From: Evan Hunt <each@isc.org>
Date: Tue, 25 Feb 2025 22:41:41 +0000 (-0800)
Subject: set eresult based on the type in ncache_adderesult()
X-Git-Tag: v9.18.36~9^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46e793a3b4e63ff7d4cf941b8a5abc493fd8794d;p=thirdparty%2Fbind9.git

set eresult based on the type in ncache_adderesult()

when the caching of a negative record failed because of the
presence of a positive one, ncache_adderesult() could override
this to ISC_R_SUCCESS. this could cause CNAME and DNAME responses
to be handled incorrectly.  ncache_adderesult() now sets the result
code correctly in such cases.

(cherry picked from commit 1edbbc32b4cca228e05cb9646ad623cf31027a95)
---

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 3663b5a8469..d67945e9065 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6908,15 +6908,21 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 			}
 		} else {
 			/*
-			 * Either we don't care about the nature of the
-			 * cache rdataset (because no fetch is
-			 * interested in the outcome), or the cache
-			 * rdataset is not a negative cache entry.
-			 * Whichever case it is, we can return success.
-			 *
-			 * XXXRTH  There's a CNAME/DNAME problem here.
+			 * The attempt to add a negative cache entry
+			 * was rejected.  Set *eresultp to reflect
+			 * the type of the dataset being returned.
 			 */
-			*eresultp = ISC_R_SUCCESS;
+			switch (ardataset->type) {
+			case dns_rdatatype_cname:
+				*eresultp = DNS_R_CNAME;
+				break;
+			case dns_rdatatype_dname:
+				*eresultp = DNS_R_DNAME;
+				break;
+			default:
+				*eresultp = ISC_R_SUCCESS;
+				break;
+			}
 		}
 		result = ISC_R_SUCCESS;
 	}