3008. [func] Response policy zones (RPZ) support. [RT #21726]

87708bde · Mark Andrews · 100b7874 · 87708bde · 87708bde · 87708bde
Commit 87708bde authored Jan 13, 2011 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+3008.	[func]		Response policy zones (RPZ) support. [RT #21726]
+
 3007.	[bug]		Named failed to preserve the case of domain names in
 			rdata which is no compressable when writing master
 			files.  [RT #22863]

--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.h,v 1.43 2010/12/08 02:46:15 marka Exp $ */
+/* $Id: query.h,v 1.44 2011/01/13 01:59:25 marka Exp $ */

 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
@@ -26,8 +26,9 @@
 #include <isc/buffer.h>
 #include <isc/netaddr.h>

-#include <dns/types.h>
 #include <dns/rdataset.h>
+#include <dns/rpz.h>
+#include <dns/types.h>

 #include <named/types.h>

@@ -35,6 +36,7 @@
 typedef struct ns_dbversion {
 	dns_db_t			*db;
 	dns_dbversion_t			*version;
+	isc_boolean_t			acl_checked;
 	isc_boolean_t			queryok;
 	ISC_LINK(struct ns_dbversion)	link;
 } ns_dbversion_t;
@@ -55,6 +57,7 @@ struct ns_query {
 	isc_boolean_t			isreferral;
 	isc_mutex_t			fetchlock;
 	dns_fetch_t *			fetch;
+	dns_rpz_st_t *			rpz_st;
 	isc_bufferlist_t		namebufs;
 	ISC_LIST(ns_dbversion_t)	activeversions;
 	ISC_LIST(ns_dbversion_t)	freeversions;

--- a/bin/named/query.c
+++ b/bin/named/query.c
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.597 2011/01/11 23:47:12 tbox Exp $ */
+/* $Id: server.c,v 1.598 2011/01/13 01:59:25 marka Exp $ */

 /*! \file */

@@ -1438,6 +1438,114 @@ cleanup:
 	return (result);
 }

+static isc_result_t
+configure_rpz(dns_view_t *view, const cfg_listelt_t *element) {
+	const cfg_obj_t *rpz_obj, *policy_obj;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *origin;
+	dns_rpz_zone_t *old, *new;
+	dns_zone_t *zone;
+	isc_result_t result;
+	unsigned int l1, l2;
+
+	new = isc_mem_get(view->mctx, sizeof(*new));
+	if (new == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	memset(new, 0, sizeof(*new));
+	dns_name_init(&new->nsdname, NULL);
+	dns_name_init(&new->origin, NULL);
+	dns_name_init(&new->cname, NULL);
+	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
+
+	rpz_obj = cfg_listelt_value(element);
+	policy_obj = cfg_tuple_get(rpz_obj, "policy");
+	if (cfg_obj_isvoid(policy_obj)) {
+		new->policy = DNS_RPZ_POLICY_GIVEN;
+	} else {
+		str = cfg_obj_asstring(policy_obj);
+		new->policy = dns_rpz_str2policy(str);
+		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+	}
+
+	dns_fixedname_init(&fixed);
+	origin = dns_fixedname_name(&fixed);
+	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "name"));
+	result = dns_name_fromstring(origin, str, DNS_NAME_DOWNCASE, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+		goto cleanup;
+	}
+
+	result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
+				      origin, DNS_NAME_DOWNCASE, view->mctx);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "invalid zone '%s'", str);
+		goto cleanup;
+	}
+
+	/*
+	 * The origin is part of 'nsdname' so we don't need to keep it
+	 * seperately.
+	 */
+	l1 = dns_name_countlabels(&new->nsdname);
+	l2 = dns_name_countlabels(origin);
+	dns_name_getlabelsequence(&new->nsdname, l1 - l2, l2, &new->origin);
+
+	/*
+	 * Are we configured to with the reponse policy zone?
+	 */
+	result = dns_view_findzone(view, &new->origin, &zone);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			    "unknown zone '%s'", str);
+		goto cleanup;
+	}
+
+	if (dns_zone_gettype(zone) != dns_zone_master &&
+	    dns_zone_gettype(zone) != dns_zone_slave) {
+		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+			     "zone '%s' is neither master nor slave", str);
+		dns_zone_detach(&zone);
+		result = DNS_R_NOTMASTER;
+		goto cleanup;
+	}
+	dns_zone_detach(&zone);
+
+	for (old = ISC_LIST_HEAD(view->rpz_zones);
+	     old != new;
+	     old = ISC_LIST_NEXT(old, link)) {
+		++new->num;
+		if (dns_name_equal(&old->origin, &new->origin)) {
+			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "duplicate '%s'", str);
+			result = DNS_R_DUPLICATE;
+			goto cleanup;
+		}
+	}
+
+	if (new->policy == DNS_RPZ_POLICY_CNAME) {
+		str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "cname"));
+		result = dns_name_fromstring(&new->cname, str, 0, view->mctx);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+				    "invalid cname '%s'", str);
+			goto cleanup;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_rpz_view_destroy(view);
+	return (result);
+}
+
 /*
 * Configure 'view' according to 'vconfig', taking defaults from 'config'
 * where values are missing in 'vconfig'.
@@ -2781,6 +2889,29 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 		}
 	}

