Merge branch '4334-confidential-dns64-and-serve-stale-bind-9.18' into 'v9.18.22-release'

[9.18] [CVE-2023-5679] Fix a bad interaction between DNS64 and serve-stale

See merge request isc-private/bind9!602

CHANGES

@@ -1,3 +1,6 @@
+6317.	[security]	Restore DNS64 state when handling a serve-stale timeout.
+			(CVE-2023-5679) [GL #4334]
+
 6316.	[security]	Specific queries could trigger an assertion check with
 			nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
 

doc/notes/notes-current.rst

@@ -27,6 +27,11 @@ Security Fixes
   assertion failure when :any:`nxdomain-redirect` was enabled. This has
   been fixed. :cve:`2023-5517` :gl:`#4281`
 
+- A bad interaction between DNS64 and serve-stale could cause
+  :iscman:`named` to crash with an assertion failure, when both of these
+  features were enabled. This has been fixed. :cve:`2023-5679`
+  :gl:`#4334`
+
 New Features
 ~~~~~~~~~~~~
 

lib/ns/query.c

@@ -6228,6 +6228,13 @@ query_lookup_stale(ns_client_t *client) {
 	query_ctx_t qctx;
 
 	qctx_init(client, NULL, client->query.qtype, &qctx);
+	if (DNS64(client)) {
+		qctx.qtype = qctx.type = dns_rdatatype_a;
+		qctx.dns64 = true;
+	}
+	if (DNS64EXCLUDE(client)) {
+		qctx.dns64_exclude = true;
+	}
 	dns_db_attach(client->view->cachedb, &qctx.db);
 	client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
 	client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;