RPZ qname triggers are always searched even if they can be skipped
Not sure if this is a bug or not - but noticed by a customer who reported:
I happen to notice a minor possible glitch in RPZ query handling.
When loading an RPZ, the corresponding bit for 'rpzs->have.qname' is
always set as the existence of the origin name is regarded as the
existence of a QNAME trigger for the root name (.). So the following
check in rpz_rewrite_name() is pointless unless 'allowed_zbits' clears
some of the bits in case of "qname-wait-recurse yes":
    zbits = rpz_get_zbits(client, qtype, rpz_type);
    zbits &= allowed_zbits;
    if (zbits == 0)
        return (ISC_R_SUCCESS);
Since the root name is never subject to RPZ rewrite, we could actually
optimize it a bit by not setting have.qname for the RPZ's origin
name. This may be a minor optimization, though, since
dns_rpz_find_name() should be relatively cheap, and I guess it's quite
unlikely that we use RPZs that don't have any QNAME triggers. So you
may or may not want to "fix" it.
I primarily checked it for 9.11.3-S2, but I believe it's the same for all recent versions including 9.10.x.
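A small model of the bookkeeping the report describes, added here as an illustration and not BIND code: the zone records, trigger bitmask names and the `skip_origin` switch are invented, but the `zbits &= allowed_zbits; if (zbits == 0)` short-circuit mirrors the quoted check.

```c
/* Simplified model of RPZ trigger bookkeeping (added example, not BIND code). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define RPZ_QNAME 0x1u   /* hypothetical bit for a QNAME trigger  */
#define RPZ_NSIP  0x2u   /* hypothetical bit for an NSIP trigger   */

typedef struct {
    const char *name;    /* owner name, "@" stands for the zone origin */
    unsigned    type;    /* which trigger kind the record defines      */
} trigger_t;

/* Constructed sample zone: only the origin (apex SOA/NS) plus one NSIP
 * trigger, i.e. a zone with no real QNAME triggers at all. */
static const trigger_t sample_zone[] = {
    { "@",                         RPZ_QNAME },   /* origin counted as QNAME */
    { "32.1.0.0.192.rpz-nsip",     RPZ_NSIP  },
};
#define SAMPLE_ZONE_LEN (sizeof(sample_zone) / sizeof(sample_zone[0]))

/* Build the zone's "have" mask. skip_origin models the suggested fix:
 * the origin name is never rewritten, so it should not set have.qname. */
unsigned rpz_have_bits(const trigger_t *recs, size_t n, bool skip_origin) {
    unsigned have = 0;
    for (size_t i = 0; i < n; i++) {
        if (skip_origin && recs[i].type == RPZ_QNAME &&
            strcmp(recs[i].name, "@") == 0)
            continue;
        have |= recs[i].type;
    }
    return have;
}

/* The early-return check from rpz_rewrite_name(): true means the lookup
 * for this trigger type can be skipped without calling dns_rpz_find_name(). */
bool rpz_can_skip(unsigned have, unsigned allowed_zbits, unsigned rpz_type) {
    unsigned zbits = have & rpz_type;   /* stands in for rpz_get_zbits() */
    zbits &= allowed_zbits;
    return zbits == 0;
}

/* Convenience wrappers over the constructed zone for the two behaviours. */
bool qname_lookup_skipped_today(void) {
    return rpz_can_skip(rpz_have_bits(sample_zone, SAMPLE_ZONE_LEN, false), ~0u, RPZ_QNAME);
}
bool qname_lookup_skipped_with_fix(void) {
    return rpz_can_skip(rpz_have_bits(sample_zone, SAMPLE_ZONE_LEN, true), ~0u, RPZ_QNAME);
}
```

With the origin counted, the zone reports a QNAME trigger it does not really have and the check never fires; ignoring the origin lets the QNAME lookup be skipped for a zone that only carries NSIP triggers.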