From e675db2e49fdb5b2d31ee96c792ad7d5b69e656f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 9 Jul 2026 08:55:01 +0000 Subject: [PATCH] Require secure trust for covering NSEC in the RBT cache The guard against synthesizing negative answers from a pending NSEC (#5977) was only added to the QP cache's find_coveringnsec(); the RBT cache database kept binding any covering NSEC regardless of trust. On builds configured with --with-cachedb=rbt this lets a piggy-backed, unvalidated NSEC drive a synthesized NXDOMAIN, reviving the cache poisoning that was fixed for the default cache. query_coveringnsec() only verifies the covering NSEC's trust on its NODATA path; the NXDOMAIN path relies on the database returning a secure record. Require the NSEC and its RRSIG to be dns_trust_secure in find_coveringnsec(), matching the QP cache. Assisted-by: Claude:claude-opus-4-8 --- lib/dns/rbt-cachedb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/dns/rbt-cachedb.c b/lib/dns/rbt-cachedb.c index 09fc281617..363f44a180 100644 --- a/lib/dns/rbt-cachedb.c +++ b/lib/dns/rbt-cachedb.c @@ -728,7 +728,9 @@ find_coveringnsec(rbtdb_search_t *search, const dns_name_t *name, } header_prev = header; } - if (found != NULL) { + if (found != NULL && found->trust == dns_trust_secure && + (foundsig == NULL || foundsig->trust == dns_trust_secure)) + { dns__rbtdb_bindrdataset(search->rbtdb, node, found, now, nlocktype, rdataset DNS__DB_FLARG_PASS); if (foundsig != NULL) {