To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
(cherry picked from commit
fa153f791f9324bf84abf8d259e11c0531fe6e25)
dns_message_currentname(rctx->query->rmessage,
DNS_SECTION_AUTHORITY, &name);
- if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ if (!name_external(name, dns_rdatatype_ns, fctx) &&
+ dns_name_issubdomain(fctx->name, name))
+ {
dns_rdataset_t *rdataset = NULL;
/*
projects / thirdparty / bind9.git / commitdiff
