git.ipfire.org Git - thirdparty/bind9.git/commit

author	Ondřej Surý <ondrej@isc.org>
	Thu, 9 Apr 2026 10:06:31 +0000 (12:06 +0200)
committer	Colin Vidal <colin@isc.org>
	Thu, 16 Apr 2026 09:28:13 +0000 (11:28 +0200)
commit	9191dc7acbdf4a6a4a6a06cedad2d90baed0fcee
tree	85679af0e628406376a80455f060d2fb2c316180	tree \| snapshot
parent	764625ee5b4e209a871418462ccda37283b40968	commit \| diff

Fix delegation database NOEXACT lookup for top-level names

dns__deleg_lookup() with DNS_DBFIND_NOEXACT is supposed to return
the deepest proper ancestor of the lookup name.  It called
getparentnode() to step up from an exact match, but getparentnode()
only iterated while the chain length was >= 2.  When the chain
contained a single entry (the exact match itself with no ancestor
stored in the trie), the loop did not execute and left the caller
looking at the exact match.  The subsequent isactive() check then
returned success and the function reported the exact match as the
"deepest ancestor", violating NOEXACT semantics.

This was observable as the resolver picking the child-side
delegation for an at-parent type (e.g. a DS query for a TLD), then
sending the query to the child's own nameservers and recovering via
the "chase DS servers" path.

Have getparentnode() set '*node' to NULL when it cannot find an
active proper ancestor, and make dns__deleg_lookup() NULL-check
before returning, matching the canonical NOEXACT implementation in
dns_zt_find().  Update the deleg unit test to expect NOTFOUND for
the top-level-no-parent case.

lib/dns/deleg.c		diff \| blob \| blame \| history
tests/dns/deleg_test.c		diff \| blob \| blame \| history