From: Mark Andrews <marka@isc.org>
Date: Wed, 9 Jul 2025 23:37:36 +0000 (+1000)
Subject: Tighten restrictions on caching NS RRsets in authority section
X-Git-Tag: v9.18.41~6^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=025d61bacd0f57f994a631654aff7a933d89a547;p=thirdparty%2Fbind9.git

Tighten restrictions on caching NS RRsets in authority section

To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.

(cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25)
---

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index dc9c5b1c874..eb5d671c8f2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9247,7 +9247,9 @@ rctx_authority_positive(respctx_t *rctx) {
 		dns_message_currentname(rctx->query->rmessage,
 					DNS_SECTION_AUTHORITY, &name);
 
-		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+		if (!name_external(name, dns_rdatatype_ns, fctx) &&
+		    dns_name_issubdomain(fctx->name, name))
+		{
 			dns_rdataset_t *rdataset = NULL;
 
 			/*