Skip "deny-answer-address" for non-IN addresses
authorEvan Hunt <each@isc.org>
Tue, 17 Mar 2026 20:24:43 +0000 (13:24 -0700)
committerEvan Hunt <each@isc.org>
Wed, 6 May 2026 04:05:37 +0000 (21:05 -0700)
Ensure that we don't attempt an ACL match for answer addresses
when the answer's rdataset is not class IN (for example, a class-CHAOS
zone). This is an additional line of defense for YWH-PGM40640-74.

(cherry picked from commit 4cd3d8e6d866143ddc62df821a1007bf3ee7f083)
(cherry picked from commit fa60101e910346e64fa2a684b903fbcb84d8243b)

lib/dns/resolver.c

index ee49128825dfa74b82614cba88cc2442d6a4fb9f..35a05ddef5c39a5914b8ed5ec06bafaf60831d9f 100644 (file)
@@ -7347,9 +7347,16 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
        }
 
        /*
-        * Otherwise, search the filter list for a match for each address
-        * record.  If a match is found, the address should be filtered,
-        * so should the entire answer.
+        * deny-answer-address doesn't apply to non-IN classes.
+        */
+       if (rdataset->rdclass != dns_rdataclass_in) {
+               return true;
+       }
+
+       /*
+        * Otherwise, search the filter list for a match for each
+        * address record.  If a match is found, the address should be
+        * filtered, so should the entire answer.
         */
        for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
             result = dns_rdataset_next(rdataset))
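Review bot: The new early return at `if (rdataset->rdclass != dns_rdataclass_in)` silently treats every non-IN rdataset as allowed, and the one-line comment above it does not say why that is safe rather than a bypass of deny-answer-addresses; the reason belongs in the code, since the commit message's "additional line of defense" rationale will not be visible to the next reader of is_answeraddress_allowed. The loop below presumably converts each A/AAAA rdata into an IN-class address structure before the ACL match, which is only meaningful for class IN, but that conversion is outside the hunk and should be confirmed. I would replace the comment with `/* deny-answer-addresses only applies to class IN: A/AAAA rdata in other classes (e.g. CHAOS) are not IP addresses, so there is nothing to match against the ACL. Return "allowed" rather than attempt a match (defense in depth, see YWH-PGM40640-74). */`. It is also worth noting in the comment that the check deliberately comes before the first rdata is touched, so the class is validated before any per-record conversion. is_answeraddress_allowed begins before the hunk and its loop body continues after it.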