Check that the forward declaration is unchanged and not overridden

If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 98c169e4d2d7372b1196d2a5e08a97c9ebb96ddb..ad7d875329f2acc7ee3ebbe64fd56876c2d8b3ef 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6237,7 +6237,31 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
 static inline bool
 name_external(const dns_name_t *name, fetchctx_t *fctx) {
        if (ISFORWARDER(fctx->addrinfo)) {
-               return (!dns_name_issubdomain(name, fctx->fwdname));
+               isc_result_t result;
+               dns_fixedname_t fixed;
+               dns_forwarders_t *forwarders = NULL;
+               dns_name_t *fname;
+
+               if (!dns_name_issubdomain(name, fctx->fwdname)) {
+                       return (true);
+               }
+
+               /*
+                * Is there a child forwarder declaration that is better?
+                * This lookup should always succeed if the configuration
+                * has not changed.
+                */
+               fname = dns_fixedname_initname(&fixed);
+               result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+                                          &forwarders);
+               if (result == ISC_R_SUCCESS) {
+                       return (!dns_name_equal(fname, fctx->fwdname));
+               }
+
+               /*
+                * Play it safe if the configuration has changed.
+                */
+               return (true);
        }
 
        return (!dns_name_issubdomain(name, &fctx->domain));