Commit 64e1429f authored by Evan Hunt's avatar Evan Hunt

Merge branch '1619-rpz-wildcard-passthru-ignored-v9_11' into 'v9_11'

Resolve "RPZ wildcard passthru ignored"

See merge request !3874
parents 51babc2c 4bc9ee18
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5466. [bug] Fix RPZ wildcard passthru ignored when a rejection
file would overwrite a passthru action matching some
rule in a previously loaded passthru rpz zone.
[GL #1619]
5465. [func] Fallback to built in trust-anchors, managed-keys, or
trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ IN SOA ns.example.com. root.example.com. 1 3600 3600 3600 3600
@ NS ns.example.com.
ns.example.com. A 10.53.0.1
@ A 1.2.3.4
www A 1.2.3.5
......@@ -65,3 +65,8 @@ zone "test2.example.net" {
type master;
file "test2.example.net.db";
};
zone "example.com" {
type master;
file "example.com.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$ORIGIN given.zone.
$TTL 3600
@ IN SOA ns.given.zone. hostmaster.given.zone. 1 600 300 604800 3600
IN NS ns.given.zone.
ns IN A 127.0.0.1
; this should be ignores as it matches earlier passthru entry.
example.com CNAME .
; this should be ignored as it matches earlier wildcard passthru entry.
www.example.com CNAME .
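Review bot: The comment above the `example.com CNAME .` record has a typo ("ignores") and reads better as `; this should be ignored as it matches the earlier passthru entry.`, matching the wording of the comment on the wildcard record below it. Both records are `CNAME .`, i.e. NXDOMAIN actions as I read RPZ encoding, so the comments might also say which action is expected to be overridden rather than just "ignored", which would make the fixture self-explanatory next to db.passthru.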
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$ORIGIN passthru.zone.
$TTL 3600
@ IN SOA ns.passthru.zone. hostmaster.passthru.zone. 1 600 300 604800 3600
IN NS ns.passthru.zone.
ns IN A 127.0.0.1
example.com CNAME rpz-passthru.
*.example.com CNAME rpz-passthru.
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
# common configuration
include "named.conf.header";
view "recursive" {
# policy configuration to be tested
response-policy {
zone "passthru.zone" policy passthru;
zone "given.zone" policy given;
};
# policy zones to be tested
zone "passthru.zone" { type master; file "db.passthru"; };
zone "given.zone" { type master; file "db.given"; };
zone "." {
type hint;
file "root.hint";
};
recursion yes;
dnssec-validation yes;
};
......@@ -390,5 +390,19 @@ if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo_i "failed"; fi
status=`expr $status + $ret`
t=`expr $t + 1`
echo_i "testing wildcard passthru before explicit drop (${t})"
run_server wildcard4
$DIG $DIGOPTS example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.1
grep "status: NOERROR" dig.out.${t}.1 > /dev/null || {
echo_i "test ${t} failed"
status=1
}
$DIG $DIGOPTS www.example.com a @10.53.0.2 -p ${PORT} > dig.out.${t}.2
grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
echo_i "test ${t} failed"
status=1
}
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
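Review bot: Both checks assert only `status: NOERROR`, which does not demonstrate that the passthru actually delivered the upstream answer rather than some other non-error response; adding `grep "1.2.3.4" dig.out.${t}.1` and `grep "1.2.3.5" dig.out.${t}.2` would pin that, on the assumption that ns2's recursion reaches the example.com zone this commit adds to ns1. The failure branches also write `status=1` directly, while the surrounding tests set `ret=1` and fold it in with `status=`expr $status + $ret``, so the new test is inconsistent with the file's accounting pattern. The label "before explicit drop" does not match db.given, whose rules are `CNAME .` (an NXDOMAIN action as I read it) rather than rpz-drop, so a label such as "testing wildcard passthru before later NXDOMAIN rule" would be more accurate.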
......@@ -230,6 +230,8 @@ elif [ "$assertion_failures" -ne 0 ]; then
elif [ "$sanitizer_summaries" -ne 0 ]; then
echoinfo "I:$systest:$sanitizer_summaries sanitizer report(s) found"
echofail "R:$systest:FAIL"
elif [ "$status" != 0 ]; then
echofail "R:$systest:FAIL"
else
echopass "R:$systest:PASS"
if $clean; then
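Review bot: The new condition compares `$status` as a string (`!= 0`) while the neighbouring branches in the same chain use arithmetic tests (`-ne 0`), so a value like `00` or ` 0` would be treated as a failure here but not above; `elif [ "$status" -ne 0 ]; then` keeps the chain consistent. The enclosing if/elif chain begins before this hunk, so I cannot see where `$status` is set.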
......
......@@ -2326,7 +2326,40 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
case DNS_R_PARTIALMATCH:
i = chain.level_matches;
while (i >= 0 && (nmnode = chain.levels[i]) != NULL) {
nmnode = chain.levels[chain.level_matches];
/* Whenever an exact match is found by dns_rbt_findnode(),
* the highest level node in the chain will not be put into
* chain->levels[] array, but instead the chain->end
* pointer will be adjusted to point to that node.
*
* Suppose we have the following entries in a rpz zone:
* example.com CNAME rpz-passthru.
* *.example.com CNAME rpz-passthru.
*
* A query for www.example.com would result in the
* following chain object returned by dns_rbt_findnode():
* chain->level_count = 2
* chain->level_matches = 2
* chain->levels[0] = .
* chain->levels[1] = example.com
* chain->levels[2] = NULL
* chain->end = www
*
* Since exact matches only care for testing rpz set bits,
* we need to test for rpz wild bits through iterating the
* nodechain, and that includes testing the rpz wild bits in the
* highest level node found. In the case of an exact match,
* chain->levels[chain->level_matches] will be NULL, to address
* that we must use chain->end as the start
* point, then iterate over the remaining levels in the chain.
*/
if (nmnode == NULL) {
--i;
nmnode = chain.end;
}
while (nmnode != NULL) {
nm_data = nmnode->data;
if (nm_data != NULL) {
if (rpz_type == DNS_RPZ_TYPE_QNAME) {
......@@ -2335,7 +2368,13 @@ dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
found_zbits |= nm_data->wild.ns;
}
}
i--;
if (i >= 0) {
nmnode = chain.levels[i];
--i;
} else {
break;
}
}
break;
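Review bot: On the partial-match path the starting node is visited twice: `i` is decremented only in the `nmnode == NULL` branch, so after `chain.levels[chain.level_matches]` has been processed the tail `if (i >= 0) { nmnode = chain.levels[i]; --i; }` reloads that same node before moving up the chain. This appears harmless because the visible body only ORs `wild` bits into `found_zbits`, but the loop reads as if each level were examined once. Initialising with `nmnode = chain.levels[i]; if (nmnode == NULL) { nmnode = chain.end; } --i;` (decrementing unconditionally) visits each node exactly once on both the exact-match and partial-match paths. The new block comment would also match the file's comment style better if it opened with `/*` on its own line. dns_rpz_find_name starts and ends outside this hunk.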
......
......@@ -2084,6 +2084,7 @@
./bin/tests/system/rpzrecurse/clean.sh SH 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns1/db.l0 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns1/db.l1.l0 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns1/example.com.db ZONE 2020
./bin/tests/system/rpzrecurse/ns1/example.db ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns1/named.conf.in CONF-C 2018,2019,2020
./bin/tests/system/rpzrecurse/ns1/root.db ZONE 2015,2016,2018,2019,2020
......@@ -2092,9 +2093,11 @@
./bin/tests/system/rpzrecurse/ns2/db.clientip1 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.clientip2 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.clientip21 ZONE 2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.given ZONE 2020
./bin/tests/system/rpzrecurse/ns2/db.log1 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.log2 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.log3 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.passthru ZONE 2020
./bin/tests/system/rpzrecurse/ns2/db.wildcard1 ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.wildcard2a ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/db.wildcard2b ZONE 2015,2016,2018,2019,2020
......@@ -2107,6 +2110,7 @@
./bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf CONF-C 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf CONF-C 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf CONF-C 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns2/named.wildcard4.conf CONF-C 2020
./bin/tests/system/rpzrecurse/ns2/root.hint ZONE 2015,2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns3/example.db ZONE 2016,2018,2019,2020
./bin/tests/system/rpzrecurse/ns3/named1.conf.in CONF-C 2016,2018,2019,2020
......