Description: Fix ghost domain attack vulnerability (CVE-2012-1191) Origin: http://marc.info/?l=djbdns&m=134269902121506&w=2 Author: Peter Conrad Date: Tue, 18 Jun 2019 00:51:18 +0000 Gentoo-Bug: https://bugs.gentoo.org/404959 Last-Update: 2020-07-26
diff --git a/query.c b/query.c
index 61fe708..085cf44 100644
--- a/query.c
+++ b/query.c
@@ -578,6 +578,12 @@ static int doit(struct query *z,int state)
 }
 if (!dns_domain_suffix(t1,control)) { i = j; continue; }
+
+ if (!flagforwardonly && byte_equal(type,2,DNS_T_NS) && dns_domain_equal(t1,control)) {
+ char dummy[256];
+ if (!roots(dummy,control)) { i = j; continue; }
+ }
+
 if (!roots_same(t1,control)) { i = j; continue; }
 if (byte_equal(type,2,DNS_T_ANY))
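Review bot: The new guard in front of `roots_same` has no comment, although it is the entire CVE-2012-1191 fix and the condition does not explain itself: NS records whose owner `t1` equals `control` come from the zone's own servers, and caching them appears to be what lets those servers keep refreshing a delegation the parent has already withdrawn. I would put `/* ghost domains: accept NS for the zone apex only from the parent, unless roots() reports servers for control */` above the `if`. `dummy` exists only so that `roots()` can be called for its return value, and its size of 256 is unexplained; name the constant or size it from what `roots()` actually writes, which has to be confirmed against roots.c because that file is not part of this patch. The `!flagforwardonly` exemption also deserves one line saying why a forward-only cache may skip the check. `doit` begins and ends outside this hunk.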