From 08d0d24d3bbd07a2a460da7ec973ef39c1ed8a1e Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Wed, 14 Dec 2022 15:47:03 +0000
Subject: [PATCH] A couple of RPZ options were not reconfigured as expected

[bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured. [GL #3740]

(cherry picked from commit d8a3d328db1fb530b6f29c03291e80252251a2e1)
---
 CHANGES | 4 ++++
 bin/named/server.c | 11 +++++++++--
 bin/tests/system/rpz/tests.sh | 13 ++++++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6d15b3e224..1495518858 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6050. [bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured. [GL #3740]
+
 6048. [bug] Fix a log message error in dns_catz_update_from_db(), where serials with values of 2^31 or larger were logged incorrectly as negative numbers. [GL #3742]
diff --git a/bin/named/server.c b/bin/named/server.c
index d575b8431f..7c534d32ba 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2311,6 +2311,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 	} else {
 		zone->max_policy_ttl = ttl_default;
 	}
+	if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) {
+		*old_rpz_okp = false;
+	}
 	obj = cfg_tuple_get(rpz_obj, "min-update-interval");
 	if (cfg_obj_isduration(obj)) {
@@ -2318,8 +2321,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 	} else {
 		zone->min_update_interval = minupdateinterval_default;
 	}
-
-	if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) {
+	if (*old_rpz_okp &&
+	    zone->min_update_interval != old->min_update_interval)
+	{
 		*old_rpz_okp = false;
 	}
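Review bot: The per-option staleness check is now repeated as a separate copy after each option is parsed, here for max-policy-ttl, in the hunk at -2318 for min-update-interval and in the hunk at -2422 for add-soa, each of the form `if (*old_rpz_okp && zone->X != old->X) { *old_rpz_okp = false; }`; that scattered shape is exactly what let two options go uncompared before this fix, so a future option is likely to be missed the same way. Consider moving the three comparisons into one block just before the `return (ISC_R_SUCCESS);` at the end of configure_rpz_zone, so the list of fields that must match the previous configuration is visible in one place and can be audited against the options the function reads. The guard on `*old_rpz_okp` also seems to be what makes `old->...` safe to dereference; if that is the invariant, a comment at the first comparison such as `/* old is only meaningful while *old_rpz_okp is still true */` would make it explicit. configure_rpz_zone begins before this hunk and its remaining option parsing lies between the hunks.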
@@ -2422,6 +2426,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 	} else {
 		zone->addsoa = cfg_obj_asboolean(obj);
 	}
+	if (*old_rpz_okp && zone->addsoa != old->addsoa) {
+		*old_rpz_okp = false;
+	}
 	return (ISC_R_SUCCESS);
 }
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index f7fbbbcd69..fd6d545e03 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -920,7 +920,18 @@ EOF
 	if [ native = "$mode" ]; then
 		t=`expr $t + 1`
-		echo_i "checking that "add-soa unset" works (${t})"
+		echo_i "reconfiguring server with 'add-soa no' (${t})"
+		cp ns3/named.conf ns3/named.conf.tmp
+		sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf
+		rndc_reconfig ns3 $ns3
+		echo_i "checking that 'add-soa no' at response-policy level works (${t})"
+		$DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
+		grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed"
+	fi
+
+	if [ native = "$mode" ]; then
+		t=`expr $t + 1`
+		echo_i "checking that 'add-soa unset' works (${t})"
 		$DIG walled.tld2 -p ${PORT} +noall +add @$ns8 > dig.out.${t}
 		grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
 	fi
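Review bot: The ns3 configuration is rewritten in place (`sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf` followed by `rndc_reconfig ns3 $ns3`) and nothing in this hunk restores it, so every later check against ns3 in this run sees `add-soa no`; whether a later check depends on the original `add-soa yes` cannot be told from the hunk, but a test that mutates shared server state should say so. Either restore after the grep with `cp ns3/named.conf.tmp ns3/named.conf` and another `rndc_reconfig ns3 $ns3`, or add a comment above the `cp` stating that ns3 intentionally keeps `add-soa no` for the rest of the run. The `/g` substitution also flips any zone-level `add-soa yes` in that file, so the "at response-policy level" wording in the echo holds only if the response-policy block is the sole occurrence, which is worth confirming. The enclosing test script continues beyond the hunk.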