3897. [bug] RPZ summary information was not properly being updated

after a AXFR resulting in changes sometimes being ignored. [RT #35885]
2025-08-31 06:25:31 +00:00 · 2014-07-22 10:57:58 +10:00
parent a1dee90bfb
commit ac5ed74860
10 changed files with 95 additions and 8 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
+3897.	[bug]		RPZ summary information was not properly being updated
+			after a AXFR resulting in changes sometimes being
+			ignored.  [RT #35885]
+
 3896.	[bug]		Address performance issues with DSCP code on some
 			platforms. [RT #36534]

--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -20,3 +20,4 @@ rm -f ns3/bl*.db ns*/*switch ns*/empty.db ns*/empty.db.jnl
 rm -f ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
 rm -f */named.memstats */named.run */named.stats */session.key
 rm -f */*.jnl */*.core */*.pid
+rm -f */policy2.db
--- a/bin/tests/system/rpz/ns5/empty.db.in
+++ b/bin/tests/system/rpz/ns5/empty.db.in
@@ -14,11 +14,4 @@

 $TTL	120
@	SOA	.  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
-	NS	ns
-	NS	ns1
-	NS	ns2
-	NS	ns3
-ns	A	10.53.0.5
-ns1	A	10.53.0.5
-ns2	A	10.53.0.6
-ns3	A	10.53.0.6
+	NS	.
--- a/bin/tests/system/rpz/ns5/named.conf
+++ b/bin/tests/system/rpz/ns5/named.conf
@@ -83,3 +83,10 @@ zone "policy1" {
 	allow-update { any; };
 	allow-transfer { any; };
 };
+
+zone "policy2" {
+	type master;
+	file "policy2.db";
+	allow-update { any; };
+	allow-transfer { any; };
+};
--- a/bin/tests/system/rpz/ns7/hints
+++ b/bin/tests/system/rpz/ns7/hints
@@ -0,0 +1,19 @@
+; Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+.	120	NS	ns.
+ns.	120	A	10.53.0.1
--- a/bin/tests/system/rpz/ns7/named.conf
+++ b/bin/tests/system/rpz/ns7/named.conf
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port 5300;
+	pid-file "named.pid";
+	statistics-file "named.stats";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+
+	response-policy { zone "policy2"; } qname-wait-recurse no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.7 port 9953 allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy2" {
+	type slave;
+	masters { 10.53.0.5; };
+	file "policy2.db";
+	allow-transfer  { any; };
+	request-ixfr no; // force axfr on rndc reload
+};
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -116,3 +116,4 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {

 cp ns2/bl.tld2.db.in ns2/bl.tld2.db
 cp ns5/empty.db.in ns5/empty.db
+cp ns5/empty.db.in ns5/policy2.db
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -27,6 +27,7 @@ ns3=$ns.3		# main rewriting resolver
 ns4=$ns.4		# another authoritative server that is rewritten
 ns5=$ns.5		# another rewriting resolver
 ns6=$ns.6		# a forwarding server
+ns7=$ns.7		# another rewriting resolver

 HAVE_CORE=
 SAVE_RESULTS=
@@ -629,5 +630,12 @@ for i in 1 2 3 4 5; do
    nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
 done

+echo "I:checking checking that going from a empty policy zone works"
+nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+sleep 1
+$RNDCCMD $ns7 reload policy2
+$DIG z.x.servfail -p 5300 @$ns7 > dig.out.ns7
+grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed;
+
 echo "I:exit status: $status"
 exit $status
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -248,6 +248,9 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) {
 	case DNS_RPZ_POLICY_WILDCNAME:
 		str = "CNAME";
 		break;
+	case DNS_RPZ_POLICY_MISS:
+		str = "MISS";
+		break;
 	default:
 		str = "";
 		POST(str);
@@ -1653,6 +1656,7 @@ dns_rpz_ready(dns_rpz_zones_t *rpzs,
 	load_rpzs->rbt = rbt;

 	rpzs->total_triggers = load_rpzs->total_triggers;
+	rpzs->have = load_rpzs->have;

 	UNLOCK(&rpzs->search_lock);

--- a/util/copyrights
+++ b/util/copyrights
@@ -1601,6 +1601,8 @@
 ./bin/tests/system/rpz/ns5/tld5.db		ZONE	2013
 ./bin/tests/system/rpz/ns6/hints		ZONE	2014
 ./bin/tests/system/rpz/ns6/named.conf		CONF-C	2014
+./bin/tests/system/rpz/ns7/hints		ZONE	2014
+./bin/tests/system/rpz/ns7/named.conf		CONF-C	2014
 ./bin/tests/system/rpz/prereq.sh		SH	2014
 ./bin/tests/system/rpz/qperf.sh			SH	2012,2013
 ./bin/tests/system/rpz/rpz.c			C	2011,2012,2013