To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
(cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25)
dns_message_currentname(rctx->query->rmessage,
DNS_SECTION_AUTHORITY, &name);
- if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ if (!name_external(name, dns_rdatatype_ns, fctx) &&
+ dns_name_issubdomain(&fctx->name, name))
+ {
dns_rdataset_t *rdataset = NULL;
/*
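Review bot: the added condition `dns_name_issubdomain(&fctx->name, name)` on the `+` lines tests that the queried name (`fctx->name`) is at or below the NS owner (`name`), and that predicate also holds when the two names are equal, so the commit message's "must be an ancestor" is really "ancestor of or equal to"; a one-line comment above the `if` stating that intent (skip NS data whose owner does not cover the query name, per the spoofing fix described in the message) would spare future readers from having to re-derive the argument order. Consider also emitting a debug-level log entry when an NS RRset is dropped by this new check, since a rejected referral is the observable signal an operator would want when diagnosing a spoofing attempt against the cache.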