From: Kees Monshouwer
Date: Fri, 18 Sep 2020 08:02:11 +0000 (+0200)
Subject: auth: backport to 4.3.x: Do not send out of zone lookups to the backends
X-Git-Tag: auth-4.3.1~1^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F9480%2Fhead;p=thirdparty%2Fpdns.git
auth: backport to 4.3.x: Do not send out of zone lookups to the backends
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d3c3be8885..96d9d8688f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -472,16 +472,17 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket& p, std::unique_ptr
 else
 continue;
+ if(!lookup.isPartOf(soadata.qname)) {
+ continue;
+ }
+
 B.lookup(QType(d_doIPv6AdditionalProcessing ? QType::ANY : QType::A), lookup, soadata.domain_id, &p);
 while(B.get(rr)) {
 if(rr.dr.d_type != QType::A && rr.dr.d_type!=QType::AAAA)
 continue;
- if(!rr.dr.d_name.isPartOf(soadata.qname)) {
- // FIXME we might still pass on the record if it is occluded and the
- // backend uses a single id for all zones
- continue;
- }
+ // FIXME we might still pass on the record if it is occluded and the
+ // backend uses a single id for all zones
 rr.dr.d_place=DNSResourceRecord::ADDITIONAL;
 toAdd.push_back(rr);
 }
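Review bot: With the per-record `rr.dr.d_name.isPartOf(soadata.qname)` test removed from the `while(B.get(rr))` loop, every A/AAAA record a backend returns is placed in the ADDITIONAL section on the strength of the pre-lookup check on `lookup` alone. That holds only if each backend returns records whose owner name equals the name it was asked for, which is presumably the contract but is not visible in this hunk. If it is, a comment above the loop such as `// backends return only records named 'lookup', which was checked against the zone above` would record the assumption; otherwise the cheap per-record check is worth keeping as a second guard against out-of-zone data in responses. The retained FIXME now sits above `rr.dr.d_place=DNSResourceRecord::ADDITIONAL;` with no condition attached, so it should be reworded to stand alone, e.g. `// FIXME: an occluded record is still added here when the backend uses a single id for all zones`. The body of doAdditionalProcessingAndDropAA starts and ends outside the hunk.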