Commit 44b0e0b1 authored by Mark Andrews's avatar Mark Andrews
Browse files

More changes for:

3864.   [bug]           RPZ didn't work well when being used as forwarder.
                        [RT #36060]
parent a4d76e3f
......@@ -6103,6 +6103,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
isc_boolean_t resuming;
int line = -1;
isc_boolean_t dns64_exclude, dns64;
isc_boolean_t nxrewrite = ISC_FALSE;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
......@@ -6608,29 +6609,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rpz_st->p_name, NULL);
goto cleanup;
case DNS_RPZ_POLICY_NXDOMAIN:
client->message->rcode = dns_rcode_nxdomain;
/*
* Don't fall through as it will add a SOA
* for the black list zone which breaks
* sanity checking of result by nameservers.
*/
client->message->rcode = dns_rcode_nxdomain;
rpz_log_rewrite(client, ISC_FALSE,
rpz_st->m.policy,
rpz_st->m.type, zone,
rpz_st->p_name, NULL);
goto cleanup;
result = DNS_R_NXDOMAIN;
nxrewrite = ISC_TRUE;
break;
case DNS_RPZ_POLICY_NODATA:
/*
* Don't fall through as it will add a SOA
* for the black list zone which breaks
* sanity checking of result by nameservers.
*/
rpz_log_rewrite(client, ISC_FALSE,
rpz_st->m.policy,
rpz_st->m.type, zone,
rpz_st->p_name, NULL);
goto cleanup;
result = DNS_R_NXRRSET;
nxrewrite = ISC_TRUE;
break;
case DNS_RPZ_POLICY_RECORD:
result = rpz_st->m.result;
if (qtype == dns_rdatatype_any &&
......@@ -7174,15 +7159,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
query_releasename(client, &fname);
}
/*
* Add SOA.
* Add SOA if NXRRSET was not generated by RPZ rewrite
*/
result = query_addsoa(client, db, version, ISC_UINT32_MAX,
dns_rdataset_isassociated(rdataset));
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
goto cleanup;
if (!nxrewrite) {
isc_boolean_t associated =
dns_rdataset_isassociated(rdataset);
result = query_addsoa(client, db, version,
ISC_UINT32_MAX, associated);
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
goto cleanup;
}
}
/*
* Add NSEC record if we found one.
*/
......@@ -7221,17 +7212,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
/*
* Add SOA. If the query was for a SOA record force the
* Add SOA if NXDOMAIN was not generated by RPZ rewrite.
*
* If the query was for a SOA record force the
* ttl to zero so that it is possible for clients to find
* the containing zone of an arbitrary name with a stub
* resolver and not have it cached.
*/
if (qtype == dns_rdatatype_soa &&
zone != NULL &&
dns_zone_getzeronosoattl(zone))
if (!nxrewrite && qtype == dns_rdatatype_soa &&
zone != NULL && dns_zone_getzeronosoattl(zone))
result = query_addsoa(client, db, version, 0,
dns_rdataset_isassociated(rdataset));
else
else if (!nxrewrite)
result = query_addsoa(client, db, version,
ISC_UINT32_MAX,
dns_rdataset_isassociated(rdataset));
......
......@@ -1282,6 +1282,7 @@ do
done
echo "I: checking dns64-server and dns64-contact ($n)"
ret=0
$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
n=`expr $n + 1`
......@@ -1289,6 +1290,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL less than 600 from zone ($n)"
ret=0
#expect 500
$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
......@@ -1297,6 +1299,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL more than 600 from zone ($n)"
ret=0
#expect 700
$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
......@@ -1305,6 +1308,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL less than minimum from zone ($n)"
ret=0
#expect 1100
$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
......@@ -1313,6 +1317,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL limited to minimum from zone ($n)"
ret=0
#expect 1200
$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
......@@ -1321,6 +1326,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL less than 600 via cache ($n)"
ret=0
#expect 500
$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
......@@ -1329,6 +1335,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL more than 600 via cache ($n)"
ret=0
#expect 700
$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
......@@ -1337,6 +1344,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL less than minimum via cache ($n)"
ret=0
#expect 1100
$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
......@@ -1345,6 +1353,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking TTL limited to minimum via cache ($n)"
ret=0
#expect 1200
$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
......@@ -1353,6 +1362,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
ret=0
$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
n=`expr $n + 1`
......
......@@ -360,7 +360,7 @@ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
drop a3-8.tld2 any @$ns6 # 20 drop
end_group
ckstats $ns3 test1 ns3 23
ckstats $ns3 test1 ns3 22
ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment