From: Alessio Podda
Date: Tue, 16 Jun 2026 10:07:49 +0000 (+0200)
Subject: Reject external referrals for forward zones
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=492d11fa39613c41497c9e0b2d6b98bce191ad26;p=thirdparty%2Fbind9.git
Reject external referrals for forward zones
Apply the existing name_external() bailiwick check to NS RRsets processed as referrals in rctx_authority_negative(), and enforce the same check again in rctx_referral() before caching or following the delegation. This prevents a forward-first forwarder from installing a parent zone-cut above the configured forward zone via an authority-section NS RRset.
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4ad232a1838..13e11e0ae45 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9247,6 +9247,10 @@ rctx_authority_negative(respctx_t *rctx) {
 switch (type) {
 case dns_rdatatype_ns:
+ if (name_external(name, dns_rdatatype_ns, rctx))
+ {
+ continue;
+ }
 /*
 * NS or RRSIG NS.
 *
@@ -9429,6 +9433,12 @@ rctx_referral(respctx_t *rctx) {
 return ISC_R_SUCCESS;
 }
+ if (name_external(rctx->ns_name, dns_rdatatype_ns, rctx)) {
+ log_formerr(fctx, "external referral");
+ rctx->result = DNS_R_FORMERR;
+ return ISC_R_COMPLETE;
+ }
+
 /*
 * We already know ns_name is a subdomain of fctx->domain.
 * If ns_name is equal to fctx->domain, we're not making
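Review bot: The out-of-bailiwick NS RRset in rctx_authority_negative is dropped silently with `continue`, whereas the same condition in rctx_referral (the second hunk) is logged through log_formerr and turned into DNS_R_FORMERR, so an operator only gets a log line when the bad NS set reaches the referral path. If the silent skip is deliberate here because other authority-section records may still be usable, a comment should say so, e.g. `/* NS RRset outside the forward zone's bailiwick: not a referral we may follow, skip it. */`; otherwise the same log_formerr call as in rctx_referral would make both paths observable. The loop that `continue` applies to and the remainder of the switch lie outside the hunk.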
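Review bot: The new bailiwick check in rctx_referral is placed after an early `return ISC_R_SUCCESS;` whose guarding condition is outside the hunk; if that early return can be taken for a referral that is still cached or followed elsewhere, the check does not cover it, which is worth confirming against the lines above. The comment that follows the new block (`We already know ns_name is a subdomain of fctx->domain.`) now understates what has been established; extending it with `Since name_external() passed, ns_name is also inside the forward zone's bailiwick.` keeps it accurate. rctx_referral continues outside the hunk.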