clarification of additional section cve 2024-11187 ?

[Matthijs Mekking]

If the RRset in the answer or authority section triggers additional 
processing, and the RRset has more than 13 different names, we skip 
additional processing for that RRset.

So it can add more than 13 records to the additional section.

You are right that we also no longer do additional data processing for 
ANY queries.

Best regards,

Matthijs


On 29-01-2025 22:50, Jeremy C. Reed wrote:
> "When answering queries, don't add data to the additional section if the
> answer has more than 13 names in the RDATA."
> 
> That is vague or misleading: is this saying don't add to additional
> section if the ANSWER SECTION has more than 13 separated "names" (so not
> limited by rrsets if have same names)? or is this the additional section
> only and nothing to do with "answer"?
> 
> Looking at code changes, I don't think this is about ANSWER
> (dns_rdataset_additionaldata) and is not about count of names either
> (dns_rdataset_count).
> 
> Maybe instead:
> 
> "When answering queries, don't add data to the Additional Section if it
> will have more than 13 records."
> 
> I didn't read closely nor test, but will it add up to 13 records in the
> Additional Section?
> 
> For example @f.root-servers.net for COM returns additional section of 26
> records (A and AAA glue), 13 names, and 13 rrsets. What happens with the
> new behavior? How will chop out the glue?
> 
> Also I see code change for checking for ANY, if this is a change of
> behavior, please consider also document if query is for ANY then no
> additional section. (I also didn't test this.)