From: Ondřej Surý <ondrej@isc.org>
Date: Wed, 20 May 2026 16:28:15 +0000 (+0200)
Subject: Skip DNS64 synthesis when answering a redirected response
X-Git-Tag: v9.21.23~27^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bfd18d08d706218400ba131f6625f6bcd7c47cc;p=thirdparty%2Fbind9.git

Skip DNS64 synthesis when answering a redirected response

redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.
---

diff --git a/lib/ns/query.c b/lib/ns/query.c
index b160171935f..ca76df4f3d5 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -8902,6 +8902,7 @@ query_nodata(query_ctx_t *qctx, isc_result_t res) {
 #endif /* ifdef dns64_bis_return_excluded_addresses */
 	} else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) &&
 		   !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite &&
+		   !qctx->redirected &&
 		   qctx->client->message->rdclass == dns_rdataclass_in &&
 		   qctx->qtype == dns_rdatatype_aaaa)
 	{