From: Mark Andrews
Date: Wed, 18 Feb 2026 23:03:36 +0000 (+1100)
Subject: Return FORMERR for ECS family 0
X-Git-Tag: v9.21.19~20^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=757e503536a0fc036c87da39a4795e917a4380e6;p=thirdparty%2Fbind9.git
Return FORMERR for ECS family 0
RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally it requires FORMERR to be returned for all unknown families.
---
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 31360dd3424..0c8b99d6567 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -522,10 +522,8 @@ if [ -x "$DIG" ]; then
 echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)"
 ret=0
 dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example >dig.out.test$n 2>&1 || ret=1
- grep "status: NOERROR" /dev/null || ret=1
- grep "CLIENT-SUBNET: 0/0/0" /dev/null || ret=1
- grep "10.0.0.1" /dev/null || ret=1
- check_ttl_range dig.out.test$n "A" 300 || ret=1
+ grep "status: FORMERR" /dev/null || ret=1
+ grep "CLIENT-SUBNET" /dev/null && ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 703dc618230..3c42a85bf0d 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1107,8 +1107,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message) {
 if (((client->inner.attributes & NS_CLIENTATTR_HAVEECS) != 0) &&
 (client->inner.ecs.addr.family == AF_INET ||
- client->inner.ecs.addr.family == AF_INET6 ||
- client->inner.ecs.addr.family == AF_UNSPEC))
+ client->inner.ecs.addr.family == AF_INET6))
 {
 isc_buffer_t buf;
 uint8_t addr[16];
@@ -1123,10 +1122,6 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message) {
 addrl = (plen + 7) / 8;
 switch (client->inner.ecs.addr.family) {
- case AF_UNSPEC:
- INSIST(plen == 0);
- family = 0;
- break;
 case AF_INET:
 INSIST(plen <= 32);
 family = 1;
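Review bot: The rewritten check pins only the all-zero option (`+ednsopt=8:00000000`), while the same commit also deletes the separate `addrlen != 0U` rejection for FAMILY=0 in process_ecs, so a family-0 option with a non-zero SOURCE PREFIX-LENGTH is not exercised by anything in this hunk. A companion case asserting `status: FORMERR` and no `CLIENT-SUBNET` line for that input, and for one unassigned non-zero family, would pin the "all unknown families" behaviour the commit message cites from RFC 7871. Such cases may already exist elsewhere in tests.sh, which is outside the hunk.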
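Review bot: With `AF_UNSPEC` dropped from the condition in ns_client_addopt, a client that has NS_CLIENTATTR_HAVEECS set with any family other than AF_INET/AF_INET6 now gets, as far as this hunk shows, a response with the ECS option silently omitted. Correctness therefore rests on process_ecs never setting that attribute for family 0. That rejection now falls to whichever arm of `switch (family)` handles unmatched values, which is outside the visible hunks; it is worth confirming that arm returns DNS_R_OPTERR rather than ignoring the option. I would record the invariant above the condition, e.g. `/* Only RFC 7871 families 1 (IPv4) and 2 (IPv6) are echoed; process_ecs() rejects every other family with FORMERR. */`. The function body starts and continues outside the hunk.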
@@ -1429,23 +1424,6 @@ process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 memset(&caddr, 0, sizeof(caddr));
 switch (family) {
- case 0:
- /*
- * XXXMUKS: In queries, if FAMILY is set to 0, SOURCE
- * PREFIX-LENGTH must be 0 and ADDRESS should not be
- * present as the address and prefix lengths don't make
- * sense because the family is unknown.
- */
- if (addrlen != 0U) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
- "EDNS client-subnet option: invalid "
- "address length (%u) for FAMILY=0",
- addrlen);
- return DNS_R_OPTERR;
- }
- caddr.family = AF_UNSPEC;
- break;
 case 1:
 if (addrlen > 32U) {
 ns_client_log(client, NS_LOGCATEGORY_CLIENT,