From: Evan Hunt <each@isc.org>
Date: Tue, 30 Sep 2025 04:46:59 +0000 (-0700)
Subject: Tighten restrictions on caching NS RRsets in authority section
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f0f44d493c382a7f0a3adfe7c4976b18a3d480b;p=thirdparty%2Fbind9.git

Tighten restrictions on caching NS RRsets in authority section

To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.

(cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25)
---

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 737f83cdbf5..7a2768c1416 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9243,7 +9243,9 @@ rctx_authority_positive(respctx_t *rctx) {
 		dns_message_currentname(rctx->query->rmessage,
 					DNS_SECTION_AUTHORITY, &name);
 
-		if (!name_external(name, dns_rdatatype_ns, fctx)) {
+		if (!name_external(name, dns_rdatatype_ns, fctx) &&
+		    dns_name_issubdomain(&fctx->name, name))
+		{
 			dns_rdataset_t *rdataset = NULL;
 
 			/*