To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
(cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25)
while (!done && result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ if (!name_external(name, dns_rdatatype_ns, fctx) &&
+ dns_name_issubdomain(&fctx->name, name))
+ {
/*
* We expect to find NS or SIG NS rdatasets, and
* nothing else.
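Review bot: the new condition `dns_name_issubdomain(&fctx->name, name)` carries the whole security rationale of this change but is not explained at the point of use; the comment that follows it still only says "We expect to find NS or SIG NS rdatasets, and nothing else." Please add a comment directly above the `if` stating the rule from the commit message, e.g. "Only accept NS data whose owner name is an ancestor of the name being queried; anything else is a candidate for cache poisoning and is skipped." Note also that dns_name_issubdomain() is true when the two names are equal, so the rule the code actually enforces is "ancestor or the query name itself"; the comment (and ideally the commit message) should say so, to avoid a later reader "tightening" it to a strict-ancestor check and breaking lookups at the zone apex. Keeping `name_external()` as the first operand is correct, since it short-circuits the cheaper existing test before the name comparison.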