Return FORMERR for ECS family 0

RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally it requires FORMERR to be returned for all unknown families. (cherry picked from commit 757e503536)
2026-05-26 11:22:52 -04:00 · 2026-02-19 10:03:36 +11:00 · 2026-02-19 10:03:36 +11:00 · 32f802f4ed
commit 32f802f4ed
parent 68ccf6ab4f
2 changed files with 3 additions and 27 deletions
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@ -522,10 +522,8 @@ if [ -x "$DIG" ]; then
  echo_i "checking dig +ednsopt=8:00000000 (family=0, source=0, scope=0) ($n)"
  ret=0
  dig_with_opts +tcp @10.53.0.2 +ednsopt=8:00000000 A a.example >dig.out.test$n 2>&1 || ret=1
-  grep "status: NOERROR" <dig.out.test$n >/dev/null || ret=1
-  grep "CLIENT-SUBNET: 0/0/0" <dig.out.test$n >/dev/null || ret=1
-  grep "10.0.0.1" <dig.out.test$n >/dev/null || ret=1
-  check_ttl_range dig.out.test$n "A" 300 || ret=1
+  grep "status: FORMERR" <dig.out.test$n >/dev/null || ret=1
+  grep "CLIENT-SUBNET" <dig.out.test$n >/dev/null && ret=1
  if [ $ret -ne 0 ]; then echo_i "failed"; fi
  status=$((status + ret))

--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@ -1108,8 +1108,7 @@ no_nsid:
 	}
 	if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) &&
 	    (client->ecs.addr.family == AF_INET ||
-	     client->ecs.addr.family == AF_INET6 ||
-	     client->ecs.addr.family == AF_UNSPEC))
+	     client->ecs.addr.family == AF_INET6))
 	{
 		isc_buffer_t buf;
 		uint8_t addr[16];
@ -1124,10 +1123,6 @@ no_nsid:
 		addrl = (plen + 7) / 8;

 		switch (client->ecs.addr.family) {
-		case AF_UNSPEC:
-			INSIST(plen == 0);
-			family = 0;
-			break;
 		case AF_INET:
 			INSIST(plen <= 32);
 			family = 1;
@ -1418,23 +1413,6 @@ process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {

 	memset(&caddr, 0, sizeof(caddr));
 	switch (family) {
-	case 0:
-		/*
-		 * XXXMUKS: In queries, if FAMILY is set to 0, SOURCE
-		 * PREFIX-LENGTH must be 0 and ADDRESS should not be
-		 * present as the address and prefix lengths don't make
-		 * sense because the family is unknown.
-		 */
-		if (addrlen != 0U) {
-			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
-				      "EDNS client-subnet option: invalid "
-				      "address length (%u) for FAMILY=0",
-				      addrlen);
-			return DNS_R_OPTERR;
-		}
-		caddr.family = AF_UNSPEC;
-		break;
 	case 1:
 		if (addrlen > 32U) {
 			ns_client_log(client, NS_LOGCATEGORY_CLIENT,