From: Mark Andrews Date: Wed, 9 Jul 2025 23:37:36 +0000 (+1000) Subject: Tighten restrictions on caching NS RRsets in authority section X-Git-Tag: v9.21.14~6^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa153f791f9324bf84abf8d259e11c0531fe6e25;p=thirdparty%2Fbind9.git Tighten restrictions on caching NS RRsets in authority section To prevent certain spoofing attacks, a new check has been added to the existing rules for whether NS data can be cached: the owner name of the NS RRset must be an ancestor of the name being queried.
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 61ec6191f66..85b8aafaddf 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8435,8 +8435,8 @@ rctx_answer_dname(respctx_t *rctx) {
  * section to be subdomains of the domain being queried; any that are
  * not are skipped. We expect to find only *one* owner name; any names
  * after the first one processed are ignored. We expect to find only
- * rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
- * remains can be cached at trust level authauthority or additional
+ * rdatasets of type NS; all others are ignored. Whatever remains can
+ * be cached at trust level authauthority or additional
  * (depending on whether the AA bit was set on the answer).
  */
 static void
@@ -8445,7 +8445,9 @@ rctx_authority_positive(respctx_t *rctx) {
 dns_message_t *msg = rctx->query->rmessage;
 MSG_SECTION_FOREACH(msg, DNS_SECTION_AUTHORITY, name) {
- if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ if (!name_external(name, dns_rdatatype_ns, fctx) &&
+ dns_name_issubdomain(fctx->name, name))
+ {
 /*
  * We expect to find NS or SIG NS rdatasets, and
  * nothing else.
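Review bot: The rewritten header comment in the first hunk still does not state the condition this commit adds — that the owner name of the NS RRset must be an ancestor of, or equal to, the name being queried (fctx->name) — so the function's documented contract lags the new check in the hunk below it. I would extend the sentence ending `any that are not are skipped.` with `The owner name must also be an ancestor of (or equal to) the queried name; an NS RRset at any other name is skipped, because caching it would let a response plant a delegation unrelated to the query.` The in-function comment that follows the new condition in the second hunk still reads `We expect to find NS or SIG NS rdatasets, and nothing else.`, which now disagrees with `rdatasets of type NS; all others are ignored` in the header; presumably it should be brought into line as well. The body of rctx_authority_positive continues past the end of this chunk, so I cannot see whether anything after the loop depends on the old wording.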