Skip "deny-answer-address" for non-IN addresses
authorEvan Hunt <each@isc.org>
Tue, 17 Mar 2026 20:24:43 +0000 (13:24 -0700)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:09:18 +0000 (13:09 +0200)
Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)

lib/dns/resolver.c

index 87f423a69b2be02894522f217f2793b5a8ae1ef1..4b70963a9656594c04506d490235b7d4dfd1e68c 100644 (file)
@@ -6967,6 +6967,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
                return true;
        }
 
+       /*
+        * deny-answer-address doesn't apply to non-IN classes.
+        */
+       if (rdataset->rdclass != dns_rdataclass_in) {
+               return true;
+       }
+
        /*
         * Otherwise, search the filter list for a match for each
         * address record.  If a match is found, the address should be
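Review bot: The comment on the added guard states that deny-answer-address "doesn't apply to non-IN classes" but not why, and the motivation that the commit message gives (not matching answer addresses when handling a class-CHAOS zone, the YWH-PGM40640-74 hardening) is not visible in the code; I would expand it to `* deny-answer-address only applies to class IN; skip the ACL` / `* lookup for any other class (e.g. CHAOS) so its address records` / `* are never matched against the filter (see YWH-PGM40640-74).` so the next reader does not loosen the check as a harmless optimisation. `rdataset` is presumably a parameter of is_answeraddress_allowed, but its declaration and the rest of the function are outside the hunk (the signature in the `@@` header is truncated), so I could not confirm it is non-NULL at this point. If the sibling filter for deny-answer-aliases has the same structure, it may warrant the same class guard, though that is outside this change. A regression test that feeds a non-IN address record through this path and checks the ACL is never consulted would pin the new behaviour.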