Check that the forward declaration is unchanged and not overridden

If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 2f67aba873d37e6b1e25737d241be53c9609710f..374115734454e381c4368cdc39cfacce10163c97 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7130,7 +7130,31 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
 static inline bool
 name_external(const dns_name_t *name, fetchctx_t *fctx) {
        if (ISFORWARDER(fctx->addrinfo)) {
-               return (!dns_name_issubdomain(name, fctx->fwdname));
+               isc_result_t result;
+               dns_fixedname_t fixed;
+               dns_forwarders_t *forwarders = NULL;
+               dns_name_t *fname;
+
+               if (!dns_name_issubdomain(name, fctx->fwdname)) {
+                       return (true);
+               }
+
+               /*
+                * Is there a child forwarder declaration that is better?
+                * This lookup should always succeed if the configuration
+                * has not changed.
+                */
+               fname = dns_fixedname_initname(&fixed);
+               result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+                                          &forwarders);
+               if (result == ISC_R_SUCCESS) {
+                       return (!dns_name_equal(fname, fctx->fwdname));
+               }
+
+               /*
+                * Play it safe if the configuration has changed.
+                */
+               return (true);
        }
 
        return (!dns_name_issubdomain(name, &fctx->domain));