diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 62d6d0c..343dc06 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -4757,7 +4757,7 @@ static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; + dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; dns_name_t *cname = NULL; dns_rdataset_t *rdataset, *ns_rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; @@ -4765,7 +4765,7 @@ answer_response(fetchctx_t *fctx) { isc_boolean_t wanted_chaining; unsigned int aflag; dns_rdatatype_t type; - dns_fixedname_t fdname, fqname, fqdname; + dns_fixedname_t fdname, fqname; FCTXTRACE("answer_response"); @@ -4787,12 +4787,11 @@ answer_response(fetchctx_t *fctx) { aa = ISC_TRUE; else aa = ISC_FALSE; - dqname = qname = &fctx->name; + qname = &fctx->name; type = fctx->type; - dns_fixedname_init(&fqdname); result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (!done && result == ISC_R_SUCCESS) { - dns_namereln_t namereln, dnamereln; + dns_namereln_t namereln; int order; unsigned int nlabels; @@ -4800,8 +4799,6 @@ answer_response(fetchctx_t *fctx) { dns_message_currentname(message, DNS_SECTION_ANSWER, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); namereln = dns_name_fullcompare(qname, name, &order, &nlabels); - dnamereln = dns_name_fullcompare(dqname, name, &order, - &nlabels); if (namereln == dns_namereln_equal) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); @@ -4988,7 +4985,20 @@ answer_response(fetchctx_t *fctx) { return (DNS_R_FORMERR); } - if (dnamereln != dns_namereln_subdomain) { + /* + * If DNAME + synthetic CNAME then the + * namereln is dns_namereln_subdomain. + * + * If synthetic CNAME + DNAME then the + * namereln is dns_namereln_commonancestor + * and the number of label must match the + * DNAME. This order is not RFC compliant. + */ + + if (namereln != dns_namereln_subdomain && + (namereln != dns_namereln_commonancestor || + nlabels != dns_name_countlabels(name))) + { return (DNS_R_FORMERR); } @@ -4996,7 +5006,7 @@ answer_response(fetchctx_t *fctx) { if (rdataset->type == dns_rdatatype_dname) { want_chaining = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWER; - result = dname_target(rdataset, dqname, + result = dname_target(rdataset, qname, nlabels, &fdname); if (result == ISC_R_NOSPACE) { /* @@ -5011,8 +5021,6 @@ answer_response(fetchctx_t *fctx) { dnameset = rdataset; dname = dns_fixedname_name(&fdname); - dqname = dns_fixedname_name(&fqdname); - dns_name_copy(dname, dqname, NULL); } else { /* * We've found a signature that @@ -5153,7 +5161,8 @@ answer_response(fetchctx_t *fctx) { rdataset->trust = dns_trust_additional; - if (rdataset->type == dns_rdatatype_ns) { + if (rdataset->type == dns_rdatatype_ns) + { ns_name = name; ns_rdataset = rdataset; }