Commit 71f8edcc authored by Evan Hunt's avatar Evan Hunt

[master] fix DNS64 with RPZ-remapped A records

3468.	[security]	RPZ rules to generate A records (but not AAAA records)
			could trigger an assertion failure when used in
			conjunction with DNS64. [RT #32141]
parent c8803902
3467. [bug] Added checks in dnssec-keygen and dnssec-settime to check for
delete date < inactive date. [RT #31719]
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64. [RT #32141]
3467. [bug] Added checks in dnssec-keygen and dnssec-settime
to check for delete date < inactive date. [RT #31719]
3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check
in DLZ example driver. [RT #32275]
......
......@@ -5991,6 +5991,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
query_putrdataset(client, &sigrdataset);
rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, "", rpz_st->m.policy,
rpz_st->m.type, rpz_st->qname);
......@@ -6369,6 +6370,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64 = ISC_TRUE;
goto db_find;
}
......@@ -6637,6 +6647,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
sigrdataset = NULL;
fname = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64 = ISC_TRUE;
goto db_find;
}
......@@ -7148,6 +7167,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
rpz_st = client->query.rpz_st;
if (rpz_st != NULL) {
/*
* Arrange for RPZ rewriting of any A records.
*/
if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
is_zone = rpz_st->q.is_zone;
rpz_st_clear(client);
}
dns64_exclude = dns64 = ISC_TRUE;
goto db_find;
}
......
......@@ -53,3 +53,4 @@ ttl-less-than-600 500 A 5.6.7.8
ttl-more-than-600 700 A 5.6.7.8
ttl-less-than-minimum 1100 A 5.6.7.8
ttl-more-than-minimum 1300 A 5.6.7.8
rpz 1500 A 99.99.99.99
......@@ -56,9 +56,18 @@ options {
dns64 2001:48::/48 { clients { 10.53.0.6; }; };
dns64 2001:56::/56 { clients { 10.53.0.6; }; };
dns64 2001:64::/64 { clients { 10.53.0.6; }; };
dns64 2001:96::/96 { clients { 10.53.0.7; }; };
response-policy { zone "rpz"; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
zone "rpz" {
type master;
file "rpz.db";
};
$TTL 86400 ; 1 day
@ IN SOA rpz. noc.rpz. (
1 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
2592000 ; expire (4 weeks 2 days)
25200 ; minimum (7 hours)
)
NS @
IN A 10.53.0.2
rpz.example IN A 10.10.10.10
......@@ -1352,5 +1352,12 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment