From c4387ecd816ed9b16e471a9df5f1138d96f51716 Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Date: Sun, 16 May 2021 00:10:59 +0200
Subject: [PATCH] getAuth: abort if backend returned wrong SOA for cached
 domain

---
 pdns/ueberbackend.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pdns/ueberbackend.cc b/pdns/ueberbackend.cc
index 9dd1bcc6c6..d234e689b9 100644
--- a/pdns/ueberbackend.cc
+++ b/pdns/ueberbackend.cc
@@ -366,6 +366,9 @@ bool UeberBackend::getAuth(const DNSName &target, const QType& qtype, SOAData* s
           g_log << Logger::Info << "Backend returned no SOA for domain '" << shorter.toLogString() << "', which it reported as existing " << endl;
           return false;
         }
+        if (zr.dr.d_name != shorter) {
+          throw PDNSException("getAuth() returned an SOA for the wrong zone. Zone '"+zr.dr.d_name.toLogString()+"' is not equal to looked up zone '"+shorter.toLogString()+"'");
+        }
         sd->qname = zr.dr.d_name;
         fillSOAData(zr, *sd);
         // leave database handle in a consistent state
-- 
2.47.2