From 3ccfff8ab6bb0d38fa727334d5171221e3c38beb Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 26 Aug 2022 15:38:34 -0700
Subject: [PATCH 1/2] dnstap query_message field was erroneously set with
 responses

The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
---
 lib/dns/dnstap.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index e0b81911b4..71525fa88d 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -807,10 +807,11 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
 		dm.m.response_time_nsec = isc_time_nanoseconds(t);
 		dm.m.has_response_time_nsec = 1;
 
-		cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
-
-		/* Types RR and FR get both query and response times */
-		if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) {
+		/*
+		 * Types RR and FR can fall through and get the query
+		 * time set as well. Any other response type, break.
+		 */
+		if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) {
 			break;
 		}
 
@@ -830,8 +831,6 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
 		dm.m.has_query_time_sec = 1;
 		dm.m.query_time_nsec = isc_time_nanoseconds(t);
 		dm.m.has_query_time_nsec = 1;
-
-		cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
 		break;
 	default:
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
@@ -840,6 +839,13 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
 		return;
 	}
 
+	/* Query and response messages */
+	if ((msgtype & DNS_DTTYPE_QUERY) != 0) {
+		cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
+	} else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) {
+		cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
+	}
+
 	/* Zone/bailiwick */
 	switch (msgtype) {
 	case DNS_DTTYPE_AR:

From fea9751f1372472ce50cd54a96922628c714b248 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 26 Aug 2022 16:01:31 -0700
Subject: [PATCH 2/2] CHANGES for [GL #3501]

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 1aa0727d09..730d870e8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5951.	[bug]		In some cases, the dnstap query_message field was
+			erroneously set when logging response messages.
+			[GL #3501]
+
 5950.	[func]		Implement a feature to set an Extended DNS Error (EDE)
 			code on responses modified by RPZ. [GL #3410]