upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-08 23:52:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Skip DNS64 synthesis when answering a redirected response

Browse source 
redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.
This commit is contained in:
Ondřej Surý 2026-05-20 18:28:15 +02:00
parent 739a067de8
commit 4bfd18d08d
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/ns/query.c
View file

@ -8902,6 +8902,7 @@ query_nodata(query_ctx_t *qctx, isc_result_t res) {
#endif /* ifdef dns64_bis_return_excluded_addresses */
} else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) &&
!ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite &&
!qctx->redirected &&
qctx->client->message->rdclass == dns_rdataclass_in &&
qctx->qtype == dns_rdatatype_aaaa)
{