From: Otto Moerbeek
Date: Mon, 22 Sep 2025 09:44:12 +0000 (+0200)
Subject: More strict validation of the relation between qname, rname and authname for NS records
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53c598698720d4ce4abb69a0bb5fb4a4edf530be;p=thirdparty%2Fpdns.git
More strict validation of the relation between qname, rname and authname for NS records
Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 30f0b31d07..1e77cb0ca6 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -4296,9 +4296,9 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
 ++skipCount;
 continue;
 }
- if (rec->d_type == QType::NS && !d_updatingRootNS && rec->d_name == g_rootdnsname) {
+ if (rec->d_type == QType::NS && (!rec->d_name.isPartOf(auth) || (rec->d_name == auth && !d_updatingRootNS) || !qname.isPartOf(rec->d_name))) {
 /*
- * We don't want to pick up root NS records in AUTHORITY and their associated ADDITIONAL sections of random queries.
+ * We don't want to pick up irrelevant NS records in AUTHORITY and their associated ADDITIONAL sections.
 * So remove them and don't add them to allowedAdditionals.
 */
 LOG(prefix << qname << ": Removing NS record '" << rec->toString() << "' in the AUTHORITY section of a response received from " << auth << endl);
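Review bot: The apex exemption in the new condition, `(rec->d_name == auth && !d_updatingRootNS)`, is keyed only on the flag, whereas the removed line tied it to `g_rootdnsname`; if `d_updatingRootNS` can be set while `auth` is a zone other than the root (not visible in this hunk), apex NS sets for that zone would be kept as well. Spelling out the intent would close that, e.g. `(rec->d_name == auth && !(d_updatingRootNS && auth == g_rootdnsname))`. The comment would also serve the next reader better if it named the three rejected cases: owner outside `auth`, owner equal to `auth` outside a root NS update, and owner that is neither `qname` nor one of its ancestors. The body of `sanitizeRecords` starts and ends outside the hunk, so how the remaining NS records feed `allowedAdditionals` cannot be checked from here.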