Check that the forward declaration is unchanged and not overridden

If we are using a fowarder, in addition to checking that names to be cached are subdomains of the forwarded namespace, we must also check that there are no subsidiary forwarded namespaces which would take precedence. To be safe, we don't cache any responses if the forwarding configuration has changed since the query was sent.
2026-05-28 04:34:54 -04:00 · 2022-01-21 10:52:02 +11:00 · 2022-01-21 10:52:02 +11:00 · 67179e8973
commit 67179e8973
parent f7cb79b66a
1 changed files with 25 additions and 1 deletions
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -6768,7 +6768,31 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
 static inline bool
 name_external(const dns_name_t *name, fetchctx_t *fctx) {
 	if (ISFORWARDER(fctx->addrinfo)) {
-		return (!dns_name_issubdomain(name, fctx->fwdname));
+		isc_result_t result;
+		dns_fixedname_t fixed;
+		dns_forwarders_t *forwarders = NULL;
+		dns_name_t *fname;
+
+		if (!dns_name_issubdomain(name, fctx->fwdname)) {
+			return (true);
+		}
+
+		/*
+		 * Is there a child forwarder declaration that is better?
+		 * This lookup should always succeed if the configuration
+		 * has not changed.
+		 */
+		fname = dns_fixedname_initname(&fixed);
+		result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+					   &forwarders);
+		if (result == ISC_R_SUCCESS) {
+			return (!dns_name_equal(fname, fctx->fwdname));
+		}
+
+		/*
+		 * Play it safe if the configuration has changed.
+		 */
+		return (true);
 	}

 	return (!dns_name_issubdomain(name, fctx->domain));