Skip DNS64 synthesis when answering a redirected response

redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.

(cherry picked from commit 4bfd18d08d706218400ba131f6625f6bcd7c47cc)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 8909ed2608732e3c39e22c48060123df0a7b58e5..b9f8415082613580fadbba588d860a15e7bbf057 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -9322,6 +9322,7 @@ query_nodata(query_ctx_t *qctx, isc_result_t res) {
 #endif /* ifdef dns64_bis_return_excluded_addresses */
        } else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) &&
                   !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite &&
+                  !qctx->redirected &&
                   qctx->client->message->rdclass == dns_rdataclass_in &&
                   qctx->qtype == dns_rdatatype_aaaa)
        {