From: Evan Hunt
Date: Thu, 18 Jun 2026 17:47:51 +0000 (+0000)
Subject: fix: usr: Check wildcard signer and NOQNAME signer match
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c5c68c1e9529efde3ebcd234dcbc4fb4840d7238;p=thirdparty%2Fbind9.git

fix: usr: Check wildcard signer and NOQNAME signer match

A positive wildcard answer, and the NSEC3 proof that the requested name doesn't exist in the zone, must both be from the same zone. Otherwise, an NSEC3 from an ancestor zone could be used to interfere with validation.

We now retrieve the signer name from a wildcard response's signature. An NSEC3 record cannot be used as a NOQNAME proof for the wildcard unless it exactly matches the name one level above the NSEC3.

Closes #5971

Merge branch '5971-wildcard-noqname-mismatch' into 'main'

See merge request isc-projects/bind9!12256
---

c5c68c1e9529efde3ebcd234dcbc4fb4840d7238
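
The check this commit message describes, as an added illustration that is not code from the BIND 9 change: the name one level above the NSEC3 owner is compared with the signer name taken from the wildcard's RRSIG. The function name and sample names are constructed for this example, and names are assumed to be in presentation format.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a presentation-format name, ignoring one trailing root dot. */
static size_t name_len(const char *name) {
    size_t n = strlen(name);
    return (n > 0 && name[n - 1] == '.') ? n - 1 : n;
}

/* ASCII case-insensitive comparison of the first n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/*
 * Hypothetical helper (not a BIND function): true only if the name one
 * level above the NSEC3 owner equals the wildcard RRSIG's signer name.
 * The first label of an NSEC3 owner is a base32hex hash, so it cannot
 * contain an escaped dot and the first '.' ends it.
 */
bool noqname_nsec3_matches_signer(const char *nsec3_owner,
                                  const char *wildcard_signer) {
    if (nsec3_owner == NULL || wildcard_signer == NULL)
        return false;
    const char *dot = strchr(nsec3_owner, '.');
    if (dot == NULL)
        return false; /* single label: no parent to compare */
    const char *zone = dot + 1;
    size_t zl = name_len(zone), sl = name_len(wildcard_signer);
    return zl == sl && eq_nocase(zone, wildcard_signer, zl);
}

int main(void) {
    /* Constructed sample names; the hash label is a placeholder. */
    const char *signer = "example.com.";
    const char *same = "abcdefghijklmnopqrstuv0123456789.example.com.";
    const char *ancestor = "abcdefghijklmnopqrstuv0123456789.com.";
    printf("same zone: %d\n", noqname_nsec3_matches_signer(same, signer));
    printf("ancestor:  %d\n", noqname_nsec3_matches_signer(ancestor, signer));
    return 0;
}
```

An NSEC3 whose owner sits directly under `com.` is rejected for an answer signed by `example.com.`, which is the ancestor-zone case the message refers to.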