From: Otto Moerbeek
Date: Mon, 22 Sep 2025 09:44:12 +0000 (+0200)
Subject: More strict validation of the relation between qname, rname and authname for NS records
X-Git-Tag: rec-5.2.6^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F16340%2Fhead;p=thirdparty%2Fpdns.git

More strict validation of the relation between qname, rname and authname for NS records

Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 987a6aa5a1..d57276fe69 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -4379,9 +4379,9 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
 ++skipCount;
 continue;
 }
- if (rec->d_type == QType::NS && !d_updatingRootNS && rec->d_name == g_rootdnsname) {
+ if (rec->d_type == QType::NS && (!rec->d_name.isPartOf(auth) || (rec->d_name == auth && !d_updatingRootNS) || !qname.isPartOf(rec->d_name))) {
 /*
- * We don't want to pick up root NS records in AUTHORITY and their associated ADDITIONAL sections of random queries.
+ * We don't want to pick up irrelevant NS records in AUTHORITY and their associated ADDITIONAL sections.
 * So remove them and don't add them to allowedAdditionals.
 */
 LOG(prefix << qname << ": Removing NS record '" << rec->toString() << "' in the AUTHORITY section of a response received from " << auth << endl);
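Review bot: The `d_updatingRootNS` exemption in the new condition is keyed on `rec->d_name == auth` rather than on the root name, so while the flag is set the apex-NS rule is relaxed for whatever `auth` is, whereas the removed line let the flag matter only for `g_rootdnsname`. Whether a query to a non-root zone can run with the flag set is not visible from this hunk; if it can, the middle term could be narrowed to `(rec->d_name == auth && !(d_updatingRootNS && auth == g_rootdnsname))`. The updated comment also says only "irrelevant", which hides the three separate rules the predicate enforces. I would spell them out there: the owner name must be inside `auth`, it must not be the `auth` apex except during a root NS update, and `qname` must sit at or below the owner name, so a later edit does not loosen one of them by accident. `sanitizeRecords` starts and ends outside the hunk, so the surrounding section check is assumed from the log text.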