Apply the existing name_external() bailiwick check to NS RRsets
processed as referrals in rctx_authority_negative(), and enforce the
same check again in rctx_referral() before caching or following the
delegation.
This prevents a forward-first forwarder from installing a parent
zone-cut above the configured forward zone via an authority-section
NS RRset.
switch (type) {
case dns_rdatatype_ns:
+ if (name_external(name, dns_rdatatype_ns, rctx))
+ {
+ continue;
+ }
/*
* NS or RRSIG NS.
*
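Review bot: The new `continue` in the `dns_rdatatype_ns` case drops an out-of-bailiwick NS RRset with no comment and no log, while the matching check added to rctx_referral() logs "external referral". I would add a short comment above it, e.g. `/* Ignore NS RRsets outside the bailiwick (e.g. above a forward zone); never treat them as a referral. */`, and consider a debug-level log so operators can see when a forwarder sends such records. The brace placement also differs from the second hunk; `if (name_external(name, dns_rdatatype_ns, rctx)) {` would match it. The enclosing loop and the rest of the switch are outside the hunk, so which loop the `continue` advances cannot be confirmed from here.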
return ISC_R_SUCCESS;
}
+ if (name_external(rctx->ns_name, dns_rdatatype_ns, rctx)) {
+ log_formerr(fctx, "external referral");
+ rctx->result = DNS_R_FORMERR;
+ return ISC_R_COMPLETE;
+ }
+
/*
* We already know ns_name is a subdomain of fctx->domain.
* If ns_name is equal to fctx->domain, we're not making
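Review bot: The repeated name_external() check in rctx_referral() has no comment saying why it runs a second time, and the context comment directly below it still states only that ns_name is a subdomain of fctx->domain. A comment above the `if`, such as `/* Defense in depth: re-check the bailiwick before the referral is cached or followed. */`, would record the intent given in the commit message. The log text "external referral" does not name the rejected owner; if log_formerr() accepts format arguments, passing a formatted rctx->ns_name would make the event easier to triage. The start of the function and the rest of its body are outside the hunk.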