From 2c11da844192d8366a6e0047dff15a2746f9467e Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 12 Jun 2017 14:01:40 +0530
Subject: [PATCH] Don't log NSDNAME failures as NSIP (#45052)

---
 CHANGES           |  3 +++
 bin/named/query.c | 35 +++++++++++++++++++++++++++++------
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index a6fa30332a..94f800c139 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4635.	[bug]		Fix RPZ NSDNAME logging that was logging
+			failures as NSIP. [RT #45052]
+
 4634.	[contrib]	check5011.pl needs to handle optional space before
 			semi-colon in +multi-line output. [RT #45352]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 6637bc4038..39b99a2f8b 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1264,12 +1264,16 @@ rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 }
 
 static void
-rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
-	     dns_rpz_type_t rpz_type, const char *str, isc_result_t result)
+rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name,
+		    dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2,
+		    const char *str, isc_result_t result)
 {
 	char qnamebuf[DNS_NAME_FORMATSIZE];
 	char p_namebuf[DNS_NAME_FORMATSIZE];
 	const char *failed;
+	const char *slash;
+	const char *rpztypestr1;
+	const char *rpztypestr2;
 
 	if (!isc_log_wouldlog(ns_g_lctx, level))
 		return;
@@ -1281,16 +1285,34 @@ rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
 		failed = "failed: ";
 	else
 		failed = ": ";
+
+	rpztypestr1 = dns_rpz_type2str(rpz_type1);
+	if (rpz_type2 != DNS_RPZ_TYPE_BAD) {
+		slash = "/";
+		rpztypestr2 = dns_rpz_type2str(rpz_type2);
+	} else {
+		slash = "";
+		rpztypestr2 = "";
+	}
+
 	dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf));
 	dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
 	ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS,
 		      NS_LOGMODULE_QUERY, level,
-		      "rpz %s rewrite %s via %s%s%s%s",
-		      dns_rpz_type2str(rpz_type),
+		      "rpz %s%s%s rewrite %s via %s%s%s%s",
+		      rpztypestr1, slash, rpztypestr2,
 		      qnamebuf, p_namebuf,
 		      str, failed, isc_result_totext(result));
 }
 
+static void
+rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
+	     dns_rpz_type_t rpz_type, const char *str, isc_result_t result)
+{
+	rpz_log_fail_helper(client, level, p_name,
+			    rpz_type, DNS_RPZ_TYPE_BAD, str, result);
+}
+
 /*
  * Get a policy rewrite zone database.
  */
@@ -3469,8 +3491,9 @@ rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
 	st = client->query.rpz_st;
 
 	if (str != NULL)
-		rpz_log_fail(client, level, nsname, DNS_RPZ_TYPE_NSIP,
-			     str, result);
+		rpz_log_fail_helper(client, level, nsname,
+				    DNS_RPZ_TYPE_NSIP, DNS_RPZ_TYPE_NSDNAME,
+				    str, result);
 	if (st->r.ns_rdataset != NULL &&
 	    dns_rdataset_isassociated(st->r.ns_rdataset))
 		dns_rdataset_disassociate(st->r.ns_rdataset);