3125. [security] Using wildcard CNAME records as a replacement with

RPZ caused named to exit with a assertion failure. [RT #24715]
2025-09-01 23:25:38 +00:00 · 2011-06-09 00:42:51 +00:00
parent 2a6d60615c
commit b64e3b8358
4 changed files with 28 additions and 3 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
 3125.	[security]	Using wildcard CNAME records as a replacement with
 			RPZ caused named to exit with a assertion failure.
 			[RT #24715]
 3124.	[bug]		Use an rdataset attribute flag to indicate
 			negative-cache records rather than using rrtype 0;
 			this will prevent problems when that rrtype is
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: query.c,v 1.365 2011/06/08 22:13:50 each Exp $ */
+/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */
 /*! \file */
@@ -5416,6 +5416,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				break;
 			case DNS_RPZ_POLICY_RECORD:
 				if (type == dns_rdatatype_any &&
 				    result != DNS_R_CNAME &&
 				    dns_rdataset_isassociated(rdataset))
 					dns_rdataset_disassociate(rdataset);
 				break;
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
-; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
+; $Id: base.db,v 1.5 2011/06/09 00:42:50 marka Exp $
 ; RPZ test
@@ -33,3 +33,4 @@ $TTL	120
 ; for testing rrset replacement
 redirect	IN      A       127.0.0.1
 *.redirect	IN      A       127.0.0.1
 *.cname-redirect	IN      CNAME   google.com.
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
+# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $
 # test response policy zones (RPZ)
@@ -223,6 +223,7 @@ $DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then
@@ -239,6 +240,24 @@ $DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
 $DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then
    echo "I:failed";
    (cd ..; $PERL start.pl --noclean --restart rpz ns3)
 fi
 status=`expr $status + $ret`
 ret=0
 echo "I:checking ANY queries"
 # We don't actually care about the query results; the important
 # thing is the server handles SIG queries okay
 $DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1
 $DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then