From 31b46473acad4c4cbf18560a464f853acb52259b Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 26 Nov 2025 00:07:48 -0800
Subject: [PATCH 1/2] allow glue in delegations with QTYPE=ANY

when a query for type ANY triggers a delegation response, all additional data was omitted from the response, including mandatory glue. this has been corrected.

(cherry picked from commit aa13e623556756195192084d4e1852cc57c05e9a)
---
 lib/ns/query.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index e4dfab3317..4d40a54718 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2281,7 +2281,10 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
 */
 query_addtoname(mname, rdataset);
 query_setorder(qctx, mname, rdataset);
- if (qctx->qtype != dns_rdatatype_any) {
+ if (qctx->qtype != dns_rdatatype_any ||
+ (!qctx->authoritative && section == DNS_SECTION_AUTHORITY &&
+ rdataset->type == dns_rdatatype_ns))
+ {
 query_additional(qctx, mname, rdataset);
 }

From ef7532bc868f257af2831cacb7d12b97b4e122f3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 28 Nov 2025 13:28:36 +1100
Subject: [PATCH 2/2] Check delegation response to ANY query

Glue if present should be returned.

(cherry picked from commit 34f4833e614626ba7dac2d836a257b69262ae6ba)
---
 bin/tests/system/auth/ns1/example.net.db | 2 ++
 bin/tests/system/auth/tests.sh | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/bin/tests/system/auth/ns1/example.net.db b/bin/tests/system/auth/ns1/example.net.db
index 29885ca414..edb4c9cbe7 100644
--- a/bin/tests/system/auth/ns1/example.net.db
+++ b/bin/tests/system/auth/ns1/example.net.db
@@ -20,3 +20,5 @@ $TTL 300 ; 5 minutes
 NS ns
 ns A 10.53.0.1
 server A 10.53.0.100
+child NS ns.child
+ns.child A 10.53.0.1
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
index 2499b46950..edb382202c 100644
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
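Review bot: The exception added to the `if` in query_addrrset() (lib/ns/query.c) is keyed on `!qctx->authoritative && section == DNS_SECTION_AUTHORITY && rdataset->type == dns_rdatatype_ns`, which is wider than the "delegation response" the commit message describes. Nothing visible in the hunk ties it to a referral, so it presumably also applies to any other non-authoritative ANY response that carries an NS rrset in the authority section. Skipping query_additional() for ANY presumably exists to keep responses to that query type small, which matters for reflection and amplification exposure, so the condition deserves a comment naming the response shapes that are meant to regain additional data, for example `/* ANY normally gets no additional data; a referral still needs glue for the NS rrset in the authority section. */`. If only referrals are intended, it is worth confirming that `qctx->authoritative` cannot be false on other paths that reach this call. The function starts and ends outside the hunk.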
@@ -186,5 +186,15 @@ lines=$(wc -l dig.out.test$n || ret=1 +grep "ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2" dig.out.test$n >/dev/null || ret=1 +grep 'child\.example\.net\..300.IN.NS.ns\.child\.example\.net\.$' dig.out.test$n >/dev/null || ret=1 +grep 'ns\.child\.example\.net\..300.IN.A.10\.53\.0\.1$' dig.out.test$n >/dev/null || ret=1 +[ $ret -eq 0 ] || echo_i "failed" +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
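Review bot: The first added grep pins the whole header count line, `ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2`, so the check depends on the total number of additional records dig reports rather than on the glue itself. The second additional record is presumably the EDNS OPT pseudo-record, which depends on how dig is invoked; the command line is not visible in the hunk as shown. The NS and A greps that follow already pin the delegation and its glue, so a one-line comment such as `# ADDITIONAL: 2 = glue A record + EDNS OPT` would make the expectation explicit for whoever next changes the dig options. As shown, the hunk covers only the positive case. A companion check that an authoritatively answered ANY query still returns no additional data would guard the other half of the condition changed in lib/ns/query.c.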