From: W.C.A. Wijngaards Date: Wed, 20 May 2026 14:30:37 +0000 (+0200) Subject: - Fix for signed same-owner CNAME and ordinary RRset responses. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=40b16d05659393cc7923646daa2ac6d2f8d70d9d;p=thirdparty%2Funbound.git - Fix for signed same-owner CNAME and ordinary RRset responses. Thanks to Xin Wang and Jiajia Liu, Northwestern Polytechnical University, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 180f0b033..30a6d8a04 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -44,6 +44,9 @@ - Fix cleaning up DoH session. The same query can be on multiple streams in a session. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix for signed same-owner CNAME and ordinary RRset responses. + Thanks to Xin Wang and Jiajia Liu, Northwestern Polytechnical + University, for the report. 18 May 2026: Wouter - Fix for mixed class referrals, the resolver uses the query diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index 823737d8c..033bfd909 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -492,6 +492,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, size_t snamelen = qinfo->qname_len; struct rrset_parse* rrset, *prev, *nsset=NULL; int cname_length = 0; /* number of CNAMEs, or DNAMEs */ + int has_answer = 0; /* if answer section contains nonCNAME,nonDNAME */ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN && @@ -533,6 +534,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, (unsigned)rrset->rr_count); return 0; } + if(has_answer) { + remove_rrset("normalize: removing DNAME redirection after answer:", + pkt, msg, prev, &rrset); + continue; + } if(!synth_cname(sname, snamelen, rrset, alias, &aliaslen, pkt)) { verbose(VERB_ALGO, "synthesized CNAME " 
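Review bot: The comment on the new `has_answer` flag names the condition but not what the flag gates, and its declaration is the first place a reader will look for that; `int has_answer = 0; /* set once an ordinary (non-CNAME, non-DNAME) RRset has been accepted as the answer; any CNAME or DNAME that follows it in the answer section is dropped */`. The remaining declarations and the loop that reads the flag lie outside this hunk.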
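Review bot: In the DNAME branch the new `has_answer` check sits after the `rr_count != 1` rejection, so a multi-record DNAME that arrives after a terminal answer still fails the whole response with `return 0`, while a well-formed one is merely dropped. Moving the `if(has_answer)` block above the `rr_count` check would treat every post-answer DNAME alike; keeping the order is also defensible, since rejecting is the stricter outcome, but then it deserves `/* a malformed DNAME still rejects the response, even after an answer */`. The asymmetry is with the CNAME branch of the same commit, where the check precedes all other handling. The DNAME branch's condition and its `continue` are outside this hunk.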
@@ -583,6 +589,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, if(rrset->type == LDNS_RR_TYPE_CNAME) { struct rrset_parse* nx = rrset->rrset_all_next; uint8_t* oldsname = sname; + if(has_answer) { + remove_rrset("normalize: removing redirection after answer:", + pkt, msg, prev, &rrset); + continue; + } cname_length++; /* see if the next one is a DNAME, if so, swap them */ if(nx && nx->section == LDNS_SECTION_ANSWER && @@ -661,6 +672,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, * will be removed by sanitize, so no additional for them */ if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) mark_additional_rrset(pkt, msg, rrset); + has_answer = 1; prev = rrset; rrset = rrset->rrset_all_next; diff --git a/testdata/val_cnameother.rpl b/testdata/val_cnameother.rpl new file mode 100644 index 000000000..e21c9255b --- /dev/null +++ b/testdata/val_cnameother.rpl 
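Review bot: The log text `"normalize: removing redirection after answer:"` does not name the record type, whereas the DNAME branch logs `removing DNAME redirection after answer`; `remove_rrset("normalize: removing CNAME redirection after answer:", pkt, msg, prev, &rrset);` keeps the two distinguishable when triaging a log. Placing the check before `cname_length++` looks right, since a dropped CNAME presumably should not count toward whatever bound `cname_length` enforces, and a short comment would state the intent: `/* an ordinary answer already terminated the chain; a CNAME cannot coexist with other data at the same owner (RFC 2181 section 10.1) */`. The enclosing while loop starts and ends outside this hunk.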
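Review bot: `has_answer = 1;` is set unconditionally for every RRset that reaches the bottom of the loop body, with nothing saying which RRsets those are; the filters that decide it are above this hunk and not visible here, so a why-comment at the assignment would pin the invariant both removal sites rely on: `/* an RRset at sname that matched the query reached here: it is the terminal answer */`. If, for qtype ANY, an NSEC or other DNSSEC RRset at a CNAME owner can also reach this line (RFC 4035 section 2.5 permits that coexistence), the order in which the server emits it and the CNAME now decides whether the CNAME survives; worth confirming against the type check above and, if so, covering with a scenario.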
@@ -0,0 +1,270 @@
+; config options
+; The island of trust is at test.
+server:
+ trust-anchor: "test. DS 1444 8 2 8a87d067fd09a5965244fe2e317dd26d182c468e0a7f26ecc4c7b479bf89db9b"
+ val-override-date: "20201020135527"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
+ iter-scrub-promiscuous: no
+ aggressive-nsec: yes
+ local-zone: test. nodefault
+ log-servfail: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with CNAME and other data at the name
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+test. IN NS
+SECTION AUTHORITY
+test. IN NS ns.test.
+SECTION ADDITIONAL
+ns.test. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.test
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test. IN NS
+SECTION ANSWER
+test. IN NS ns.test
+test. 3600 IN RRSIG NS 8 1 3600 20201116135527 20201019135527 1444 test. RGCxIO32TbbLTk6xZmTr+fjYPH50hntBxeOQ2DIj2pDsmjALcHYtVkOfpfk2EhOhHZd+9PLuoJPbJh6a9NqLSFeBvr0XZoCZoQ2g0tCHUNHcH5EVjA2TuYBQem6DVYnPLJ3914aRx0uA1j42b8dC2xsam/XkOo7U+dLbUW2Os1s=
+SECTION ADDITIONAL
+ns.test. IN A 1.2.3.5
+ns.test. 3600 IN RRSIG A 8 2 3600 20201116135527 20201019135527 1444 test. GskCc4/k6GjH9V9Jz2V5L2XLiizbOeWkB0feSbf+aN859S3vxVvtuqkvIgwY4LafUO1QAn/pUcv9zA7rcFO++rlg+8t6gvZTo9p3v0bfeIv2uJDsfSBD5jDh0WXlxjekfnrKrQp7zE+GiA93tWwKUWKPvxXDgP+n886e6WcbHJw=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.test. IN A
+SECTION ANSWER
+ns.test. IN A 1.2.3.5
+ns.test. 3600 IN RRSIG A 8 2 3600 20201116135527 20201019135527 1444 test. GskCc4/k6GjH9V9Jz2V5L2XLiizbOeWkB0feSbf+aN859S3vxVvtuqkvIgwY4LafUO1QAn/pUcv9zA7rcFO++rlg+8t6gvZTo9p3v0bfeIv2uJDsfSBD5jDh0WXlxjekfnrKrQp7zE+GiA93tWwKUWKPvxXDgP+n886e6WcbHJw=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.test. IN AAAA
+SECTION AUTHORITY
+test. 3600 IN SOA ns.test. host.test. 20201 3600 1800 604800 3600
+test. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 test. IZJIDmEgf0W7A5G7hvvZ2hUqJ9Trbv1/i7ySapDmPbYV9lVCmHHobySxO01yDhI2/Pvpsvxqrm1Tiv3BxH8uzZ4keKgiQjBsSy4htAsFct9I4E7ly2glPj/Fm3oun3PsjJDv5QYhx0KS7w4IQKU7Nc9pfJc92uoUI5bdoC1pRGw=
+ns.test. 3600 IN NSEC nz.test. A RRSIG
+ns.test. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 test. PElArVB3KPg8KHAP7lzcNbhFuXNxTsHNTn1dZVncB5qmWRdIaeKpaXDjpH0JSXMaelGFS+/QhuQ6Hmw9+4VyZFRqMzGhw4agUR/2bxABHcDIG4ZpUwyeSP61ATTfHUkQVxaH2wjCWI/tfmesdP2xVE4GXyUvCIBxU914MkZbULU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test. IN DNSKEY
+SECTION ANSWER
+test. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
+test. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 test. UmRMS4iG9NBBHZYOtpwFFcJgbEb5SfHSgHd9XRe/8pTWM31WSDayn5ViPOBMqI1T5TXg2amc13dDI574xIM2oKMus3b5cBW72jJLW13jprBtslO6P8BMWb4HNnvLrJtQjwf3ErRirtTxinLmywQtmyr1cdthyG3Gp4N7i90fHSc=
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.test. IN DS
+SECTION ANSWER
+example.test. 3600 IN DS 55567 8 2 a2d578906330a10a57d40462257b6ce038bad3f7bf4a45c46c46086e20a94b39
+example.test. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 test. P7+FTYW2qHuJ4I1YbuvseEz5X1lOYAraGEHB3C5y0OOCQFmhmSiFRdquNi2NlpcS6FXLdsE0EU+Bo1+0atTG4EkMWXbpF21lrtbB51BdsnlX4Mzc/o375fvjiOMwmF6wPCUaOUN62jrVrhsE/hedaVyDphDToqL17ETohwgUO2I=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.test. IN NS
+SECTION AUTHORITY
+example.test. IN NS ns.example.test.
+example.test. 3600 IN DS 55567 8 2 a2d578906330a10a57d40462257b6ce038bad3f7bf4a45c46c46086e20a94b39
+example.test. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 test. P7+FTYW2qHuJ4I1YbuvseEz5X1lOYAraGEHB3C5y0OOCQFmhmSiFRdquNi2NlpcS6FXLdsE0EU+Bo1+0atTG4EkMWXbpF21lrtbB51BdsnlX4Mzc/o375fvjiOMwmF6wPCUaOUN62jrVrhsE/hedaVyDphDToqL17ETohwgUO2I=
+SECTION ADDITIONAL
+ns.example.test. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.test.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.test. IN NS
+SECTION ANSWER
+example.test. IN NS ns.example.test.
+example.test. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55567 example.test. l1JT0wMlK0YI7/CWHzexf/k0iafUhCgN+BdgjBXIRXmSQNf4HDTiAkbcWL2/15qtnp12nQy9JeiTdSQ3vtPoHAJX4C5uTWaze4ms+Wrrf+n92sLCjacP9x50uuicH3URT6cKb1QCAPwlvlWxIlZjAMYFScSns7+C441NMJT8aE4=
+SECTION ADDITIONAL
+ns.example.test. IN A 1.2.3.4
+ns.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. 2PWaVaccZFQgfPKXNsdEGYUVaashCAj1ZhBo9XRt5eQKUFvZcauBjMnXIuxZFyWeootn1fZGw6GuPI5W48Y0FDx38H6adprkFgQikso2Y64jDdDMWznSo38Z/XqP+U0+kq4vmwonvmEMpm7hKnNEXvhqGKyGzyBwb+CZVJ2L8Eo=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.test. IN A
+SECTION ANSWER
+ns.example.test. IN A 1.2.3.4
+ns.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. 2PWaVaccZFQgfPKXNsdEGYUVaashCAj1ZhBo9XRt5eQKUFvZcauBjMnXIuxZFyWeootn1fZGw6GuPI5W48Y0FDx38H6adprkFgQikso2Y64jDdDMWznSo38Z/XqP+U0+kq4vmwonvmEMpm7hKnNEXvhqGKyGzyBwb+CZVJ2L8Eo=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.test. IN AAAA
+SECTION AUTHORITY
+example.test. 3600 IN SOA ns.example.test. host.example.test. 20301 3600 1800 604800 3600
+example.test. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55567 example.test. 2UUkScBAN37fJpSrelhE8DotKvmOzj3q9wicaanCIaCv95DE4nQnePih5B+ek3FIRjB/Uv2+z4Ro5Uxy94XAnlK0rCkDLSa0U9U7KP0ytc88sevO0x1SCPAMoZoJO6JqHkv42pdh54WSz+Zb/D8npY0j/tksHe/uX+VQnMymgb8=
+ns.example.test. 3600 IN NSEC nz.example.test. A RRSIG
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.test. IN DNSKEY
+SECTION ANSWER
+example.test. 3600 IN DNSKEY 257 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55567 (ksk), size = 1024b}
+example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55567 example.test. IbWMC6quOuZFNPAVxQLqCJ9nLhindBo826rnLcg5yMgs9dGUSPOCXAfHTmbgJAUNs9HTFfrJWNvasnETs0UOpmEuifGwWdH1OlME7Gny4RL2QmITUFeMW81Jz1tiVQxFXl6yxT0jxOxvz+bqMHlrz+8IeWQXcO+GZTPu8ueq30g=
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.test. IN A
+SECTION ANSWER
+www.example.test. 3600 IN A 10.20.30.40
+www.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. OQEgDcpez8Bvdwd+hxA3v63FWJhutWkv9w+k+8RLcWv34WPhebsf7CBV74ggY2c+HafvYiuIFfhdF5CX28YQjxqWVzFgE6bEA6spPc6qdHiQaY/096/4SLCDcL+2EtOqcR/uZGj5uNhhaCJ9UjscBKfEZmHUOAMXKmjsvl0I/+I=
+www.example.test. 3600 IN CNAME tgt.example.test.
+www.example.test. 3600 IN RRSIG CNAME 8 3 3600 20201116135527 20201019135527 55567 example.test. hbJ/74XR/5S9KJ36xi5eXTV9Qmx9RTkVpkuN3sFJb2cRbkqSSv8VhMhbePh/XbGQCaVvPoTRrKMASf5Nkn2x1LX378cFdnn1p2+85Q9AYjc6oAcvGh2NNBEh/F6UA3nzCHI6S++QlyQFNUKwuAnrg/9g9nE6BdVC3rL0pKSEWPU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www2.example.test. IN A
+SECTION ANSWER
+www2.example.test. 3600 IN CNAME tgt2.example.test.
+www2.example.test. 3600 IN RRSIG CNAME 8 3 3600 20201116135527 20201019135527 55567 example.test. LOs6t3W5DExcLi17Zysn0Iw4dFl/G0gUMvLDtLZh/Vq7QNGFZ/EI55hUkiELI0HTyCHW2z/5MbGk3mLfStGBrNaTbZTSUxkUnxKI+eaEReWXPepEALea4Isf5KYxj1HyrhWcjI3CQp9+ALjZWtI63fVf64mdiu2hAAMIVt7GiGU=
+www2.example.test. 3600 IN A 10.20.30.42
+www2.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. tbNIBmCBc1WeNrgG2aXc+g/T73iRKteVWrhHf4w/9EBr7bVW0K0Lt7oewg5LvWMmJwhEef54Er3SxoVsxwFWnUavJqVymv55EMp0fkFv7Fiud8Q3CBwi19h2x5T0upNadHkKFKo1FGjs3jasaPHcV3MLU0uxTUaIJZ9v4GY8HlU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tgt.example.test. IN A
+SECTION ANSWER
+tgt.example.test. 3600 IN A 10.20.30.44
+tgt.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. NuTUOwgit91nOEVd4OrA0WdfMzwkRQBgFdgHkv65+MVkjBBI8MzDrgmrJykwNfhjOetsUU7/ON1rABPCNbdaGFwXjDAghukNxCiN+vAGk+dMgG6JVI/mDDJaC9MdJpBGBEWOnF1yB66aLENIhNYoiYyn9aAc79MfVh/1bu5by9E=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tgt2.example.test. IN A
+SECTION ANSWER
+tgt2.example.test. 3600 IN A 10.20.30.45
+tgt2.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. W1fB3ZFbW5nLDgVEeyvlD/SFBWudR32ELh0JOlyC3kN/ZVGrJvEH7QQCvuJ0KuXgjcio2uxNSCXeVoYP8AyiCdL/ji+MAy3y+YvRWSEAVqhIebKlr5zOWtAscNBnMxenpmkd23jrIIHMQepfv4jvQue73Lb2+url/RJtNcsRaio=
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.test. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www.example.test. IN A
+SECTION ANSWER
+www.example.test. 3600 IN A 10.20.30.40
+www.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. OQEgDcpez8Bvdwd+hxA3v63FWJhutWkv9w+k+8RLcWv34WPhebsf7CBV74ggY2c+HafvYiuIFfhdF5CX28YQjxqWVzFgE6bEA6spPc6qdHiQaY/096/4SLCDcL+2EtOqcR/uZGj5uNhhaCJ9UjscBKfEZmHUOAMXKmjsvl0I/+I=
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www2.example.test. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www2.example.test. IN A
+SECTION ANSWER
+www2.example.test. 3600 IN CNAME tgt2.example.test.
+www2.example.test. 3600 IN RRSIG CNAME 8 3 3600 20201116135527 20201019135527 55567 example.test. LOs6t3W5DExcLi17Zysn0Iw4dFl/G0gUMvLDtLZh/Vq7QNGFZ/EI55hUkiELI0HTyCHW2z/5MbGk3mLfStGBrNaTbZTSUxkUnxKI+eaEReWXPepEALea4Isf5KYxj1HyrhWcjI3CQp9+ALjZWtI63fVf64mdiu2hAAMIVt7GiGU=
+tgt2.example.test. 3600 IN A 10.20.30.45
+tgt2.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. W1fB3ZFbW5nLDgVEeyvlD/SFBWudR32ELh0JOlyC3kN/ZVGrJvEH7QQCvuJ0KuXgjcio2uxNSCXeVoYP8AyiCdL/ji+MAy3y+YvRWSEAVqhIebKlr5zOWtAscNBnMxenpmkd23jrIIHMQepfv4jvQue73Lb2+url/RJtNcsRaio=
+ENTRY_END
+
+SCENARIO_END
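Review bot: The scenario exercises only the CNAME path of the fix (A then CNAME at `www.example.test.`, CNAME then A at `www2.example.test.`); the DNAME removal added in the same commit, logged as `removing DNAME redirection after answer`, has no coverage here. A third query whose signed answer carries the qname's A RRset followed by a DNAME on `example.test.` would pin that branch. STEP 10 also confirms the security-relevant outcome, that the remaining A RRset still validates with AD once the same-owner CNAME is stripped, and that deserves a one-line `; ... ` comment above `STEP 10 CHECK_ANSWER` so the expectation is not mistaken for an omission when the file is next edited.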