3864. [bug] RPZ didn't work well when being used as forwarder.

[RT #36060]

CHANGES

@@ -1,3 +1,6 @@
+3864.	[bug]		RPZ didn't work well when being used as forwarder.
+			[RT #36060]
+
 3863.	[bug]		The "E" flag was missing from the query log as a
 			unintended side effect of code rearrangement to
 			support EDNS EXPIRE. [RT #36117]

bin/named/query.c

@@ -6608,11 +6608,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 						rpz_st->p_name, NULL);
 				goto cleanup;
 			case DNS_RPZ_POLICY_NXDOMAIN:
-				result = DNS_R_NXDOMAIN;
+				client->message->rcode = dns_rcode_nxdomain;
-				break;
+				/*
+				 * Don't fall through as it will add a SOA
+				 * for the black list zone which breaks
+				 * sanity checking of result by nameservers.
+				 */
+				client->message->rcode = dns_rcode_nxdomain;
+				rpz_log_rewrite(client, ISC_FALSE,
+					         rpz_st->m.policy,
+						 rpz_st->m.type, zone,
+						 rpz_st->p_name, NULL);
+				goto cleanup;
 			case DNS_RPZ_POLICY_NODATA:
-				result = DNS_R_NXRRSET;
+				/*
-				break;
+				 * Don't fall through as it will add a SOA
+				 * for the black list zone which breaks
+				 * sanity checking of result by nameservers.
+				 */
+				rpz_log_rewrite(client, ISC_FALSE,
+					         rpz_st->m.policy,
+						 rpz_st->m.type, zone,
+						 rpz_st->p_name, NULL);
+				goto cleanup;
 			case DNS_RPZ_POLICY_RECORD:
 				result = rpz_st->m.result;
 				if (qtype == dns_rdatatype_any &&

bin/tests/system/rpz/ns6/hints

@@ -0,0 +1,19 @@
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1

bin/tests/system/rpz/ns6/named.conf

@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port 5300;
+	pid-file "named.pid";
+	statistics-file "named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	notify no;
+	forward only;
+	forwarders { 10.53.0.3; };
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";

bin/tests/system/rpz/tests.sh

@@ -26,6 +26,7 @@ ns2=$ns.2		# authoritative server whose records are rewritten
 ns3=$ns.3		# main rewriting resolver
 ns4=$ns.4		# another authoritative server that is rewritten
 ns5=$ns.5		# another rewriting resolver
+ns6=$ns.6		# a forwarding server
 
 HAVE_CORE=
 SAVE_RESULTS=
@@ -334,6 +335,34 @@ addr 35.35.35.35 "x.servfail @$ns5"	# 35 qname-wait-recurse no
 end_group
 ckstats $ns3 test1 ns3 22
 ckstats $ns5 test1 ns5 1
+ckstats $ns6 test1 ns6 0
+
+start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+nxdomain a0-1.tld2 @$ns6                   # 1
+nodata a3-1.tld2 @$ns6                     # 2
+nodata a3-2.tld2 @$ns6                     # 3 nodata at DNAME itself
+nxdomain a4-2.tld2 @$ns6                   # 4 rewrite based on CNAME target
+nxdomain a4-2-cname.tld2 @$ns6             # 5
+nodata a4-3-cname.tld2 @$ns6               # 6
+addr 12.12.12.12  "a4-1.sub1.tld2 @$ns6"   # 7 A replacement
+addr 12.12.12.12  "a4-1.sub2.tld2 @$ns6"   # 8 A replacement with wildcard
+addr 127.4.4.1    "a4-4.tld2 @$ns6"        # 9 prefer 1st conflicting QNAME zone
+addr 12.12.12.12  "nxc1.sub1.tld2 @$ns6"   # 10 replace NXDOMAIN w/ CNAME
+addr 12.12.12.12  "nxc2.sub1.tld2 @$ns6"   # 11 replace NXDOMAIN w/ CNAME chain
+addr 127.6.2.1    "a6-2.tld2 @$ns6"        # 12
+addr 56.56.56.56  "a3-6.tld2 @$ns6"        # 13 wildcard CNAME
+addr 57.57.57.57  "a3-7.sub1.tld2 @$ns6"   # 14 wildcard CNAME
+addr 127.0.0.16   "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+addr 127.0.0.17   "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+nxdomain c1.crash2.tld3 @$ns6              # 17 assert in rbtdb.c
+nxdomain a0-1.tld2 +dnssec @$ns6           # 18 simple DO=1 without sigs
+nxdomain a0-1s-cname.tld2s  +dnssec @$ns6  # 19
+drop a3-8.tld2 any @$ns6                   # 20 drop
+
+end_group
+ckstats $ns3 test1 ns3 23
+ckstats $ns5 test1 ns5 0
+ckstats $ns6 test1 ns6 0
 
 start_group "IP rewrites" test2
 nodata a3-1.tld2			# 1 NODATA