Tighten restrictions on caching NS RRsets in authority section

To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 61ec6191f6689ee028e8084cdbe49d937d7d07b9..85b8aafaddfcd5e55a9bbb24a3db359f59f625be 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8435,8 +8435,8 @@ rctx_answer_dname(respctx_t *rctx) {
  * section to be subdomains of the domain being queried; any that are
  * not are skipped.  We expect to find only *one* owner name; any names
  * after the first one processed are ignored. We expect to find only
- * rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
- * remains can be cached at trust level authauthority or additional
+ * rdatasets of type NS; all others are ignored. Whatever remains can
+ * be cached at trust level authauthority or additional
  * (depending on whether the AA bit was set on the answer).
  */
 static void
@@ -8445,7 +8445,9 @@ rctx_authority_positive(respctx_t *rctx) {
 
        dns_message_t *msg = rctx->query->rmessage;
        MSG_SECTION_FOREACH(msg, DNS_SECTION_AUTHORITY, name) {
-               if (!name_external(name, dns_rdatatype_ns, fctx)) {
+               if (!name_external(name, dns_rdatatype_ns, fctx) &&
+                   dns_name_issubdomain(fctx->name, name))
+               {
                        /*
                         * We expect to find NS or SIG NS rdatasets, and
                         * nothing else.