+21 November 2018: Wouter
+ - Scrub NS records from NODATA responses as well.
+
20 November 2018: Wouter
- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache.
* from. eg. fragmentation attacks, inserted after
* long RRSIGs in the packet get to the packet
* border and such */
- if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) {
+ /* also for NODATA answers
+ * (nodata has an empty answer section, ie. the
+ * first rr is from the next section */
+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
+ (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
+ && (msg->rrset_first->section == LDNS_SECTION_AUTHORITY
+ || msg->rrset_first->section == LDNS_SECTION_ADDITIONAL)
+ )) {
remove_rrset("normalize: removing irrelevant "
"RRset:", pkt, msg, prev, &rrset);
continue;
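Review bot: the new NOERROR branch of the condition identifies NODATA only by the first RRset being in the authority or additional section, and a referral (delegation) response has exactly the same shape: rcode NOERROR, empty answer section, NS RRset in authority. If this path removes NS RRsets, as the changelog entry says, confirm that referrals are excluded before this point. Otherwise tighten the test, for example by also requiring a SOA RRset in the authority section, which a NODATA answer carries and a referral does not. The condition also dereferences `msg->rrset_first` with no NULL check in the visible lines; that is only safe if the enclosing code guarantees at least one RRset is still linked when this is evaluated, so a short comment stating that would help. Minor: the parenthesis opened in the new comment at "(nodata has an empty answer section" is never closed.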