From 787b9bc45097b59812b0128cf6172d70105d9d18 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 17 Mar 2026 13:24:43 -0700
Subject: [PATCH] Skip "deny-answer-address" for non-IN addresses

Ensure that we don't attempt an ACL match for answer addresses when handling a class-CHAOS zone. This is an additional line of defense for YWH-PGM40640-74.
---
 lib/dns/resolver.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 50f88209dd..7410431284 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6825,6 +6825,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 return true;
 }

+ /*
+ * deny-answer-address doesn't apply to non-IN classes.
+ */
+ if (rdataset->rdclass != dns_rdataclass_in) {
+ return true;
+ }
+
 /*
 * Otherwise, search the filter list for a match for each
 * address record. If a match is found, the address should be
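Review bot: The comment on the new class check in is_answeraddress_allowed() states that the filter does not apply to non-IN classes but not why, so a reader cannot tell that returning `true` here is a deliberate fail-open rather than an oversight. I would expand it to something like `/* deny-answer-address ACLs hold IP addresses; A/AAAA rdata in other classes (e.g. CHAOS) is not an IN address, so skip the match instead of parsing it as one. */`, assuming the loop below the guard reads the rdata as an IPv4/IPv6 address, which lies outside the hunk and should be confirmed. The diffstat shows only lib/dns/resolver.c changed, so a system test that passes a class-CHAOS answer through a view with deny-answer-address configured would keep this guard from regressing. The function body starts and ends outside the hunk.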