Commit b64e3b83 authored by Mark Andrews's avatar Mark Andrews

3125. [security] Using wildcard CNAME records as a replacement with

                        RPZ caused named to exit with an assertion failure.
                        [RT #24715]
parent 2a6d6061
3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with a assertion failure.
[RT #24715]
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.365 2011/06/08 22:13:50 each Exp $ */
/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */
/*! \file */
......@@ -5416,6 +5416,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
break;
case DNS_RPZ_POLICY_RECORD:
if (type == dns_rdatatype_any &&
result != DNS_R_CNAME &&
dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
break;
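Review bot: The new `result != DNS_R_CNAME &&` clause is the whole fix, yet nothing at the site says why a CNAME result must keep its rdataset associated on an ANY query, so the next reader sees a three-way condition with no rationale. A short comment above the `if` would carry it, e.g. `/* Keep the rdataset when the RPZ replacement is a CNAME: the CNAME result is still consumed later in query_find, and disassociating it here triggered an assertion (RT #24715). */` — the "consumed later" part is my reading of how DNS_R_CNAME is normally handled and should be confirmed against the code after this hunk. query_find begins and continues outside the hunk. The matching regression in tests.sh only checks that ns3 still answers rndc after the new queries, which is adequate for an assertion-failure fix but does not pin the content of the ANY answer.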
......
......@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
; $Id: base.db,v 1.5 2011/06/09 00:42:50 marka Exp $
; RPZ test
......@@ -33,3 +33,4 @@ $TTL 120
; for testing rrset replacement
redirect IN A 127.0.0.1
*.redirect IN A 127.0.0.1
*.cname-redirect IN CNAME google.com.
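Review bot: The new wildcard CNAME targets `google.com.`, a real external name, so the fixture's behaviour depends on what the test resolver does with that target rather than on data the test controls; if ns3 recurses to follow the CNAME, the run can reach the network or vary with external DNS. Pointing the replacement at a name served by the test's own zones, e.g. `*.cname-redirect IN CNAME a3-1.tld2.` (a3-1.tld2 is queried elsewhere in this commit), keeps the run hermetic. Whether ns3 actually chases the CNAME target for these queries is not visible here and should be confirmed before changing the fixture.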
......@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $
# test response policy zones (RPZ)
......@@ -223,6 +223,7 @@ $DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
$DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then
......@@ -239,6 +240,24 @@ $DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
$DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then
echo "I:failed";
(cd ..; $PERL start.pl --noclean --restart rpz ns3)
fi
status=`expr $status + $ret`
ret=0
echo "I:checking ANY queries"
# We don't actually care about the query results; the important
# thing is the server handles SIG queries okay
$DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1
$DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1
$DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1
$DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1
$DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then
......