DNS/KnotResolver/CNAMEpatchについて、ここに記述してください。

https://gitlab.labs.nic.cz/knot/resolver/issues/38
 lib/iterate: do not trust in-bailiwick CNAME targets

The *.name CNAME or DNAME can be misused for in-bailiwick cache poisoning.
 See https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-resolver-00.html

After the patch query log  [[DNS/watchNS/vavrusa.com/CNAME-log]]

{{{
*** iterate.c	2015-10-19 17:09:52.517304816 +0900
--- iterate.c.orig	2015-10-19 17:08:37.741302152 +0900
***************
*** 351,358 ****
  	for (unsigned i = 0; i < an->count; ++i) {
  		/* @todo construct a CNAME chain closure and accept all names from that set */ 
  		const knot_rrset_t *rr = knot_pkt_rr(an, i);
! 		if (!knot_dname_is_equal(rr->owner, query->sname) /* &&
! 			!(follow_chain && knot_dname_is_equal(rr->owner, cname)) */ ) {
  			continue;
  		}
  		unsigned hint = 0;
--- 351,358 ----
  	for (unsigned i = 0; i < an->count; ++i) {
  		/* @todo construct a CNAME chain closure and accept all names from that set */ 
  		const knot_rrset_t *rr = knot_pkt_rr(an, i);
! 		if (!knot_dname_is_equal(rr->owner, query->sname) &&
! 			!(follow_chain && knot_dname_is_equal(rr->owner, cname))) {
  			continue;
  		}
  		unsigned hint = 0;
}}}

{{{
*** rrcache.c	2015-10-21 15:27:20.850948200 +0900
--- rrcache.c.orig	2015-10-16 10:12:33.187877861 +0900
***************
*** 262,273 ****
  		kr_rrmap_add(stash, rr, KR_RANK_AUTH, pool);
  		/* Follow CNAME chain in current cut. */
  		if (rr->type == KNOT_RRTYPE_CNAME) {
- 		   /*
  			const knot_dname_t *next_cname = knot_cname_name(&rr->rrs);
  			if (knot_dname_in(qry->zone_cut.name, next_cname)) {
  				cname = next_cname;
  			}
- 		    */
  		} else if (rr->type != KNOT_RRTYPE_RRSIG) {
  			cname = qry->sname;
  		}
--- 262,271 ----
}}}