- Fix that auth-zone, and RPZ zones, do not allow out-of-zone
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 16 Jun 2026 07:48:10 +0000 (09:48 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 16 Jun 2026 07:48:10 +0000 (09:48 +0200)
  records. These are records that are not under the zone apex.
  The out-of-zone records are dropped from the zone contents.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.

doc/Changelog
services/authzone.c

index 5ece54024694d238675b20e12b74262e82c08cfb..2ab026031172f882d6df662cff0693adee6b1a73 100644 (file)
        - Fix that a half-written trust anchor file does not crash
          the server at runtime. It unlinks a wrong file from the list.
          Thanks to Qifan Zhang, Palo Alto Networks, for the report.
+       - Fix that auth-zone, and RPZ zones, do not allow out-of-zone
+         records. These are records that are not under the zone apex.
+         The out-of-zone records are dropped from the zone contents.
+         Thanks to Qifan Zhang, Palo Alto Networks, for the report.
 
 15 June 2026: Wouter
        - Fix to add `max-transfer-size` and `max-transfer-time` that
index b17cc860281b9e94e971a8c558040971aa7bd99e..6a5d6980c5d9b21f222b93a1d5a15aeadd23eff8 100644 (file)
@@ -1188,6 +1188,15 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
                log_err("malformed AAAA record");
                return 0;
        }
+       if(!dname_subdomain_c(dname, z->name)) {
+               char nm[LDNS_MAX_DOMAINLEN], zn[LDNS_MAX_DOMAINLEN];
+               dname_str(dname, nm);
+               dname_str(z->name, zn);
+               verbose(VERB_ALGO, "auth-zone %s: dropping out-of-zone RR "
+                       "%s", zn, nm);
+               if(duplicate) *duplicate=1; /* treat as bad insert */
+               return 1;
+       }
        if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
                log_err("cannot create domain");
                return 0;
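Review bot: The dropped out-of-zone RR is reported only at VERB_ALGO (the verbose() call in the added block), so at production verbosity an operator never learns that a zone file or a transfer peer supplied names outside the apex, which is precisely the signal a defender wants when a primary starts pushing foreign records; consider `verbose(VERB_OPS, "auth-zone %s: dropping out-of-zone RR %s", zn, nm);` or a once-per-zone-load warning instead. The `duplicate` out-parameter is also overloaded here: after this change a rejected RR and an already-present RR look identical to the caller, and a caller that passes NULL gets no indication that anything was discarded, so the `return 1;` path deserves a comment such as `/* out-of-zone: not inserted but not a parse error; only signalled through *duplicate when the caller supplies it */`. az_insert_rr begins and ends outside the hunk, so whether every insertion path (file parse and transfer apply) reaches this check cannot be confirmed from here.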