Skip "deny-answer-address" for non-IN addresses

Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)
Evan Hunt 2026-03-17 13:24:43 -07:00 committed by Michał Kępień
parent a40325c6a2
commit ec1404cc4c

@ -6967,6 +6967,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
return true;
}
/*
* deny-answer-address doesn't apply to non-IN classes.
*/
if (rdataset->rdclass != dns_rdataclass_in) {
return true;
}
/*
* Otherwise, search the filter list for a match for each
* address record. If a match is found, the address should be
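Review bot: the new early return keys on `rdataset->rdclass != dns_rdataclass_in`, so it skips the deny-answer-address ACL match for every non-IN class, while the commit message only mentions class-CHAOS zones; the comment above the check should say so explicitly ("deny-answer-address applies only to class IN") and the documentation for `deny-answer-addresses` should state that the option has no effect on other classes. It would also help to accompany the change with a test that a class-CH response carrying an address listed in the filter is not rejected, so the new path is exercised rather than only reachable by the original report.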