From: Yorgos Thessalonikefs
Date: Fri, 13 Mar 2026 10:28:32 +0000 (+0100)
Subject: - Fix to ignore out-of-zone DNAME records for CNAME synthesis. Thanks
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4672fa5b5347677c034a81314ef82ccec8f950c0;p=thirdparty%2Funbound.git

- Fix to ignore out-of-zone DNAME records for CNAME synthesis. Thanks to Yuxiao Wu, Yiyi Wang, Zhang Chao, Baojun Liu, and Haixin Duan from Tsinghua University.
---
diff --git a/doc/Changelog b/doc/Changelog
index e24e55557..b8252d7e4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+13 March 2026: Yorgos
+ - Fix to ignore out-of-zone DNAME records for CNAME synthesis. Thanks
+ to Yuxiao Wu, Yiyi Wang, Zhang Chao, Baojun Liu, and Haixin Duan from
+ Tsinghua University.
+
 9 March 2026: Wouter
 - Fix compile failure in unbound-checkconf for older gcc compiler.
 - Merge #1418: Apply cache TTL policy to DNAME and synthesized
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 147b1f05c..757d95a3d 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -466,8 +466,9 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 pkt, msg, prev, &rrset);
 continue;
 }
- if(rrset->type == LDNS_RR_TYPE_DNAME &&
- pkt_strict_sub(pkt, sname, rrset->dname)) {
+ if(rrset->type == LDNS_RR_TYPE_DNAME &&
+ pkt_strict_sub(pkt, sname, rrset->dname) &&
+ pkt_sub(pkt, rrset->dname, zonename)) {
 /* check if next rrset is correct CNAME. else,
 * synthesize a CNAME */
 struct rrset_parse* nx = rrset->rrset_all_next;
@@ -534,7 +535,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 if(nx && nx->section == LDNS_SECTION_ANSWER &&
 nx->type == LDNS_RR_TYPE_DNAME &&
 nx->rr_count == 1 &&
- pkt_strict_sub(pkt, sname, nx->dname)) {
+ pkt_strict_sub(pkt, sname, nx->dname) &&
+ pkt_sub(pkt, nx->dname, zonename)) {
 /* there is a DNAME after this CNAME, it
 * is in the ANSWER section, and the DNAME
 * applies to the name we cover */
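Review bot: The new `pkt_sub(pkt, rrset->dname, zonename)` condition in the DNAME branch carries no comment explaining why the DNAME owner must sit at or below the zone this server was queried for, and that is the security-relevant half of the fix; I would add above the `if`: `/* only honour a DNAME whose owner is inside the zone we asked this server about; an out-of-zone DNAME would let the responder synthesize CNAMEs for names it is not authoritative for (RFC 6672) */`. Choosing the non-strict `pkt_sub` instead of `pkt_strict_sub` looks deliberate, since a DNAME at the zone apex itself is legitimate, and that is worth saying in the same comment so nobody "tightens" it later. The hunk does not show where `zonename` comes from; presumably it is the delegation point name scrub_normalize already receives, but the signature in the hunk header is truncated, so that should be confirmed. scrub_normalize starts and ends outside this hunk.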
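Review bot: The added out-of-zone guard on the CNAME-followed-by-DNAME path is not exercised by the new regression test, which only places a bare out-of-zone DNAME in the ANSWER section (the first hunk's branch); a second scenario with a `x.y.example.com. IN CNAME ...` record followed by `com. DNAME z.example.com.` would pin that the CNAME is still kept while the trailing DNAME is neither used for synthesis nor left in the answer. When the new `pkt_sub(pkt, nx->dname, zonename)` check fails, this code simply does not consume the DNAME rrset; that it is subsequently dropped rather than passed through to the client is inferred from the test's expected empty ANSWER section, not from anything visible in this hunk. A one-line comment such as `/* an out-of-zone DNAME is not ours to apply; leave it for the sanitizer to drop */` on the condition would make that hand-off explicit. scrub_normalize continues outside the hunk on both sides.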
diff --git a/testdata/iter_scrub_dname_out_of_zone.rpl b/testdata/iter_scrub_dname_out_of_zone.rpl
new file mode 100644
index 000000000..8dbafdf72
--- /dev/null
+++ b/testdata/iter_scrub_dname_out_of_zone.rpl
@@ -0,0 +1,122 @@
+; config options
+server:
+ harden-referral-path: no
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+ iter-scrub-promiscuous: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test scrub of out-of-zone DNAME in answer section
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+x.y.example.com. IN A
+ENTRY_END
+
+; root prime is sent
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+. IN NS
+ENTRY_END
+STEP 30 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+; query sent to root server
+STEP 40 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+x.y.example.com. IN A
+ENTRY_END
+STEP 50 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+; query sent to .com server
+STEP 60 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+x.y.example.com. IN A
+ENTRY_END
+
+STEP 70 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+STEP 80 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+x.y.example.com. IN A
+ENTRY_END
+
+STEP 90 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+x.y.example.com. IN A
+SECTION ANSWER
+com. DNAME z.example.com.
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+; answer to first query
+; nodata answer since the DNAME is ignored for synthesis and scrubbed
+; all together.
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA
+SECTION QUESTION
+x.y.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+SCENARIO_END