diff --git a/CHANGES b/CHANGES
index 65bbbdf2ef..d1522b072f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,19 @@
+4186. [bug] Fixed an RPZ bug where a QNAME would be matched
+ against a policy RR with wildcard owner name
+ (trigger) where the QNAME was the wildcard owner
+ name's parent. For example, the bug caused a query
+ with QNAME "example.com" to match a policy RR with
+ "*.example.com" as trigger. [RT #40357]
+
+4185. [bug] Fixed an RPZ bug where a policy RR with wildcard
+ owner name (trigger) would prevent another policy RR
+ with its parent owner name from being
+ loaded. For example, the bug caused a policy RR
+ with trigger "example.com" to not have any
+ effect when a previous policy RR with trigger
+ "*.example.com" existed in that RPZ zone.
+ [RT #40357]
+
 4184. [bug] Fixed a possible memory leak in name compression when rendering long messages. (Also, improved wire_test for testing such messages.) [RT #40375]
diff --git a/bin/named/query.c b/bin/named/query.c
index cfd414fd46..c3ea5e011e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -4941,16 +4941,14 @@ rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
 rpzs = client->view->rpzs;
 /*
- * If there is only one eligible policy zone, just check it.
- * If more than one, then use the summary database to find
- * the bit mask of policy zones with policies for this trigger name.
- * x&(~x+1) is the least significant bit set in x
+ * Use the summary database to find the bit mask of policy zones
+ * with policies for this trigger name. We do this even if there
+ * is only one eligible policy zone so that wildcard triggers
+ * are matched correctly, and not into their parent.
 */
- if (zbits != (zbits & (~zbits + 1))) {
- zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
- if (zbits == 0)
- return (ISC_R_SUCCESS);
- }
+ zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
+ if (zbits == 0)
+ return (ISC_R_SUCCESS);
 dns_fixedname_init(&p_namef);
 p_name = dns_fixedname_name(&p_namef);
diff --git a/bin/tests/system/rpzrecurse/ns1/named.conf b/bin/tests/system/rpzrecurse/ns1/named.conf
index 00ca3c133f..6fa82e92cd 100644
--- a/bin/tests/system/rpzrecurse/ns1/named.conf
+++ b/bin/tests/system/rpzrecurse/ns1/named.conf
@@ -50,3 +50,13 @@ zone "l2.l1.l0" {
 type master;
 file "does-not-exist";
 };
+
+zone "test1.example.net" {
+ type master;
+ file "test1.example.net.db";
+};
+
+zone "test2.example.net" {
+ type master;
+ file "test2.example.net.db";
+};
diff --git a/bin/tests/system/rpzrecurse/ns1/test1.example.net.db b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
new file mode 100644
index 0000000000..eca9f39146
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/test1.example.net.db
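Review bot: The now-unconditional dns_rpz_find_name() call makes this path depend on the summary database being maintained for every policy zone, single-zone configurations included, but the rewritten comment does not state that dependency. If a single-zone shortcut were ever reintroduced in add_name()/del_name() in lib/dns/rpz.c, zbits would come back 0 here and the function would return ISC_R_SUCCESS without rewriting, so the policy would fail open silently rather than loudly. I would extend the comment with ` * This relies on add_name()/del_name() in lib/dns/rpz.c always` / ` * maintaining the summary database, even for a single policy zone.` Dropping the old `x&(~x+1)` remark is fine since that trick is gone. rpz_rewrite_name() starts and ends outside this hunk.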
@@ -0,0 +1,20 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@ NS ns.example.
+ns.example. A 10.53.0.1
+test1.example.net. A 1.2.3.4
+www.test1.example.net. A 5.6.7.8
diff --git a/bin/tests/system/rpzrecurse/ns1/test2.example.net.db b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
new file mode 100644
index 0000000000..cb08d98476
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns1/test2.example.net.db
@@ -0,0 +1,20 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@ NS ns.example.
+ns.example. A 10.53.0.1
+test2.example.net. A 8.7.6.5
+www.test2.example.net. A 4.3.2.1
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard1 b/bin/tests/system/rpzrecurse/ns2/db.wildcard1
new file mode 100644
index 0000000000..8cbd234161
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard1
@@ -0,0 +1,20 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2a b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
new file mode 100644
index 0000000000..8cbd234161
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2a
@@ -0,0 +1,20 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard2b b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
new file mode 100644
index 0000000000..7dbf9a2dec
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard2b
@@ -0,0 +1,20 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test2.example.net CNAME .
+test2.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/db.wildcard3 b/bin/tests/system/rpzrecurse/ns2/db.wildcard3
new file mode 100644
index 0000000000..44d4e45cf7
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/db.wildcard3
@@ -0,0 +1,19 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf
new file mode 100644
index 0000000000..8daa601406
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard1" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard1" { type master; file "db.wildcard1"; };
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf
new file mode 100644
index 0000000000..ede9ab754e
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard2a" policy NXDOMAIN;
+ zone "wildcard2b" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard2a" { type master; file "db.wildcard2a"; };
+ zone "wildcard2b" { type master; file "db.wildcard2b"; };
+};
diff --git a/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf
new file mode 100644
index 0000000000..896dbeb8a2
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard3" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard3" { type master; file "db.wildcard3"; };
+};
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
index 9a6f7f1bc2..759fc3cbed 100644
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -266,4 +266,48 @@ sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-D
 status=1
 }
+# Check wildcard behavior
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone (${t})"
+run_server wildcard1
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 2 RPZ zones (${t})"
+run_server wildcard2
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+run_server wildcard3
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
 exit $status
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 3a454c310e..f63c7ae252 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
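Review bot: The two-zone case (run_server wildcard2) only queries test1.example.net names, so the test2.example.net triggers in db.wildcard2b and the ns1 zone test2.example.net.db added in this commit are never exercised, and a regression that stops the second policy zone from matching would still pass. I would add the same pair of queries for the second zone in that block, e.g. `$DIG $DIGOPTS www.test2.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.3` followed by a `grep "status: NXDOMAIN" dig.out.${t}.3 > /dev/null || { ... }` check, and likewise for `test2.example.net` into dig.out.${t}.4. The three blocks are otherwise copies of one another; a small helper taking the config name and the expected status per query would keep them from drifting apart.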
@@ -7002,16 +7002,17 @@ static isc_result_t
 loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 isc_boolean_t hasnsec)
 {
- isc_result_t noderesult, nsecresult, tmpresult;
+ isc_result_t noderesult, rpzresult, nsecresult, tmpresult;
 dns_rbtnode_t *nsecnode = NULL, *node = NULL;
 noderesult = dns_rbt_addnode(rbtdb->tree, name, &node);
- if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) {
- noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
- name);
- if (noderesult == ISC_R_SUCCESS) {
+ if (rbtdb->rpzs != NULL &&
+ (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)) {
+ rpzresult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
+ name);
+ if (rpzresult == ISC_R_SUCCESS) {
 node->rpz = 1;
- } else {
+ } else if (noderesult != ISC_R_EXISTS) {
 /*
 * Remove the node we just added above.
 */
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 551b19ff49..3a79828a25 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -1342,12 +1342,9 @@ add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 isc_result_t result;
 /*
- * No need for a summary database of names with only 1 policy zone.
+ * We need a summary database of names even with 1 policy zone,
+ * because wildcard triggers are handled differently.
 */
- if (rpzs->p.num_zones <= 1) {
- adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
- return (ISC_R_SUCCESS);
- }
 dns_fixedname_init(&trig_namef);
 trig_name = dns_fixedname_name(&trig_namef);
@@ -2019,12 +2016,9 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 isc_result_t result;
 /*
- * No need for a summary database of names with only 1 policy zone.
+ * We need a summary database of names even with 1 policy zone,
+ * because wildcard triggers are handled differently.
 */
- if (rpzs->p.num_zones <= 1) {
- adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
- return;
- }
 dns_fixedname_init(&trig_namef);
 trig_name = dns_fixedname_name(&trig_namef);
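Review bot: When dns_rbt_addnode() returns ISC_R_EXISTS and dns_rpz_add() then fails, the failure is dropped: rpzresult is only consulted to set node->rpz, the new `else if (noderesult != ISC_R_EXISTS)` branch deliberately skips the existing node, and noderesult (still ISC_R_EXISTS) is presumably what the rest of loadnode() acts on, so the record is loaded while its trigger is absent from the summary database. Since rpz_rewrite_name() in bin/named/query.c now consults that database unconditionally, such a trigger would never match, which is a silent fail-open for the policy. Unless dns_rpz_add() cannot fail for a name already in the tree, I would propagate anything other than a benign duplicate, e.g. `} else if (noderesult == ISC_R_EXISTS && rpzresult != ISC_R_EXISTS) {` / `noderesult = rpzresult;` / `} else {` ahead of the node-removal branch. loadnode() continues past the end of this hunk, so where noderesult is finally returned is not visible here.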
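Review bot: The new comment in add_name() says wildcard triggers are "handled differently" without saying how, which is the one fact a future reader needs before reintroducing a single-zone shortcut; the same wording appears in the del_name() hunk below. I would word both as ` * A summary database is needed even with a single policy zone: without it` / ` * a QNAME such as "example.com" was matched against a "*.example.com"` / ` * trigger, whereas the summary database keeps the two names distinct.` Both hunks also drop the adj_trigger_cnt(..., NULL, 0, ...) call of the removed shortcut; assuming the remainder of each function adjusts the trigger count with the real trigger name, that is correct, but the rest of add_name() and del_name() lies outside these hunks, so it is worth confirming.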