ struct iter_nat64 nat64;
+
/** A set of inetaddrs that should never be queried. */
struct iter_donotq* donotq;
@@ -140,6 +164,12 @@ struct iter_env {
/** number of retries on outgoing queries */
int outbound_msg_retry;
+
+ /** number of queries_sent */
+ int max_sent_count;
+
+ /** max number of query restarts to limit length of CNAME chain */
+ int max_query_restarts;
};
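Review bot: The comment `/** number of queries_sent */` on `max_sent_count` describes a counter, but the field is a cap that replaces the removed `MAX_SENT_COUNT` macro, whose comment explained that it keeps a large NS set from looping. Suggest `/** max number of queries sent out per query, so that a large NS set does not loop */`. Both `max_sent_count` and `max_query_restarts` turn compile-time bounds into runtime values, so the code that fills them in (not in this hunk) should reject non-positive values. struct iter_env starts before this hunk.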
/**
@@ -218,6 +248,24 @@ enum iter_state {
};
/**
+ * Shared counters for queries.
+ */
+enum target_count_variables {
+ /** Reference count for the shared iter_qstate->target_count. */
+ TARGET_COUNT_REF = 0,
+ /** Number of target queries spawned for the query and subqueries. */
+ TARGET_COUNT_QUERIES,
+ /** Number of nxdomain responses encountered. */
+ TARGET_COUNT_NX,
+ /** Global quota on number of queries to upstream servers per
+ * client request, that is never reset. */
+ TARGET_COUNT_GLOBAL_QUOTA,
+
+ /** This should stay last here, it is used for the allocation */
+ TARGET_COUNT_MAX,
+};
+
+/**
* Per query state for the iterator module.
*/
struct iter_qstate {
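Review bot: Adding `TARGET_COUNT_GLOBAL_QUOTA` grows the shared `target_count` array from the three slots described in the old comment to four. Any allocation, copy or zeroing that still uses a literal size of 3 would then be written out of bounds through the new index. Those sites are outside this hunk and should all be sized with `TARGET_COUNT_MAX`. The comment on `TARGET_COUNT_MAX` could say so directly, e.g. `/** number of counters; size the target_count array with this, keep it last */`. struct iter_qstate continues beyond the hunk.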
@@ -304,21 +352,26 @@ struct iter_qstate {
/** the number of times this query has been restarted. */
int query_restart_count;
- /** the number of times this query as followed a referral. */
+ /** the number of times this query has followed a referral. */
int referral_count;
/** number of queries fired off */
int sent_count;
- /** number of target queries spawned in [1], for this query and its
- * subqueries, the malloced-array is shared, [0] refcount.
- * in [2] the number of nxdomains is counted. */
+ /** malloced-array shared with this query and its subqueries. It keeps
+ * track of the defined enum target_count_variables counters. */
int* target_count;
/** number of target lookups per delegation point. Reset to 0 after
* receiving referral answer. Not shared with subqueries. */
int dp_target_count;
+ /** Delegation point that triggered the NXNS fallback; shared with
+ * this query and its subqueries, count-referenced by the reference
+ * counter in target_count.
+ * This also marks the fallback activation. */
+ uint8_t** nxns_dp;
+
/** if true, already tested for ratelimiting and passed the test */
int ratelimit_ok;
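Review bot: The comment on `nxns_dp` does not say who allocates and frees the `uint8_t**`, nor what "marks the fallback activation" means: the outer pointer being non-NULL, or the name it points to. Its lifetime is tied to the reference count kept in `target_count`, so the release has to happen where that count drops to zero; otherwise a subquery can be left holding a dangling pointer. That code is outside this hunk. Suggest adding a sentence such as `Allocated and freed together with target_count; *nxns_dp is NULL until the fallback is activated.` once the actual convention is confirmed.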
@@ -376,6 +429,11 @@ struct iter_qstate {
*/
int refetch_glue;
+ /**
+ * This flag detects that a completely empty nodata was received,
+ * already so that it is accepted later. */
+ int empty_nodata_found;
+
/** list of pending queries to authoritative servers. */
struct outbound_list outlist;
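Review bot: The comment on `empty_nodata_found` is hard to parse ("was received, already so that it is accepted later"). Suggest `/** Set when a completely empty nodata reply has already been received, so that a later one is accepted. */`. If `EMPTY_NODATA_RETRY_COUNT` is the limit this flag works with, name it in the comment; the relation is not visible in this hunk.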
@@ -412,7 +470,14 @@ struct iter_qstate {
/** true if there have been parse failures of reply packets */
int parse_failures;
/** a failure printout address for last received answer */
- struct comm_reply* fail_reply;
+ union {
+ struct in_addr in;
+#ifdef AF_INET6
+ struct in6_addr in6;
+#endif
+ } fail_addr;
+ /** which fail_addr, 0 is nothing, 4 or 6 */
+ int fail_addr_type;
};
/**
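Review bot: The `#ifdef AF_INET6` inside the `fail_addr` union makes the size of the union, and with it the offset of `fail_addr_type`, depend on what was included before this header. If any translation unit can see `struct in_addr` without `AF_INET6` defined, it would disagree with the others about the layout of `struct iter_qstate`. Including the required system header from this file, or dropping the conditional, would remove that dependency. `fail_addr_type` uses bare 0/4/6, so the comment should state that `fail_addr` holds no valid address when the type is 0, e.g. `/** which member of fail_addr is valid: 4 for in, 6 for in6, 0 if none is set */`. struct iter_qstate starts before this hunk.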