From: Mark Andrews Date: Thu, 20 Jan 2022 23:52:02 +0000 (+1100) Subject: Check that the forward declaration is unchanged and not overridden X-Git-Tag: v9.16.27~3^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52d918c315e55475df1c080be9d4d7cfd395f835;p=thirdparty%2Fbind9.git Check that the forward declaration is unchanged and not overridden If we are using a fowarder, in addition to checking that names to be cached are subdomains of the forwarded namespace, we must also check that there are no subsidiary forwarded namespaces which would take precedence. To be safe, we don't cache any responses if the forwarding configuration has changed since the query was sent.
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 2f67aba873d..37411573445 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7130,7 +7130,31 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
 static inline bool
 name_external(const dns_name_t *name, fetchctx_t *fctx) {
 if (ISFORWARDER(fctx->addrinfo)) {
- return (!dns_name_issubdomain(name, fctx->fwdname));
+ isc_result_t result;
+ dns_fixedname_t fixed;
+ dns_forwarders_t *forwarders = NULL;
+ dns_name_t *fname;
+
+ if (!dns_name_issubdomain(name, fctx->fwdname)) {
+ return (true);
+ }
+
+ /*
+ * Is there a child forwarder declaration that is better?
+ * This lookup should always succeed if the configuration
+ * has not changed.
+ */
+ fname = dns_fixedname_initname(&fixed);
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+ &forwarders);
+ if (result == ISC_R_SUCCESS) {
+ return (!dns_name_equal(fname, fctx->fwdname));
+ }
+
+ /*
+ * Play it safe if the configuration has changed.
+ */
+ return (true);
 }
 return (!dns_name_issubdomain(name, &fctx->domain));