+	/*
+	 * Make the list of response policy zone names for views that
+	 * are used for real lookups and so care about hints.
+	 */
+	zonelist = NULL;
+	if (view->rdclass == dns_rdataclass_in && need_hints) {
+		obj = NULL;
+		result = ns_config_get(maps, "response-policy", &obj);
+		if (result == ISC_R_SUCCESS)
+			cfg_map_get(obj, "zone", &zonelist);
+	}
+	if (zonelist != NULL) {
+
+		for (element = cfg_list_first(zonelist);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			result = configure_rpz(view, element);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			dns_rpz_set_need(ISC_TRUE);
+		}
+	}
+
 	result = ISC_R_SUCCESS;

 cleanup:

--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: Makefile.in,v 1.33 2010/06/23 23:46:58 tbox Exp $
+# $Id: Makefile.in,v 1.34 2011/01/13 01:59:25 marka Exp $

 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@

 @BIND9_MAKE_INCLUDES@

-SUBDIRS =	filter-aaaa lwresd tkey 
+SUBDIRS =	filter-aaaa lwresd rpz tkey
 TARGETS =

 @BIND9_MAKE_RULES@

--- a/bin/tests/system/README
+++ b/bin/tests/system/README
@@ -17,6 +17,7 @@ involving a different DNS setup.  They are:
  nsupdate/	Dynamic update and IXFR tests
  resolver/     Regression tests for resolver bugs that have been fixed
 		(not a complete resolver test suite)
+  rpz/		Tests of response policy zone (RPZ) rewriting
  stub/		Tests of stub zone functionality
  unknown/	Unknown type and class tests
  upforwd/	Update forwarding tests
@@ -57,4 +58,4 @@ The tests can be run individually like this:

 To run all the tests, just type "make test".

-$Id: README,v 1.14 2010/08/25 23:46:37 tbox Exp $
+$Id: README,v 1.15 2011/01/13 01:59:25 marka Exp $
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: conf.sh.in,v 1.57 2010/12/23 04:07:59 marka Exp $
+# $Id: conf.sh.in,v 1.58 2011/01/13 01:59:26 marka Exp $

 #
 # Common configuration data for system tests, to be sourced into
@@ -55,7 +55,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
 SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
    dlv @DLZ_SYSTEM_TEST@ dlzexternal dns64 dnssec forward glue gost ixfr limits
    lwresd masterfile masterformat metadata notify nsupdate pending pkcs11
-    resolver rrsetorder sortlist smartsign staticstub stub tkey
+    resolver rpz rrsetorder sortlist smartsign staticstub stub tkey
    tsig tsiggss unknown upforwd views xfer xferquota zonechecks"

