From 53fc885cf54995e0a8af64631dc395dcacce6c24 Mon Sep 17 00:00:00 2001
From: Virgil
Date: Fri, 3 Apr 2026 22:20:34 +0000
Subject: [PATCH] Fix ANY apex SOA handling

---
 serve.go | 8 ++++----
 service_test.go | 10 +++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/serve.go b/serve.go
index 7afa025..0bdcc9c 100644
--- a/serve.go
+++ b/serve.go
@@ -301,9 +301,9 @@ func (handler *dnsRequestHandler) ServeDNS(responseWriter dnsprotocol.ResponseWr
 }
 case dnsprotocol.TypeANY:
 if found {
- appendAnyAnswers(reply, question.Name, lookupName, record)
+ appendAnyAnswers(reply, question.Name, lookupName, record, handler.service.ZoneApex())
 } else if normalizeName(lookupName) == handler.service.ZoneApex() && handler.service.ZoneApex() != "" {
- appendAnyAnswers(reply, question.Name, lookupName, NameRecords{})
+ appendAnyAnswers(reply, question.Name, lookupName, NameRecords{}, handler.service.ZoneApex())
 } else {
 goto noRecord
 }
@@ -378,7 +378,7 @@ func parsePTRIP(name string) (string, bool) {
 return "", false
 }

-func appendAnyAnswers(reply *dnsprotocol.Msg, questionName string, lookupName string, record NameRecords) {
+func appendAnyAnswers(reply *dnsprotocol.Msg, questionName string, lookupName string, record NameRecords, zoneApex string) {
 for _, value := range record.A {
 parsedIP := net.ParseIP(value)
 if parsedIP == nil || parsedIP.To4() == nil {
@@ -417,7 +417,7 @@ func appendAnyAnswers(reply *dnsprotocol.Msg, questionName string, lookupName st
 }
 }

- if normalizeName(lookupName) == normalizeName(questionName) && normalizeName(lookupName) != "" {
+ if normalizeName(lookupName) == normalizeName(zoneApex) && normalizeName(zoneApex) != "" {
 if len(record.NS) == 0 {
 reply.Answer = append(reply.Answer, &dnsprotocol.NS{
 Hdr: dnsprotocol.RR_Header{Name: questionName, Rrtype: dnsprotocol.TypeNS, Class: dnsprotocol.ClassINET, Ttl: defaultDNSTTL},
diff --git a/service_test.go b/service_test.go
index 9d2851f..231b94c 100644
--- a/service_test.go
+++ b/service_test.go
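Review bot: In the TypeANY branch the apex is read from `handler.service.ZoneApex()` up to three times and compared un-normalized in the `else if`, while `appendAnyAnswers` compares against `normalizeName(zoneApex)`. If ZoneApex() can return a form that normalizeName would change (its output format is not visible here), the two checks disagree and the branch falls through to `noRecord` for a name the helper would have treated as the apex. Reading it once at the top of the case removes both the drift and the repeated calls: `zoneApex := normalizeName(handler.service.ZoneApex())`, then `} else if zoneApex != "" && normalizeName(lookupName) == zoneApex {`, passing `zoneApex` to both calls. ServeDNS starts and ends outside this hunk.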
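Review bot: appendAnyAnswers now takes three adjacent string parameters and has no doc comment saying which one gates the apex-only records, so a swapped argument at a call site would compile silently. Suggest `// appendAnyAnswers appends the records held in record to reply under questionName; apex-only NS data is added only when lookupName equals zoneApex.` The same comment is a good place to record that a full ANY expansion produces a response much larger than the query, which is the property DNS reflection abuse depends on; if this listener answers untrusted UDP clients, a minimal reply in the style of RFC 8482 is worth considering. The function body continues outside this hunk.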
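Review bot: The apex gate now tests `lookupName` against `zoneApex`, but the synthesized NS record is still published with `Name: questionName`. The old condition compared those two names, which suggests they can differ; if they ever do while `lookupName` is the apex, apex-only data goes out under a non-apex owner name. Either document that the two are equal whenever this branch is reached, or gate on both, e.g. `apex := normalizeName(zoneApex)` followed by `if apex != "" && normalizeName(lookupName) == apex && normalizeName(questionName) == apex {`, which also drops the repeated normalizeName(zoneApex) call. The if block continues past the end of this hunk.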
@@ -1529,6 +1529,9 @@ func TestServiceServeAnswersANYWithAllRecordTypes(t *testing.T) {
 TXT: []string{"v=lthn1 type=gateway"},
 NS: []string{"ns.gateway.charon.lthn"},
 },
+ "node.charon.lthn": {
+ A: []string{"10.10.10.11"},
+ },
 },
 })

@@ -1546,7 +1549,7 @@ func TestServiceServeAnswersANYWithAllRecordTypes(t *testing.T) {
 t.Fatalf("unexpected ANY rcode: %d", response.Rcode)
 }

- var sawA, sawAAAA, sawTXT, sawNS bool
+ var sawA, sawAAAA, sawTXT, sawNS, sawSOA bool
 for _, answer := range response.Answer {
 switch rr := answer.(type) {
 case *dnsprotocol.A:
@@ -1557,12 +1560,17 @@ func TestServiceServeAnswersANYWithAllRecordTypes(t *testing.T) {
 sawTXT = len(rr.Txt) == 1 && rr.Txt[0] == "v=lthn1 type=gateway"
 case *dnsprotocol.NS:
 sawNS = rr.Ns == "ns.gateway.charon.lthn."
+ case *dnsprotocol.SOA:
+ sawSOA = true
 }
 }

 if !sawA || !sawAAAA || !sawTXT || !sawNS {
 t.Fatalf("expected ANY answer to include A, AAAA, TXT, and NS records, got %#v", response.Answer)
 }
+ if sawSOA {
+ t.Fatalf("expected ANY answer for a non-apex name to omit SOA, got %#v", response.Answer)
+ }
 }

 func TestServiceServeResolvesWildcardAndPTRRecords(t *testing.T) {
-- 
2.45.3
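Review bot: The new `node.charon.lthn` entry carries no comment, yet it appears to be what moves the zone apex away from the name under test so that the SOA assertion added further down is meaningful (how ZoneApex() derives the apex is not visible here). A one-line comment above the entry, such as `// second host so the queried name is not the zone apex`, would keep someone from deleting it as unused fixture data. The fixture literal starts outside this hunk.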
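Review bot: Only the negative case is asserted here: `sawSOA` must be false for a non-apex name. Nothing in this diff checks that an ANY query for the apex itself still returns SOA and the synthesized NS, which is the path both changed `appendAnyAnswers` calls in serve.go feed. Such a test may already exist elsewhere in service_test.go, but if it does not, a regression that drops SOA for every name would pass this suite. A sibling test that queries the apex and requires a `*dnsprotocol.SOA` answer would pin both sides of the condition.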