From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 18 May 2026 15:41:32 +0000 (+0200)
Subject: Don't remove corresponding RRSIG in the same loop
X-Git-Tag: v9.21.23~51^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1abd977f4313f4ce3ff3dd6c5401fccb05f321e2;p=thirdparty%2Fbind9.git

Don't remove corresponding RRSIG in the same loop

The dns_db_deleterdataset() removing the corresponding signature
within the iterator is wrong, because it mutates an rdataset
that is not the current one.
---

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7095143dd3a..a8d15b57ae3 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5594,30 +5594,34 @@ evict_cname_other(fetchctx_t *fctx, dns_name_t *name) {
 	DNS_RDATASETITER_FOREACH(rdsiter) {
 		dns_rdataset_t rdataset = DNS_RDATASET_INIT;
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type == dns_rdatatype_nsec ||
-		    rdataset.type == dns_rdatatype_nxt ||
-		    rdataset.type == dns_rdatatype_key)
-		{
-			/* KEY, NSEC and NXT records are allowed */
+
+		if (NEGATIVE(&rdataset)) {
+			/* Keep all negative entries */
 			dns_rdataset_disassociate(&rdataset);
 			continue;
 		}
-		if (dns_rdatatype_issig(rdataset.type)) {
-			/* Signatures will be deleted together below */
+
+		dns_typepair_t typepair = DNS_TYPEPAIR_VALUE(rdataset.type,
+							     rdataset.covers);
+		switch (typepair) {
+		/* KEY, NSEC and NXT records are allowed */
+		case DNS_TYPEPAIR(dns_rdatatype_nsec):
+		case DNS_TYPEPAIR(dns_rdatatype_nxt):
+		case DNS_TYPEPAIR(dns_rdatatype_key):
+		case DNS_SIGTYPEPAIR(dns_rdatatype_nsec):
+		case DNS_SIGTYPEPAIR(dns_rdatatype_nxt):
+		case DNS_SIGTYPEPAIR(dns_rdatatype_key):
+		/* Keep the CNAME and its signature */
+		case DNS_TYPEPAIR(dns_rdatatype_cname):
+		case DNS_SIGTYPEPAIR(dns_rdatatype_cname):
 			dns_rdataset_disassociate(&rdataset);
 			continue;
-		}
-		if (rdataset.type == dns_rdatatype_none) {
-			/* Negative type. */
+		default:
+			/* Evict everything else */
+			dns_db_deleterdataset(fctx->cache, node, NULL,
+					      rdataset.type, rdataset.covers);
 			dns_rdataset_disassociate(&rdataset);
-			continue;
 		}
-
-		dns_db_deleterdataset(fctx->cache, node, NULL, rdataset.type,
-				      0);
-		dns_db_deleterdataset(fctx->cache, node, NULL,
-				      dns_rdatatype_rrsig, rdataset.type);
-		dns_rdataset_disassociate(&rdataset);
 	}
 
 	dns_rdatasetiter_destroy(&rdsiter);