Reject referrals from global forwarders 12154/head
authorAlessio Podda <alessio@isc.org>
Tue, 16 Jun 2026 10:08:23 +0000 (12:08 +0200)
committerAlessio Podda <alessio@isc.org>
Thu, 18 Jun 2026 12:13:32 +0000 (12:13 +0000)
Reject referrals from root/global forwarders, where there is no narrower
forward-zone apex for name_external() to enforce.

lib/dns/resolver.c

index 13e11e0ae45d76fd83f6cae866ef459ac31110a5..d61bd76f6795354b398364732ba02d5ecb2d43fb 100644 (file)
@@ -9439,6 +9439,19 @@ rctx_referral(respctx_t *rctx) {
                return ISC_R_COMPLETE;
        }
 
+       /*
+        * If a global forwarder is in use, we don't want to cache its
+        * referrals. Dual-stack alternates are not treated as forwarders for
+        * namespace checks, even if their address info uses the forwarder flag.
+        */
+       if (ISFORWARDER(fctx->addrinfo) && !ISDUALSTACK(fctx->addrinfo) &&
+           dns_name_equal(fctx->fwdname, dns_rootname))
+       {
+               log_formerr(fctx, "referral from global forwarder");
+               rctx->result = DNS_R_FORMERR;
+               return ISC_R_COMPLETE;
+       }
+
        /*
         * We already know ns_name is a subdomain of fctx->domain.
         * If ns_name is equal to fctx->domain, we're not making
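Review bot: The new comment at the top of the added branch understates what the code does: it says the forwarder's referrals are "not cached", but the branch rejects the whole response with `DNS_R_FORMERR` and returns `ISC_R_COMPLETE`, and the reason given in the commit message (no narrower forward-zone apex for name_external() to bound the referral) is not recorded in the code at all. Suggest replacing the first sentence with `* A referral from a global (root) forwarder is rejected outright: with no narrower forward-zone apex, name_external() cannot bound the NS names it carries, so nothing from it may enter the cache.` Using a protocol-error code for what is really a policy rejection also deserves a word, since if rctx->result drives forward-first fallback or per-server error accounting elsewhere the choice is observable; I cannot confirm that from this hunk. rctx_referral() begins and ends outside the hunk.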