
Process learned records as well as glue

(cherry picked from commit 07c828531c)
This commit is contained in:
Mark Andrews
2022-05-04 15:40:53 +10:00
parent 9b467801ac
commit 83cb796dcd


@@ -2819,7 +2819,7 @@ query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
*/ */
static isc_result_t static isc_result_t
rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
dns_rpz_type_t rpz_type, dns_db_t **dbp, unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp,
dns_dbversion_t *version, dns_rdataset_t **rdatasetp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp,
bool resuming) { bool resuming) {
dns_rpz_st_t *st; dns_rpz_st_t *st;
@@ -2888,9 +2888,8 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
found = dns_fixedname_initname(&fixed); found = dns_fixedname_initname(&fixed);
dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL, NULL); dns_clientinfo_init(&ci, client, NULL, NULL);
result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, result = dns_db_findext(*dbp, name, version, type, options, client->now,
client->now, &node, found, &cm, &ci, *rdatasetp, &node, found, &cm, &ci, *rdatasetp, NULL);
NULL);
if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) { if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
/* /*
* Try the cache if we're authoritative for an * Try the cache if we're authoritative for an
@@ -3633,82 +3632,104 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
struct in_addr ina; struct in_addr ina;
struct in6_addr in6a; struct in6_addr in6a;
isc_result_t result; isc_result_t result;
unsigned int options = DNS_DBFIND_GLUEOK;
bool done = false;
CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
zbits = rpz_get_zbits(client, ip_type, rpz_type); do {
if (zbits == 0) { zbits = rpz_get_zbits(client, ip_type, rpz_type);
return (ISC_R_SUCCESS); if (zbits == 0) {
} return (ISC_R_SUCCESS);
}
/* /*
* Get the A or AAAA rdataset. * Get the A or AAAA rdataset.
*/ */
result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp, result = rpz_rrset_find(client, name, ip_type, options,
ip_version, ip_rdatasetp, resuming); rpz_type, ip_dbp, ip_version,
switch (result) { ip_rdatasetp, resuming);
case ISC_R_SUCCESS: switch (result) {
case DNS_R_GLUE: case ISC_R_SUCCESS:
case DNS_R_ZONECUT: case DNS_R_GLUE:
break; case DNS_R_ZONECUT:
case DNS_R_EMPTYNAME: break;
case DNS_R_EMPTYWILD: case DNS_R_EMPTYNAME:
case DNS_R_NXDOMAIN: case DNS_R_EMPTYWILD:
case DNS_R_NCACHENXDOMAIN: case DNS_R_NXDOMAIN:
case DNS_R_NXRRSET: case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET: case DNS_R_NXRRSET:
case ISC_R_NOTFOUND: case DNS_R_NCACHENXRRSET:
return (ISC_R_SUCCESS); case ISC_R_NOTFOUND:
case DNS_R_DELEGATION: return (ISC_R_SUCCESS);
case DNS_R_DUPLICATE: case DNS_R_DELEGATION:
case DNS_R_DROP: case DNS_R_DUPLICATE:
return (result); case DNS_R_DROP:
case DNS_R_CNAME: return (result);
case DNS_R_DNAME: case DNS_R_CNAME:
rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, case DNS_R_DNAME:
"NS address rewrite rrset", result); rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name,
return (ISC_R_SUCCESS);
default:
if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
rpz_type, "NS address rewrite rrset", rpz_type, "NS address rewrite rrset",
result); result);
} return (ISC_R_SUCCESS);
CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip_rrset: unexpected "
"result");
return (DNS_R_SERVFAIL);
}
/*
* Check all of the IP addresses in the rdataset.
*/
for (result = dns_rdataset_first(*ip_rdatasetp);
result == ISC_R_SUCCESS; result = dns_rdataset_next(*ip_rdatasetp))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(*ip_rdatasetp, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
INSIST(rdata.length == 4);
memmove(&ina.s_addr, rdata.data, 4);
isc_netaddr_fromin(&netaddr, &ina);
break;
case dns_rdatatype_aaaa:
INSIST(rdata.length == 16);
memmove(in6a.s6_addr, rdata.data, 16);
isc_netaddr_fromin6(&netaddr, &in6a);
break;
default: default:
continue; if (client->query.rpz_st->m.policy !=
DNS_RPZ_POLICY_ERROR) {
client->query.rpz_st->m.policy =
DNS_RPZ_POLICY_ERROR;
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
rpz_type,
"NS address rewrite rrset",
result);
}
CTRACE(ISC_LOG_ERROR,
"rpz_rewrite_ip_rrset: unexpected "
"result");
return (DNS_R_SERVFAIL);
} }
result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, /*
zbits, p_rdatasetp); * If we are processing glue setup for the next loop
if (result != ISC_R_SUCCESS) { * otherwise we are done.
return (result); */
if (result == DNS_R_GLUE) {
options = 0;
} else {
done = true;
} }
}
/*
* Check all of the IP addresses in the rdataset.
*/
for (result = dns_rdataset_first(*ip_rdatasetp);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(*ip_rdatasetp))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(*ip_rdatasetp, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
INSIST(rdata.length == 4);
memmove(&ina.s_addr, rdata.data, 4);
isc_netaddr_fromin(&netaddr, &ina);
break;
case dns_rdatatype_aaaa:
INSIST(rdata.length == 16);
memmove(in6a.s6_addr, rdata.data, 16);
isc_netaddr_fromin6(&netaddr, &in6a);
break;
default:
continue;
}
result = rpz_rewrite_ip(client, &netaddr, qtype,
rpz_type, zbits, p_rdatasetp);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
} while (!done &&
client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS);
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
@@ -4246,10 +4267,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
if (st->r.ns_rdataset == NULL || if (st->r.ns_rdataset == NULL ||
!dns_rdataset_isassociated(st->r.ns_rdataset)) { !dns_rdataset_isassociated(st->r.ns_rdataset)) {
dns_db_t *db = NULL; dns_db_t *db = NULL;
result = rpz_rrset_find(client, nsname, result = rpz_rrset_find(
dns_rdatatype_ns, client, nsname, dns_rdatatype_ns,
DNS_RPZ_TYPE_NSDNAME, &db, NULL, DNS_DBFIND_GLUEOK, DNS_RPZ_TYPE_NSDNAME, &db,
&st->r.ns_rdataset, resuming); NULL, &st->r.ns_rdataset, resuming);
if (db != NULL) { if (db != NULL) {
dns_db_detach(&db); dns_db_detach(&db);
} }
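Review bot: The new do/while loop in rpz_rewrite_ip_rrset only leaves when rpz_rrset_find returns something other than DNS_R_GLUE, so its termination depends on the second lookup (made with `options` cleared to 0) never yielding DNS_R_GLUE again, which nothing in the loop itself guarantees. Making the exit explicit, `if (result == DNS_R_GLUE && options != 0) { options = 0; } else { done = true; }`, bounds the loop to two lookups no matter what the database returns. The second pass also calls rpz_rrset_find with `*ip_rdatasetp` still holding the glue rdataset from the first pass; if rpz_rrset_find does not disassociate an already-associated rdataset before dns_db_findext, the second call would leak or trip an assertion, which is worth confirming since only the head of rpz_rrset_find is visible here. The comment before that check would read better as `/* A glue answer may hide a learned (non-glue) record: retry without GLUEOK; any other result ends the loop. */`. rpz_rewrite_ip_rrset begins before this hunk.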