More strict validation of the relation between qname, rname and authname for NS records
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 22 Sep 2025 09:44:12 +0000 (11:44 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 22 Oct 2025 07:43:42 +0000 (09:43 +0200)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
pdns/recursordist/syncres.cc

index 30f0b31d07c81d47f22431627bad6513c3435fb0..1e77cb0ca69b47514b65381601d14ae9bdefe57b 100644 (file)
@@ -4296,9 +4296,9 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
         ++skipCount;
         continue;
       }
-      if (rec->d_type == QType::NS && !d_updatingRootNS && rec->d_name == g_rootdnsname) {
+      if (rec->d_type == QType::NS && (!rec->d_name.isPartOf(auth) || (rec->d_name == auth && !d_updatingRootNS) || !qname.isPartOf(rec->d_name))) {
         /*
-         * We don't want to pick up root NS records in AUTHORITY and their associated ADDITIONAL sections of random queries.
+         * We don't want to pick up irrelevant NS records in AUTHORITY and their associated ADDITIONAL sections.
          * So remove them and don't add them to allowedAdditionals.
          */
         LOG(prefix << qname << ": Removing NS record '" << rec->toString() << "' in the AUTHORITY section of a response received from " << auth << endl);
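Review bot: The new NS predicate bundles three distinct rejection reasons into one line while the updated comment only says "irrelevant", so the comment should name them: owner not within `auth` (out of bailiwick), owner equal to `auth` while `d_updatingRootNS` is unset, and `qname` not under the owner (the NS set does not cover the name that was asked for). A comment such as `/* Drop NS records that are out of bailiwick for auth, that name auth's own apex (unless d_updatingRootNS is set), or whose owner does not cover qname; none of these is a delegation this response should be allowed to hand us. */` would let a reader check each leg against the expression rather than reconstruct the intent. The third leg also appears to drop NS records describing a CNAME target's zone when a server answers the chain in one response, since qname is then not under that owner; if that is deliberate because the target is re-resolved on its own, saying so in the comment would prevent a later "fix". sanitizeRecords begins and ends outside this hunk.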