From: Klaus Darilion
Date: Fri, 12 Oct 2018 20:20:03 +0000 (+0000)
Subject: during SOA-check response processing make sure to only accept SOA records
X-Git-Tag: auth-4.2.0-alpha1~33^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22880ed9c36fc7f6d83515912b1ccf2fb00bc697;p=thirdparty%2Fpdns.git
during SOA-check response processing make sure to only accept SOA records if their label is identical to the requested domain.
---
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index 2d274bff7f..ab3dcad0ce 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -277,14 +277,14 @@ bool Resolver::tryGetSOASerial(DNSName *domain, ComboAddress* remote, uint32_t *
 *theirInception = *theirExpire = 0;
 bool gotSOA=false;
 for(const MOADNSParser::answers_t::value_type& drc : mdp.d_answers) {
- if(drc.first.d_type == QType::SOA) {
+ if(drc.first.d_type == QType::SOA && drc.first.d_name == *domain) {
 shared_ptr src=getRR(drc.first);
 if (src) {
 *theirSerial=src->d_st.serial;
 gotSOA = true;
 }
 }
- if(drc.first.d_type == QType::RRSIG) {
+ if(drc.first.d_type == QType::RRSIG && drc.first.d_name == *domain) {
 shared_ptr rrc=getRR(drc.first);
 if(rrc && rrc->d_type == QType::SOA) {
 *theirInception= std::max(*theirInception, rrc->d_siginception);
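Review bot: Both new conditions compare only the owner name, so an SOA or RRSIG that carries the right label but sits outside the answer section would still set `*theirSerial` and `*theirInception`, assuming `mdp.d_answers` holds records from every section of the response. A guard at the top of the loop body such as `if(drc.first.d_place != DNSResourceRecord::ANSWER) continue;` would close that. The function body starts and ends outside the hunk, so it is not visible whether `*domain` is the name that was queried or the question name parsed from this response; if it is the latter, the comparison only shows the response is self-consistent and the caller still has to match it to an outstanding query. A short comment above the SOA test, e.g. `// ignore records whose owner name is not the zone we asked about`, would record why the name comparison is there.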