mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 08:35:31 +00:00
Code Issues Releases Wiki Activity

Merge branch '3247-rpz-ip-cd' into 'main'

Browse Source 
ensure RPZ lookups handle CD=1 correctly

Closes #3247

See merge request isc-projects/bind9!6944
This commit is contained in:
Evan Hunt
2022-10-19 20:11:26 +00:00
parent 0bcff38391 3676f6394b
commit 6c8bc44bc4
9 changed files with 50 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
5999. [bug] rpz-ip rules could be ineffective in some scenarios
with CD=1 queries. [GL #3247]
5998. [placeholder] 5998. [placeholder]
5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR() 5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR()

2
bin/tests/system/rpz/clean.sh
View File

@@ -30,7 +30,7 @@ fi
# from the first test pass so the second pass can be set up correctly. # from the first test pass so the second pass can be set up correctly.
# remove those files first, then decide whether to remove the others. # remove those files first, then decide whether to remove the others.
rm -f ns*/*.key ns*/*.private rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db ns2/bl.tld2.db rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db
rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
rm -f ns3/manual-update-rpz.db rm -f ns3/manual-update-rpz.db
rm -f ns3/mixed-case-rpz.db rm -f ns3/mixed-case-rpz.db

1
bin/tests/system/rpz/ns2/base-tld2s.db
View File

@@ -23,3 +23,4 @@ a0-1-scname CNAME a0-1.tld2.
a3-5 A 192.168.3.5 a3-5 A 192.168.3.5
a7-2 A 192.168.7.2

3
bin/tests/system/rpz/ns2/tld2.db
View File

@@ -120,3 +120,6 @@ a6-2 A 192.168.6.2
a7-1 A 192.168.7.1 a7-1 A 192.168.7.1
TXT "a7-1 tld2 text" TXT "a7-1 tld2 text"
a7-2 A 192.168.7.2
TXT "a7-2 tld2 text"

20
bin/tests/system/rpz/ns6/bl.tld2s.db.in Normal file
View File

@@ -0,0 +1,20 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
32.2.7.168.192.rpz-ip A 1.1.1.1
AAAA ::1

6
bin/tests/system/rpz/ns6/named.conf.in
View File

@@ -30,6 +30,7 @@ options {
response-policy { response-policy {
zone "policy1" min-update-interval 0; zone "policy1" min-update-interval 0;
zone "bl.tld2s" policy given;
} qname-wait-recurse yes } qname-wait-recurse yes
// add-soa yes # leave add-soa as default for unset test // add-soa yes # leave add-soa as default for unset test
nsip-enable yes nsip-enable yes
@@ -59,3 +60,8 @@ zone "policy1" {
notify-delay 0; notify-delay 0;
allow-transfer { any; }; allow-transfer { any; };
}; };
zone "bl.tld2s." {
type primary;
file "bl.tld2s.db";
};

1
bin/tests/system/rpz/setup.sh
View File

@@ -168,6 +168,7 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
cp ns2/bl.tld2.db.in ns2/bl.tld2.db cp ns2/bl.tld2.db.in ns2/bl.tld2.db
cp ns5/empty.db.in ns5/empty.db cp ns5/empty.db.in ns5/empty.db
cp ns5/empty.db.in ns5/policy2.db cp ns5/empty.db.in ns5/policy2.db
cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db
# Run dnsrpzd to get the license and prime the static policy zones # Run dnsrpzd to get the license and prime the static policy zones
if test -n "$TEST_DNSRPS"; then if test -n "$TEST_DNSRPS"; then

9
bin/tests/system/rpz/tests.sh
View File

@@ -982,6 +982,15 @@ EOF
done done
done done
if [ native = "$mode" ]; then
t=`expr $t + 1`
echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})"
$RNDCCMD $ns3 flush
$RNDCCMD $ns6 flush
$DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t}
grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed"
fi
[ $status -ne 0 ] && pf=fail || pf=pass [ $status -ne 0 ] && pf=fail || pf=pass
case $mode in case $mode in
native) native)

11
lib/ns/query.c
View File

@@ -3762,7 +3762,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
struct in_addr ina; struct in_addr ina;
struct in6_addr in6a; struct in6_addr in6a;
isc_result_t result; isc_result_t result;
unsigned int options = DNS_DBFIND_GLUEOK; unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
bool done = false; bool done = false;
CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
@@ -3823,8 +3823,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
* otherwise we are done. * otherwise we are done.
*/ */
if (result == DNS_R_GLUE) { if (result == DNS_R_GLUE) {
options = 0; options = client->query.dboptions;
} else { } else {
options = client->query.dboptions | DNS_DBFIND_GLUEOK;
done = true; done = true;
} }
@@ -4384,7 +4385,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_fixedname_init(&nsnamef); dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
options = DNS_DBFIND_GLUEOK; options = client->query.dboptions | DNS_DBFIND_GLUEOK;
while (st->r.label > st->popt.min_ns_labels) { while (st->r.label > st->popt.min_ns_labels) {
bool was_glue = false; bool was_glue = false;
/* /*
@@ -4510,9 +4511,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
* glue responses, otherwise setup for the next name. * glue responses, otherwise setup for the next name.
*/ */
if (was_glue) { if (was_glue) {
options = 0; options = client->query.dboptions;
} else { } else {
options = DNS_DBFIND_GLUEOK; options = client->query.dboptions | DNS_DBFIND_GLUEOK;
st->r.label--; st->r.label--;
} }