From: W.C.A. Wijngaards Date: Tue, 16 Jun 2026 09:13:47 +0000 (+0200) Subject: - Fix for #1462: Fix that auth primary host name lookup X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d78cb8d9a7bd11ecbc34c5d4c45b329f37298e2;p=thirdparty%2Funbound.git - Fix for #1462: Fix that auth primary host name lookup allows CNAMEs. --- diff --git a/doc/Changelog b/doc/Changelog index de4c07760..a74d61dd9 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -60,6 +60,8 @@ localzone processing, during RPZ qname trigger processing, the RRset retains its previous data correcly. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix for #1462: Fix that auth primary host name lookup + allows CNAMEs. 15 June 2026: Wouter - Fix to add `max-transfer-size` and `max-transfer-time` that diff --git a/services/authzone.c b/services/authzone.c index 413a4e43f..7e07168da 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -5850,7 +5850,8 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset, /** check if the lookup target name equals the found answer name. */ static int xfer_target_equals_answer_name(struct auth_master* lookup_target, - struct ub_packed_rrset_key* answer) + struct ub_packed_rrset_key* answer, struct query_info* rq, + struct reply_info* rep) { uint8_t qname[LDNS_MAX_DOMAINLEN+1]; size_t qname_len; @@ -5864,6 +5865,10 @@ xfer_target_equals_answer_name(struct auth_master* lookup_target, } if(query_dname_compare(answer->rk.dname, qname) == 0) return 1; + /* It could be a CNAME. */ + if(reply_find_rrset_section_an(rep, qname, qname_len, + LDNS_RR_TYPE_CNAME, rq->qclass)) + return 1; return 0; } 
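Review bot: The doc comment kept above xfer_target_equals_answer_name in the first authzone.c hunk still says only that the lookup target name must equal the answer name, and the two parameters added to the signature are undocumented. Since the following hunk makes the function also accept a CNAME owned by the target name, the comment could read `/** check if the lookup target name equals the found answer name, or owns a CNAME in the answer section of rep; rq supplies the query class. */`. The function body continues past the end of this hunk.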
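Review bot: The added CNAME branch returns 1 as soon as any CNAME RRset owned by qname is present in the answer section, without relating that CNAME to `answer`, whose addresses the callers then hand to xfr_master_add_addrs. It therefore appears to depend on reply_find_answer_rrset() in the callers having followed the chain from the same query name. If that is the intent, it deserves a comment such as `/* It could be a CNAME; answer is then the end of the chain that reply_find_answer_rrset() followed from qname. */`. Accepting an alias also means the zone holding the CNAME target now influences which addresses become transfer sources; whether the lookup reply is validated or the transfer is otherwise authenticated is not visible here. The part of the function that fills qname lies between the two hunks and is not shown.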
@@ -5898,7 +5903,8 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 struct ub_packed_rrset_key* answer =
 reply_find_answer_rrset(&rq, rep);
 if(answer && xfer_target_equals_answer_name(
- xfr->task_transfer->lookup_target, answer)) {
+ xfr->task_transfer->lookup_target, answer,
+ &rq, rep)) {
 xfr_master_add_addrs(xfr->task_transfer->
 lookup_target, answer, wanted_qtype);
 } else if(answer) {
@@ -7048,7 +7054,8 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 struct ub_packed_rrset_key* answer =
 reply_find_answer_rrset(&rq, rep);
 if(answer && xfer_target_equals_answer_name(
- xfr->task_probe->lookup_target, answer)) {
+ xfr->task_probe->lookup_target, answer,
+ &rq, rep)) {
 xfr_master_add_addrs(xfr->task_probe->
 lookup_target, answer, wanted_qtype);
 } else if(answer) {