From 22880ed9c36fc7f6d83515912b1ccf2fb00bc697 Mon Sep 17 00:00:00 2001
From: Klaus Darilion
Date: Fri, 12 Oct 2018 20:20:03 +0000
Subject: [PATCH] during SOA-check response processing make sure to only accept SOA records if their label is identical to the requested domain.
---
 pdns/resolver.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index 2d274bff7f..ab3dcad0ce 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -277,14 +277,14 @@ bool Resolver::tryGetSOASerial(DNSName *domain, ComboAddress* remote, uint32_t *
 *theirInception = *theirExpire = 0;
 bool gotSOA=false;
 for(const MOADNSParser::answers_t::value_type& drc : mdp.d_answers) {
- if(drc.first.d_type == QType::SOA) {
+ if(drc.first.d_type == QType::SOA && drc.first.d_name == *domain) {
 shared_ptr src=getRR(drc.first);
 if (src) {
 *theirSerial=src->d_st.serial;
 gotSOA = true;
 }
 }
- if(drc.first.d_type == QType::RRSIG) {
+ if(drc.first.d_type == QType::RRSIG && drc.first.d_name == *domain) {
 shared_ptr rrc=getRR(drc.first);
 if(rrc && rrc->d_type == QType::SOA) {
 *theirInception= std::max(*theirInception, rrc->d_siginception);
-- 
2.47.2
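Review bot: The owner-name comparison added on both `if` lines still accepts a matching SOA or RRSIG from any section of the response, because nothing in the loop looks at `drc.first.d_place`. If `mdp.d_answers` holds authority and additional records as well as answers (the parser is not visible in this hunk), the serial should come from the answer section only, e.g. `if(drc.first.d_place == DNSResourceRecord::ANSWER && drc.first.d_type == QType::SOA && drc.first.d_name == *domain) {`, and likewise on the RRSIG branch. The RRSIG inception and expiry are copied from the record with no signature validation in the visible lines, so unless that happens elsewhere they are only a hint. A comment above the loop such as `// only accept records whose owner name is the zone we queried; ignore everything else in the response` would record why the comparison exists. tryGetSOASerial starts before and continues past this hunk, so the query construction and the use of `gotSOA` cannot be checked from here.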