3125. [security] Using wildcard CNAME records as a replacement with

RPZ caused named to exit with a assertion failure. [RT #24715]
2025-08-29 05:28:00 +00:00 · 2011-06-09 00:42:51 +00:00 · 2011-06-09 00:42:51 +00:00 · b64e3b8358
commit b64e3b8358
parent 2a6d60615c
4 changed files with 28 additions and 3 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+3125.	[security]	Using wildcard CNAME records as a replacement with
+			RPZ caused named to exit with a assertion failure.
+			[RT #24715]
+
 3124.	[bug]		Use an rdataset attribute flag to indicate
 			negative-cache records rather than using rrtype 0;
 			this will prevent problems when that rrtype is
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.c,v 1.365 2011/06/08 22:13:50 each Exp $ */
+/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */

 /*! \file */

@ -5416,6 +5416,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				break;
 			case DNS_RPZ_POLICY_RECORD:
 				if (type == dns_rdatatype_any &&
+				    result != DNS_R_CNAME &&
 				    dns_rdataset_isassociated(rdataset))
 					dns_rdataset_disassociate(rdataset);
 				break;
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
+; $Id: base.db,v 1.5 2011/06/09 00:42:50 marka Exp $

 ; RPZ test

@ -33,3 +33,4 @@ $TTL	120
 ; for testing rrset replacement
 redirect	IN      A       127.0.0.1
 *.redirect	IN      A       127.0.0.1
+*.cname-redirect	IN      CNAME   google.com.
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
+# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $

 # test response policy zones (RPZ)

@ -223,6 +223,7 @@ $DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1

 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then
@ -239,6 +240,24 @@ $DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+    echo "I:failed";
+    (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking ANY queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1

 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then