Reject external referrals from forwarders

Apply the existing name_external() bailiwick check to NS RRsets
processed as referrals in rctx_authority_negative(), and enforce the
same check again in rctx_referral() before caching or following the
delegation.

Also reject referrals from root/global forwarders, where there is no
narrower forward-zone apex for name_external() to enforce.

This prevents a forward-first forwarder from installing a parent
zone-cut above the configured forward zone via an authority-section NS
RRset.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 258b8bf076cbf7c703f62eb26084b3fe4b18a9c3..dc39d5242bc56dae39035311df1ca803891e2a9a 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9205,6 +9205,10 @@ rctx_authority_negative(respctx_t *rctx) {
 
                        switch (type) {
                        case dns_rdatatype_ns:
+                               if (name_external(name, dns_rdatatype_ns, rctx))
+                               {
+                                       continue;
+                               }
                                /*
                                 * NS or RRSIG NS.
                                 *
@@ -9387,6 +9391,20 @@ rctx_referral(respctx_t *rctx) {
                return ISC_R_SUCCESS;
        }
 
+       if (name_external(rctx->ns_name, dns_rdatatype_ns, rctx)) {
+               log_formerr(fctx, "external referral");
+               rctx->result = DNS_R_FORMERR;
+               return ISC_R_COMPLETE;
+       }
+
+       if (ISFORWARDER(fctx->addrinfo) &&
+           dns_name_equal(fctx->fwdname, dns_rootname))
+       {
+               log_formerr(fctx, "referral from global forwarder");
+               rctx->result = DNS_R_FORMERR;
+               return ISC_R_COMPLETE;
+       }
+
        /*
         * We already know ns_name is a subdomain of fctx->domain.
         * If ns_name is equal to fctx->domain, we're not making