Skip DNS64 synthesis when answering a redirected response

redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.

diff --git a/lib/ns/query.c b/lib/ns/query.c
index b160171935ff11e35c91d9e7b9a2b46fbeaadc78..ca76df4f3d542b56c8389743afb41d676745d2fa 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -8902,6 +8902,7 @@ query_nodata(query_ctx_t *qctx, isc_result_t res) {
 #endif /* ifdef dns64_bis_return_excluded_addresses */
        } else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) &&
                   !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite &&
+                  !qctx->redirected &&
                   qctx->client->message->rdclass == dns_rdataclass_in &&
                   qctx->qtype == dns_rdatatype_aaaa)
        {