 # PERL will be an empty string if no perl interpreter was found.

--- a/bin/tests/system/rpz/Makefile.in
+++ b/bin/tests/system/rpz/Makefile.in
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =
+ISCLIBS =	.
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS =		@LIBS@
+
+TARGETS =	rpz@EXEEXT@
+
+RPZOBJS =	rpz.@O@
+
+SRCS =		rpz.c
+
+@BIND9_MAKE_RULES@
+
+all: rpz@EXEEXT@
+
+rpz@EXEEXT@: ${RPZOBJS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${RPZOBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+
+# Clean up after rpz tests.
+
+rm -f dig.out* nsupdate.tmp
+rm -f  */named.memstats */named.run */session.key
+rm -f ns3/bl*.db */*.jnl
--- a/bin/tests/system/rpz/ns1/named.conf
+++ b/bin/tests/system/rpz/ns1/named.conf
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011/01/13 01:59:26 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	session-keyfile "session.key";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	notify no;
+};
+
+zone "." {type master; file "root.db";};
--- a/bin/tests/system/rpz/ns1/root.db
+++ b/bin/tests/system/rpz/ns1/root.db
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+$TTL	120
+@		SOA	s1. hostmaster.ns.s1. ( 1 3600 1200 604800 60 )
+@		NS	s1
+s1.		A	10.53.0.1
+
+; rewrite responses from this zone
+tld2.		NS	ns.tld2.
+ns.tld2.	A	10.53.0.2
+
+; requests come from here
+tld3.		NS	ns.tld3.
+ns.tld3.	A	10.53.0.3
--- a/bin/tests/system/rpz/ns2/hints
+++ b/bin/tests/system/rpz/ns2/hints
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+.	0	NS	s1.
+s1.	0	A	10.53.0.1
--- a/bin/tests/system/rpz/ns2/named.conf
+++ b/bin/tests/system/rpz/ns2/named.conf
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011/01/13 01:59:26 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	notify no;
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld2." {type master; file "tld2.db";};
+zone "sub1.tld2." {type master; file "tld2.db";};
+zone "sub2.sub1.tld2." {type master; file "tld2.db";};
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: tld2.db,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+; RPZ rewrite responses from this zone
+
+$TTL	120
+@		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	@
+		A	10.53.0.2
+
+nodata		TXT	"nodata"
+a12		A	12.12.12.12
+
+a0-1		A	192.168.0.1
+		AAAA	2001:2::1
+		TXT	"a0-1 text"
+
+a3-1		A	192.168.3.1
+		AAAA	2001:2:3::1
+		TXT	"a3-1 text"
+
+a3-2		A	192.168.3.2
+		AAAA	2001:2:3::2
+		TXT	"a3-2 text"
+
+a4-1		A	192.168.4.1
+		AAAA	2001:2:4::1
+		TXT	"a4-1 text"
+a4-1-aaaa	AAAA	2001:2:4::1
+
+a4-2		A	192.168.4.2
+		AAAA	2001:2:4::2
+		TXT	"a4-2 text"
+
+a4-3		A	192.168.4.3
+		AAAA	2001:2:4::3
+		TXT	"a4-3 text"
+
+a4-4		A	192.168.4.4
+		AAAA	2001:2:4::4
+		TXT	"a4-4 text"
+
+a4-5		CNAME	a12
+
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: base.db,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+; RPZ test
+
+$TTL	120
+@		SOA	tld3.  hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )
+@		NS	ns.utld.
+
+; Poke the radix tree a little.
+128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip	CNAME	.
+128.1111.2222.3333.4444.5555.6666.zz.rpz-ip		CNAME	.
+128.1111.2222.3333.4444.5555.zz.8888.rpz-ip		CNAME	.
+128.1111.2222.3333.4444.zz.8888.rpz-ip			CNAME	.
+128.zz.3333.4444.0.0.8888.rpz-ip			CNAME	.
+128.zz.3333.4444.0.7777.8888.rpz-ip			CNAME	.
+128.zz.3333.4444.0.8777.8888.rpz-ip			CNAME	.
+127.zz.3333.4444.0.8777.8888.rpz-ip			CNAME	.
--- a/bin/tests/system/rpz/ns3/hints
+++ b/bin/tests/system/rpz/ns3/hints
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2 2011/01/13 01:59:27 marka Exp $
+
+.	0	NS	s1.
+s1.	0	A	10.53.0.1
--- a/bin/tests/system/rpz/ns3/named.conf
+++ b/bin/tests/system/rpz/ns3/named.conf
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011/01/13 01:59:27 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	notify no;
+
+	response-policy {
+	    zone "bl";
+	    zone "bl-given" policy given;
+	    zone "bl-no-op" policy no-op;
+	    zone "bl-nodata" policy nodata;
+	    zone "bl-nxdomain" policy nxdomain;
+	    zone "bl-cname" policy cname nodata.tld2.;
+	};
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+controls {
+        inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+logging {
+	category queries { default_stderr; };
+	category query-errors { default_stderr; };
+};
+
+
+zone "." { type hint; file "hints"; };
+
+
+zone "bl."	    {type master; file "bl.db";
+			allow-update {any;};
+};
+zone "bl-given."    {type