Diffstat (limited to 'contrib/unbound/iterator/iter_scrub.c')
-rw-r--r--contrib/unbound/iterator/iter_scrub.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c
index 49a5f5da19c2..553d3655f0e3 100644
--- a/contrib/unbound/iterator/iter_scrub.c
+++ b/contrib/unbound/iterator/iter_scrub.c
@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
"RRset:", pkt, msg, prev, &rrset);
continue;
}
+ /* If the NS set is a promiscuous NS set, scrub that
+ * to remove potential for poisonous contents that
+ * affects other names in the same zone. Remove
+ * promiscuous NS sets in positive answers, that
+ * thus have records in the answer section. Nodata
+ * and nxdomain promiscuous NS sets have been removed
+ * already. Since the NS rrset is scrubbed, its
+ * address records are also not marked to be allowed
+ * and are removed later. */
+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
+ msg->an_rrsets != 0 &&
+ env->cfg->iter_scrub_promiscuous) {
+ remove_rrset("normalize: removing promiscuous "
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
if(nsset == NULL) {
nsset = rrset;
} else {
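Review bot: The added comment speaks of "a promiscuous NS set", but the condition `if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && msg->an_rrsets != 0 && env->cfg->iter_scrub_promiscuous)` never inspects the NS rrset itself; it removes every NS rrset that reaches this branch in a NOERROR message with a non-empty answer section. The comment should say so, for example `/* "Promiscuous" here means any NS rrset that accompanies a positive answer; messages with an_rrsets == 0 are not touched by this check. */`, so a later reader does not go looking for a per-name test that is not there. It is also worth one sentence that turning `iter_scrub_promiscuous` off leaves these NS sets, and presumably their address records, to the later handling, which is the exposure the comment describes. The enclosing loop and scrub_normalize start and end outside this hunk, so whether earlier checks already narrow which NS rrsets arrive here cannot be confirmed from the visible lines.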