/* Authority MUST be at/below the authority of the nameserver, otherwise
* possible cache injection attempt. */
if (!knot_dname_in(cut->name, rr->owner)) {
- DEBUG_MSG("<= authority: ns outside bailiwick, rejecting\n");
- return KNOT_STATE_FAIL;
+ DEBUG_MSG("<= authority: ns outside bailiwick, ignoring\n");
+ return state;
}
/* Update zone cut name */
}
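Review bot: The comment above the check still says the authority MUST be at or below the nameserver's authority, but the new branch only emits `DEBUG_MSG` and returns the incoming `state`, so the comment no longer matches the behaviour. I would reword it along the lines of `/* NS owner outside the server's bailiwick: skip it (possible cache injection attempt), do not fail the query. */`. Since the only trace is a debug message, builds without debug logging presumably leave no signal that a server sent out-of-bailiwick authority data; a counter or non-debug log line here would help detection. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether later authority records are still examined after `return state;`.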
/** Cache stub nameservers. */
-static int write_cache_authority(knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_ctx_t *pool, uint32_t timestamp)
+static int write_cache_authority(struct kr_zonecut *cut, knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_ctx_t *pool, uint32_t timestamp)
{
knot_rrset_t glue_rr = { NULL, 0, 0 };
knot_rrset_t cache_rr = { NULL, 0, 0 };
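Review bot: The doc comment `/** Cache stub nameservers. */` does not describe the new `cut` parameter, which the body later dereferences as `cut->name` without a NULL check. Suggest extending it, e.g. `/** Cache stub nameservers; only NS records owned at or below cut->name are written. cut must be non-NULL. */`. The function body continues outside this hunk.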
for (unsigned i = 0; i < ns->count; ++i) {
const knot_rrset_t *rr = knot_pkt_rr(ns, i);
if (rr->type == KNOT_RRTYPE_NS) {
+ /* Cache in-bailiwick data only */
+ if (!knot_dname_in(cut->name, rr->owner)) {
+ return KNOT_ENOENT;
+ }
/* Cache glue (if contains) */
for (unsigned i = 0; i < sizeof(type_list)/sizeof(uint16_t); ++i) {
knot_dname_t *owner = (knot_dname_t *)knot_ns_name(&rr->rrs, 0);
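Review bot: The added bailiwick test covers only the NS record's owner; the glue owner taken from `knot_ns_name(&rr->rrs, 0)` a few lines later is not compared with `cut->name` in the visible lines, so address records for a nameserver name outside the cut may still reach the cache. Unless the glue loop checks this further down (its body is outside the hunk), guard the glue write with `knot_dname_in(cut->name, owner)` as well. Separately, `return KNOT_ENOENT;` on the first out-of-bailiwick NS ends the loop over the section and hands an error to the caller, while the iterator change in this commit treats the same condition as ignorable; `continue;` would skip just that record and keep caching the in-bailiwick ones.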
ret = write_cache_answer(pkt, &txn, pool, timestamp);
}
if (ret == KNOT_EOK) {
- ret = write_cache_authority(pkt, &txn, pool, timestamp);
+ ret = write_cache_authority(&query->zone_cut, pkt, &txn, pool, timestamp);
}
/* Cache full, do what we must. */
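Review bot: `&query->zone_cut` is read at caching time, and the iterator hunk in this commit shows an "Update zone cut name" step right after its own bailiwick check, so if that layer runs first the cut passed here may already be the delegated child rather than the zone of the server that answered. In that case the new check in `write_cache_authority` would compare NS owners against a name the same response just set, which is weaker than it looks; it is worth confirming the layer order or passing the cut that was in effect when the query was sent. Also confirm that the handling after this block (outside the hunk, under "Cache full") does not treat the new `KNOT_ENOENT` return as a cache failure.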