From ec1404cc4c124b456409e1dbe9d16cdbe31c68c9 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 17 Mar 2026 13:24:43 -0700
Subject: [PATCH] Skip "deny-answer-address" for non-IN addresses

Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)
---
 lib/dns/resolver.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 87f423a69b..4b70963a96 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6967,6 +6967,13 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 		return true;
 	}
 
+	/*
+	 * deny-answer-address doesn't apply to non-IN classes.
+	 */
+	if (rdataset->rdclass != dns_rdataclass_in) {
+		return true;
+	}
+
 	/*
 	 * Otherwise, search the filter list for a match for each
 	 * address record.  If a match is found, the address should be