Skip "deny-answer-address" for non-IN addresses

Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 91c4f27514d1a9c7157e16bdf6146b7639d22741..9d46126771f9dcd3314322154f6ec7b694654858 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7333,6 +7333,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
                }
        }
 
+       /*
+        * deny-answer-address doesn't apply to non-IN classes.
+        */
+       if (rdataset->rdclass != dns_rdataclass_in) {
+               return true;
+       }
+
        /*
         * Otherwise, search the filter list for a match for each
         * address record.  If a match is found, the address should be