From: W.C.A. Wijngaards Date: Tue, 16 Jun 2026 07:48:10 +0000 (+0200) Subject: - Fix that auth-zone, and RPZ zones, do not allow out-of-zone X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f9b6db7bed5d67267d14ebe5c7613e620643677;p=thirdparty%2Funbound.git - Fix that auth-zone, and RPZ zones, do not allow out-of-zone records. These are records that are not under the zone apex. The out-of-zone records are dropped from the zone contents. Thanks to Qifan Zhang, Palo Alto Networks, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 5ece54024..2ab026031 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -11,6 +11,10 @@ - Fix that a half-written trust anchor file does not crash the server at runtime. It unlinks a wrong file from the list. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix that auth-zone, and RPZ zones, do not allow out-of-zone + records. These are records that are not under the zone apex. + The out-of-zone records are dropped from the zone contents. + Thanks to Qifan Zhang, Palo Alto Networks, for the report. 15 June 2026: Wouter - Fix to add `max-transfer-size` and `max-transfer-time` that diff --git a/services/authzone.c b/services/authzone.c index b17cc8602..6a5d6980c 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -1188,6 +1188,15 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, log_err("malformed AAAA record"); return 0; } + if(!dname_subdomain_c(dname, z->name)) { + char nm[LDNS_MAX_DOMAINLEN], zn[LDNS_MAX_DOMAINLEN]; + dname_str(dname, nm); + dname_str(z->name, zn); + verbose(VERB_ALGO, "auth-zone %s: dropping out-of-zone RR " + "%s", zn, nm); + if(duplicate) *duplicate=1; /* treat as bad insert */ + return 1; + } if(!(node=az_domain_find_or_create(z, dname, dname_len))) { log_err("cannot create domain"); return 0;
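Review bot: the Changelog entry says out-of-zone records "are dropped from the zone contents" but not how an operator would notice; the implementation only reports the drop at VERB_ALGO, so at default verbosity a zone file or transfer that loses records gives no indication. Suggest adding a sentence such as "Dropped records are logged at verbosity VERB_ALGO as 'auth-zone <zone>: dropping out-of-zone RR <name>'" so the message is discoverable from the release notes, and noting that this applies to both zonefile loading and zone transfers if that is the case.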
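Review bot: in the new block in az_insert_rr, signalling the out-of-zone drop through `if(duplicate) *duplicate=1; /* treat as bad insert */` overloads an out-parameter whose name promises "this RR was a duplicate", so any caller that counts or reports duplicates will misattribute out-of-zone records to that cause, and callers that pass NULL get a silent success return with nothing inserted. Consider a separate out-parameter (or an enum result) for "dropped as out-of-zone", and document the new meaning in the function's header comment if the flag is kept. Second, the drop is only visible at VERB_ALGO; since a record outside the apex in a loaded or transferred zone is either a configuration error or a sign that the zone source is misbehaving, and for RPZ it means a policy rule is silently not applied, a log_warn (or at least a per-zone count of dropped RRs reported once after load) would serve operators better than a per-RR verbose message. Finally, the check runs after the type-specific rdata validation (the preceding `malformed AAAA record` path); placing it before that validation would avoid parsing rdata for records that are dropped anyway, and would mean a malformed out-of-zone record is dropped rather than failing the whole load.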