Fix RPZ bugs related to wildcard triggers (#40357)

CHANGES

@@ -1,3 +1,19 @@
+4186.	[bug]		Fixed an RPZ bug where a QNAME would be matched
+			against a policy RR with wildcard owner name
+			(trigger) where the QNAME was the wildcard owner
+			name's parent. For example, the bug caused a query
+			with QNAME "example.com" to match a policy RR with
+			"*.example.com" as trigger. [RT #40357]
+
+4185.	[bug]		Fixed an RPZ bug where a policy RR with wildcard
+			owner name (trigger) would prevent another policy RR
+			with its parent owner name from being
+			loaded. For example, the bug caused a policy RR
+			with trigger "example.com" to not have any
+			effect when a previous policy RR with trigger
+			"*.example.com" existed in that RPZ zone.
+			[RT #40357]
+
 4184.	[bug]		Fixed a possible memory leak in name compression
 			when rendering long messages. (Also, improved
 			wire_test for testing such messages.) [RT #40375]

bin/named/query.c

@@ -4941,16 +4941,14 @@ rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
 	rpzs = client->view->rpzs;
 
 	/*
-	 * If there is only one eligible policy zone, just check it.
+	 * Use the summary database to find the bit mask of policy zones
-	 * If more than one, then use the summary database to find
+	 * with policies for this trigger name. We do this even if there
-	 * the bit mask of policy zones with policies for this trigger name.
+	 * is only one eligible policy zone so that wildcard triggers
-	 *	x&(~x+1) is the least significant bit set in x
+	 * are matched correctly, and not into their parent.
 	 */
-	if (zbits != (zbits & (~zbits + 1))) {
 	zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
 	if (zbits == 0)
 		return (ISC_R_SUCCESS);
-	}
 
 	dns_fixedname_init(&p_namef);
 	p_name = dns_fixedname_name(&p_namef);

bin/tests/system/rpzrecurse/ns1/named.conf

@@ -50,3 +50,13 @@ zone "l2.l1.l0" {
 	type master;
 	file "does-not-exist";
 };
+
+zone "test1.example.net" {
+     type master;
+     file "test1.example.net.db";
+};
+
+zone "test2.example.net" {
+     type master;
+     file "test2.example.net.db";
+};

bin/tests/system/rpzrecurse/ns1/test1.example.net.db

@@ -0,0 +1,20 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@			NS	ns.example.
+ns.example.             A       10.53.0.1
+test1.example.net.	A	1.2.3.4
+www.test1.example.net.	A	5.6.7.8

bin/tests/system/rpzrecurse/ns1/test2.example.net.db

@@ -0,0 +1,20 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@			NS	ns.example.
+ns.example.             A       10.53.0.1
+test2.example.net.	A	8.7.6.5
+www.test2.example.net.	A	4.3.2.1

bin/tests/system/rpzrecurse/ns2/db.wildcard1

@@ -0,0 +1,20 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .

bin/tests/system/rpzrecurse/ns2/db.wildcard2a

@@ -0,0 +1,20 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .

bin/tests/system/rpzrecurse/ns2/db.wildcard2b

@@ -0,0 +1,20 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test2.example.net CNAME .
+test2.example.net CNAME .

bin/tests/system/rpzrecurse/ns2/db.wildcard3

@@ -0,0 +1,19 @@
+; Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .

bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf

@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard1" policy NXDOMAIN;
+    };
+
+    # policy zones to be tested
+    zone "wildcard1" { type master; file "db.wildcard1"; };
+};

bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard2a" policy NXDOMAIN;
+	zone "wildcard2b" policy NXDOMAIN;
+    };
+
+    # policy zones to be tested
+    zone "wildcard2a" { type master; file "db.wildcard2a"; };
+    zone "wildcard2b" { type master; file "db.wildcard2b"; };
+};

bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf

@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    # policy configuration to be tested
+    response-policy {
+	zone "wildcard3" policy NXDOMAIN;
+    };
+
+    # policy zones to be tested
+    zone "wildcard3" { type master; file "db.wildcard3"; };
+};

bin/tests/system/rpzrecurse/tests.sh

@@ -266,4 +266,48 @@ sed -n "$cur,"'$p' < ns2/named.run | grep "view recursive: rpz CLIENT-IP Local-D
     status=1
 }
 
+# Check wildcard behavior
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone (${t})"
+run_server wildcard1
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 2 RPZ zones (${t})"
+run_server wildcard2
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+run_server wildcard3
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+    echo "I:test ${t} failed"
+    status=1
+}
+
 exit $status

lib/dns/rbtdb.c

@@ -7002,16 +7002,17 @@ static isc_result_t
 loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 	 isc_boolean_t hasnsec)
 {
-	isc_result_t noderesult, nsecresult, tmpresult;
+	isc_result_t noderesult, rpzresult, nsecresult, tmpresult;
 	dns_rbtnode_t *nsecnode = NULL, *node = NULL;
 
 	noderesult = dns_rbt_addnode(rbtdb->tree, name, &node);
-	if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) {
+	if (rbtdb->rpzs != NULL &&
-		noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
+	    (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)) {
+		rpzresult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
 					name);
-		if (noderesult == ISC_R_SUCCESS) {
+		if (rpzresult == ISC_R_SUCCESS) {
 			node->rpz = 1;
-		} else  {
+		} else if (noderesult != ISC_R_EXISTS) {
 			/*
 			 * Remove the node we just added above.
 			 */

lib/dns/rpz.c

@@ -1342,12 +1342,9 @@ add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	isc_result_t result;
 
 	/*
-	 * No need for a summary database of names with only 1 policy zone.
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
 	 */
-	if (rpzs->p.num_zones <= 1) {
-		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
-		return (ISC_R_SUCCESS);
-	}
 
 	dns_fixedname_init(&trig_namef);
 	trig_name = dns_fixedname_name(&trig_namef);
@@ -2019,12 +2016,9 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	isc_result_t result;
 
 	/*
-	 * No need for a summary database of names with only 1 policy zone.
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
 	 */
-	if (rpzs->p.num_zones <= 1) {
-		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
-		return;
-	}
 
 	dns_fixedname_init(&trig_namef);
 	trig_name = dns_fixedname_name(&trig_namef);