From: Alessio Podda Date: Tue, 16 Jun 2026 10:08:23 +0000 (+0200) Subject: Reject referrals from global forwarders X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=18f4db8f1baec373d04a97cd79e3da3a3bba48e5;p=thirdparty%2Fbind9.git Reject referrals from global forwarders Reject referrals from root/global forwarders, where there is no narrower forward-zone apex for name_external() to enforce.
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 13e11e0ae45..d61bd76f679 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9439,6 +9439,19 @@ rctx_referral(respctx_t *rctx) {
 return ISC_R_COMPLETE;
 }
+ /*
+ * If a global forwarder is in use, we don't want to cache its
+ * referrals. Dual-stack alternates are not treated as forwarders for
+ * namespace checks, even if their address info uses the forwarder flag.
+ */
+ if (ISFORWARDER(fctx->addrinfo) && !ISDUALSTACK(fctx->addrinfo) &&
+ dns_name_equal(fctx->fwdname, dns_rootname))
+ {
+ log_formerr(fctx, "referral from global forwarder");
+ rctx->result = DNS_R_FORMERR;
+ return ISC_R_COMPLETE;
+ }
+
 /*
 * We already know ns_name is a subdomain of fctx->domain.
 * If ns_name is equal to fctx->domain, we're not making
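Review bot: The comment above the new check says only that a global forwarder's referrals should not be cached, but the code goes further and fails the whole response with DNS_R_FORMERR via log_formerr, so the comment understates what the branch does; rewording it to match would help, e.g. `* A referral from a global forwarder is rejected outright (not merely` / `* left uncached): there is no narrower forward-zone apex for name_external()` / `* to bound its NS/glue, so nothing it delegates can be trusted.`. Classifying the rejection as a format error also means it is logged as a malformed-response event, which may confuse operators diagnosing a forwarder that deliberately returns referrals; if the resolver's FORMERR handling marks the server as broken or retries elsewhere, that is presumably the intended effect for forward-first configurations, but it is not visible in this hunk. rctx_referral's body begins before and continues after the hunk.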