From: Evan Hunt Date: Tue, 30 Sep 2025 05:17:39 +0000 (-0700) Subject: Tighten restrictions on caching NS RRsets in authority section X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41ab0709d1bde6fb8a2dde623d00e69bc48fab0d;p=thirdparty%2Fbind9.git Tighten restrictions on caching NS RRsets in authority section To prevent certain spoofing attacks, a new check has been added to the existing rules for whether NS data can be cached: the owner name of the NS RRset must be an ancestor of the name being queried. (cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25) --- diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index ed3d0b1b95f..51687716ef9 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -7522,7 +7522,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) { while (!done && result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); - if (!name_external(name, dns_rdatatype_ns, fctx)) { + if (!name_external(name, dns_rdatatype_ns, fctx) && + dns_name_issubdomain(&fctx->name, name)) + { /* * We expect to find NS or SIG NS rdatasets, and * nothing else.
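Review bot: The new `dns_name_issubdomain(&fctx->name, name)` condition in answer_response() also returns true when the NS owner name is equal to the query name, so the check actually admits "ancestor or self", while the commit message says only "ancestor of the name being queried"; either the message should say "ancestor of or equal to", or, if an NS RRset owned by exactly the queried name is meant to be rejected here, an explicit `dns_name_equal()` exclusion is needed alongside it. It would also help to extend the comment that follows the condition ("We expect to find NS or SIG NS rdatasets ...") with a sentence stating that the ancestor test is what stops an authority-section NS RRset for an unrelated zone from being cached, since the security reason for the check is otherwise visible only in the commit message.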