Further restrict addresses that are cached when processing referrals

Use the owner name of the NS record as the bailwick apex name
when determining which additional records to cache, rather than
the name of the delegating zone (or a parent thereof).

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 85b8aafaddfcd5e55a9bbb24a3db359f59f625be..7d2823e129173002294c117197f6066fd04502da 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6359,7 +6359,8 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
  * locally served zone.
  */
 static inline bool
-name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+name_external(const dns_name_t *name, dns_rdatatype_t type, respctx_t *rctx) {
+       fetchctx_t *fctx = rctx->fctx;
        isc_result_t result;
        dns_forwarders_t *forwarders = NULL;
        dns_name_t *apex = NULL;
@@ -6369,7 +6370,7 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
        dns_namereln_t rel;
 
        apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
-                      ? fctx->domain
+                      ? rctx->ns_name != NULL ? rctx->ns_name : fctx->domain
                       : fctx->fwdname;
 
        /*
@@ -6466,7 +6467,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
        result = dns_message_findname(rctx->query->rmessage, section, addname,
                                      dns_rdatatype_any, 0, &name, NULL);
        if (result == ISC_R_SUCCESS) {
-               external = name_external(name, type, fctx);
+               external = name_external(name, type, rctx);
                if (type == dns_rdatatype_a) {
                        ISC_LIST_FOREACH(name->list, rdataset, link) {
                                if (dns_rdatatype_issig(rdataset->type)) {
@@ -8152,7 +8153,7 @@ rctx_answer_scan(respctx_t *rctx) {
                        /*
                         * Don't accept DNAME from parent namespace.
                         */
-                       if (name_external(name, dns_rdatatype_dname, fctx)) {
+                       if (name_external(name, dns_rdatatype_dname, rctx)) {
                                continue;
                        }
 
@@ -8445,7 +8446,7 @@ rctx_authority_positive(respctx_t *rctx) {
 
        dns_message_t *msg = rctx->query->rmessage;
        MSG_SECTION_FOREACH(msg, DNS_SECTION_AUTHORITY, name) {
-               if (!name_external(name, dns_rdatatype_ns, fctx) &&
+               if (!name_external(name, dns_rdatatype_ns, rctx) &&
                    dns_name_issubdomain(fctx->name, name))
                {
                        /*