From c64a17848f155ac8aa0e08532f34a316dbc80e82 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Fri, 18 Sep 2020 10:02:11 +0200
Subject: [PATCH] auth: backport to 4.3.x: Do not send out of zone lookups to the backends
---
 pdns/packethandler.cc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d3c3be8885..96d9d8688f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -472,16 +472,17 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket& p, std::unique_ptr
 else continue;
+ if(!lookup.isPartOf(soadata.qname)) {
+ continue;
+ }
+
 B.lookup(QType(d_doIPv6AdditionalProcessing ? QType::ANY : QType::A), lookup, soadata.domain_id, &p);
 while(B.get(rr)) {
 if(rr.dr.d_type != QType::A && rr.dr.d_type!=QType::AAAA) continue;
- if(!rr.dr.d_name.isPartOf(soadata.qname)) {
- // FIXME we might still pass on the record if it is occluded and the
- // backend uses a single id for all zones
- continue;
- }
+ // FIXME we might still pass on the record if it is occluded and the
+ // backend uses a single id for all zones
 rr.dr.d_place=DNSResourceRecord::ADDITIONAL;
 toAdd.push_back(rr);
 }
--
2.47.2
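Review bot: The two-line FIXME kept inside the `while(B.get(rr))` loop now sits directly above `rr.dr.d_place=DNSResourceRecord::ADDITIONAL;` and no longer annotates any code, because the per-record `isPartOf` test and its `continue` are removed. It would read correctly next to the new pre-lookup guard, for example as `// FIXME we might still look up an occluded name if the backend uses a single id for all zones`. With the per-record filter gone, the loop also appears to rely on every backend returning only records owned by `lookup`; if that is not guaranteed, keeping `if(!rr.dr.d_name.isPartOf(soadata.qname)) continue;` in the loop costs little and preserves the old in-zone filter as a second check. The enclosing function starts and ends outside the hunk.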