From: Alessio Podda
Date: Thu, 7 May 2026 11:34:20 +0000 (+0200)
Subject: Reject external referrals from forwarders
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d638eeda885d7c2beaf0103ece1a52384b9f3e7;p=thirdparty%2Fbind9.git

Reject external referrals from forwarders

Apply the existing name_external() bailiwick check to NS RRsets processed as referrals in rctx_authority_negative(), and enforce the same check again in rctx_referral() before caching or following the delegation.

Also reject referrals from root/global forwarders, where there is no narrower forward-zone apex for name_external() to enforce.

This prevents a forward-first forwarder from installing a parent zone-cut above the configured forward zone via an authority-section NS RRset.
---

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 258b8bf076c..dc39d5242bc 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9205,6 +9205,10 @@ rctx_authority_negative(respctx_t *rctx) {
 	switch (type) {
 	case dns_rdatatype_ns:
+		if (name_external(name, dns_rdatatype_ns, rctx))
+		{
+			continue;
+		}
 		/*
 		 * NS or RRSIG NS.
 		 *
@@ -9387,6 +9391,20 @@ rctx_referral(respctx_t *rctx) {
 		return ISC_R_SUCCESS;
 	}
+	if (name_external(rctx->ns_name, dns_rdatatype_ns, rctx)) {
+		log_formerr(fctx, "external referral");
+		rctx->result = DNS_R_FORMERR;
+		return ISC_R_COMPLETE;
+	}
+
+	if (ISFORWARDER(fctx->addrinfo) &&
+	    dns_name_equal(fctx->fwdname, dns_rootname))
+	{
+		log_formerr(fctx, "referral from global forwarder");
+		rctx->result = DNS_R_FORMERR;
+		return ISC_R_COMPLETE;
+	}
+
 	/*
 	 * We already know ns_name is a subdomain of fctx->domain.
 	 * If ns_name is equal to fctx->domain, we're not making
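Review bot: The new `continue` under `case dns_rdatatype_ns:` in rctx_authority_negative drops an out-of-bailiwick NS RRset silently, whereas the matching check added in rctx_referral logs the event and returns DNS_R_FORMERR, so an operator investigating a misbehaving forwarder gets no trace of the RRset discarded here. If fctx is in scope in this function as it is in rctx_referral, adding `log_formerr(fctx, "external NS RRset in authority section");` before the `continue` would make both rejection paths equally observable. Brace placement also differs between the two hunks: here a single-line `if (...)` condition opens its brace on the following line, while the single-line `if (name_external(...))` in rctx_referral opens it on the same line, so one of the two should be reformatted to match the file's convention. The enclosing switch and loop of rctx_authority_negative start and end outside the hunk, so whether `continue` also skips per-RRset work that should still run for this name cannot be confirmed from the hunk alone.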
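Review bot: The two new rejection blocks in rctx_referral carry no comment stating why a referral is refused, and the comment immediately below still opens with "We already know ns_name is a subdomain of fctx->domain", which no longer describes the first thing that happens at this point in the function. A short comment above the first `if`, e.g. `/* A forwarder may only delegate within its own forward zone; a global (root) forwarder has no narrower apex to bound it, so any referral from it is refused. */`, would tie the checks to the rationale in the commit message. The two blocks differ only in their condition and log text, so they could be folded into one `if` with a single `log_formerr()` call unless the distinct messages are wanted for triage, in which case the separate blocks are fine as written. rctx_referral begins outside the hunk, and whether `fctx->addrinfo` identifies the server that sent this particular response (rather than the per-query addrinfo held in rctx) cannot be confirmed from here, which matters because it is what gates the global-forwarder check.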