diff --git a/CHANGES b/CHANGES
index e32a38dc5e..c65de59dbf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3864. [bug] RPZ didn't work well when being used as forwarder.
+ [RT #36060]
+
 3863. [bug] The "E" flag was missing from the query log as a
 unintended side effect of code rearrangement to
 support EDNS EXPIRE. [RT #36117]
diff --git a/bin/named/query.c b/bin/named/query.c
index 9592d7cadb..de8090fa78 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6608,11 +6608,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 rpz_st->p_name, NULL);
 goto cleanup;
 case DNS_RPZ_POLICY_NXDOMAIN:
- result = DNS_R_NXDOMAIN;
- break;
+ client->message->rcode = dns_rcode_nxdomain;
+ /*
+ * Don't fall through as it will add a SOA
+ * for the black list zone which breaks
+ * sanity checking of result by nameservers.
+ */
+ client->message->rcode = dns_rcode_nxdomain;
+ rpz_log_rewrite(client, ISC_FALSE,
+ rpz_st->m.policy,
+ rpz_st->m.type, zone,
+ rpz_st->p_name, NULL);
+ goto cleanup;
 case DNS_RPZ_POLICY_NODATA:
- result = DNS_R_NXRRSET;
- break;
+ /*
+ * Don't fall through as it will add a SOA
+ * for the black list zone which breaks
+ * sanity checking of result by nameservers.
+ */
+ rpz_log_rewrite(client, ISC_FALSE,
+ rpz_st->m.policy,
+ rpz_st->m.type, zone,
+ rpz_st->p_name, NULL);
+ goto cleanup;
 case DNS_RPZ_POLICY_RECORD:
 result = rpz_st->m.result;
 if (qtype == dns_rdatatype_any &&
diff --git a/bin/tests/system/rpz/ns6/hints b/bin/tests/system/rpz/ns6/hints
new file mode 100644
index 0000000000..7d20df0529
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/hints
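Review bot: `client->message->rcode = dns_rcode_nxdomain;` is assigned twice in the DNS_RPZ_POLICY_NXDOMAIN case, once before the comment block and once after it; the first copy is redundant and should be dropped so the case mirrors the DNS_RPZ_POLICY_NODATA case directly below. Both cases also stop setting `result` (the removed DNS_R_NXDOMAIN / DNS_R_NXRRSET assignments) before jumping to `cleanup`, so whatever `result` held before the switch is what the cleanup path now sees — worth confirming that nothing after `cleanup:` keys off it. The NODATA case sets no rcode and presumably relies on the message already carrying NOERROR; a one-line comment such as `/* rcode is left as NOERROR; the empty answer section signals NODATA */` would make that intent explicit. query_find begins and ends outside this hunk.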
@@ -0,0 +1,19 @@
+; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns6/named.conf b/bin/tests/system/rpz/ns6/named.conf
new file mode 100644
index 0000000000..5c9530b82d
--- /dev/null
+++ b/bin/tests/system/rpz/ns6/named.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port 5300;
+ pid-file "named.pid";
+ statistics-file "named.stats";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ notify no;
+ forward only;
+ forwarders { 10.53.0.3; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 898fef829e..f76f48755f 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -26,6 +26,7 @@ ns2=$ns.2 # authoritative server whose records are rewritten
 ns3=$ns.3 # main rewriting resolver
 ns4=$ns.4 # another authoritative server that is rewritten
 ns5=$ns.5 # another rewriting resolver
+ns6=$ns.6 # a forwarding server
 
 HAVE_CORE=
 SAVE_RESULTS=
@@ -334,6 +335,34 @@ addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no
 end_group
 ckstats $ns3 test1 ns3 22
 ckstats $ns5 test1 ns5 1
+ckstats $ns6 test1 ns6 0
+
+start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+nxdomain a0-1.tld2 @$ns6 # 1
+nodata a3-1.tld2 @$ns6 # 2
+nodata a3-2.tld2 @$ns6 # 3 nodata at DNAME itself
+nxdomain a4-2.tld2 @$ns6 # 4 rewrite based on CNAME target
+nxdomain a4-2-cname.tld2 @$ns6 # 5
+nodata a4-3-cname.tld2 @$ns6 # 6
+addr 12.12.12.12 "a4-1.sub1.tld2 @$ns6" # 7 A replacement
+addr 12.12.12.12 "a4-1.sub2.tld2 @$ns6" # 8 A replacement with wildcard
+addr 127.4.4.1 "a4-4.tld2 @$ns6" # 9 prefer 1st conflicting QNAME zone
+addr 12.12.12.12 "nxc1.sub1.tld2 @$ns6" # 10 replace NXDOMAIN w/ CNAME
+addr 12.12.12.12 "nxc2.sub1.tld2 @$ns6" # 11 replace NXDOMAIN w/ CNAME chain
+addr 127.6.2.1 "a6-2.tld2 @$ns6" # 12
+addr 56.56.56.56 "a3-6.tld2 @$ns6" # 13 wildcard CNAME
+addr 57.57.57.57 "a3-7.sub1.tld2 @$ns6" # 14 wildcard CNAME
+addr 127.0.0.16 "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+addr 127.0.0.17 "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+nxdomain c1.crash2.tld3 @$ns6 # 17 assert in rbtdb.c
+nxdomain a0-1.tld2 +dnssec @$ns6 # 18 simple DO=1 without sigs
+nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
+drop a3-8.tld2 any @$ns6 # 20 drop
+
+end_group
+ckstats $ns3 test1 ns3 23
+ckstats $ns5 test1 ns5 0
+ckstats $ns6 test1 ns6 0
 
 start_group "IP rewrites" test2
 nodata a3-1.tld2 # 1 NODATA
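Review bot: The new group reuses the title "NXDOMAIN/NODATA action on QNAME trigger" and restarts its test numbers at 1, so a failure reported as, say, "#17" cannot be told apart from the same-numbered case in the direct-resolver group it appears to mirror; naming the forwarder in the title, `start_group "NXDOMAIN/NODATA action on QNAME trigger via forwarder" test1`, keeps the output unambiguous. The closing `ckstats $ns6 test1 ns6 0` asserts that the forwarder itself records no rewrites while `ckstats $ns3 test1 ns3 23` moves from 22 to 23, which I read as the rewrite being counted on ns3, the forwarder's target; a short comment stating that expectation next to the ckstats lines would help whoever adjusts the counts next.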