4575. [security] Dns64 with break-dnssec yes; can result in a

                        assertion failure. (CVE-2017-3136) [RT #44653]

(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)

diff --git a/CHANGES b/CHANGES
index 50613d34bee830a4ca8634d4ed22d32bdb2d0b4c..aed7848c373d20040e13d2183fe7d04bfe083bc3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4575.  [security]      Dns64 with break-dnssec yes; can result in a
+                       assertion failure. (CVE-2017-3136) [RT #44653]
+
 4564.  [maint]         Update the built in managed keys to include the
                        upcoming root KSK. [RT #44579]
                        

diff --git a/bin/named/query.c b/bin/named/query.c
index ecfe1a81ab292ec078d1371b54090e8b42a3de66..e09579bbad840b020e11e8708aa81d57b4e02094 100644 (file)
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -7544,6 +7544,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                        result = query_dns64(client, &fname, rdataset,
                                             sigrdataset, dbuf,
                                             DNS_SECTION_ANSWER);
+                       noqname = NULL;
                        dns_rdataset_disassociate(rdataset);
                        dns_message_puttemprdataset(client->message, &rdataset);
                        if (result == ISC_R_NOMORE) {