Skip "deny-answer-address" for non-IN addresses

Ensure that we don't attempt an ACL match for answer addresses when handling a class-CHAOS zone. This is an additional line of defense for YWH-PGM40640-74.
2026-05-28 04:34:54 -04:00 · 2026-03-17 13:24:43 -07:00 · 2026-03-17 13:24:43 -07:00 · 787b9bc450
commit 787b9bc450
parent 71221a1402
1 changed files with 7 additions and 0 deletions
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -6825,6 +6825,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 		return true;
 	}

+	/*
+	 * deny-answer-address doesn't apply to non-IN classes.
+	 */
+	if (rdataset->rdclass != dns_rdataclass_in) {
+		return true;
+	}
+
 	/*
 	 * Otherwise, search the filter list for a match for each
 	 * address record.  If a match is found, the address should be