From c19cfefe7e345c37ef3bb98b0db2d14fe7b1d583 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sat, 7 Jan 2012 00:19:59 +0000
Subject: [PATCH] 3262. [bug] Signed responses were handled incorrectly by RPZ. [RT #27316]
---
 CHANGES | 3 +++
 bin/named/query.c | 4 +++-
 bin/tests/system/rpz/clean.sh | 4 +++-
 bin/tests/system/rpz/ns1/root.db | 7 ++++++-
 bin/tests/system/rpz/ns2/named.conf | 3 ++-
 bin/tests/system/rpz/setup.sh | 11 +++++++++--
 bin/tests/system/rpz/test1 | 3 ++-
 bin/tests/system/rpz/tests.sh | 6 +++++-
 8 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index 2b38fe3b36..55f73cdbdc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3262. [bug] Signed responses were handled incorrectly by RPZ.
+ [RT #27316]
+
 3261. [func] RRset ordering now defaults to random. [RT #27174]
 
 3260. [bug] "rrset-order cyclic" could appear not to rotate
diff --git a/bin/named/query.c b/bin/named/query.c
index a995775062..9f6c86e694 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.380 2012/01/04 23:46:49 tbox Exp $ */
+/* $Id: query.c,v 1.381 2012/01/07 00:19:59 each Exp $ */
 
 /*! \file */
 
@@ -5659,6 +5659,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
 RECURSIONOK(client) && !RECURSING(client) &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset)) &&
 (client->query.rpz_st == NULL ||
 (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
 !dns_name_equal(client->query.qname, dns_rootname)) {
diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
index 9cf6c19b6b..4f45afe0fd 100644
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
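Review bot: The added `(!WANTDNSSEC(client) || sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))` term makes whether RPZ is applied depend on a flag the client chooses to set, and nothing in the code says why. Add a comment above the term, e.g. `/* Leave signed answers alone when the client asked for DNSSEC: a rewritten RRset could not validate at the client, so the policy would not achieve anything there. */`, and state in the operator documentation that policy rewrites are not applied to such queries, so the trade-off is visible rather than discovered in the field. As written the guard looks only at the answer RRset's signatures; for a negative response from a signed zone, whose signatures sit in the authority section, `sigrdataset` is presumably not associated and the rewrite still happens, which deserves either a sentence in the same comment or a case in tests.sh pinning it down. query_find starts and ends outside the hunk.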
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.4 2011/10/13 01:32:32 vjs Exp $
+# $Id: clean.sh,v 1.5 2012/01/07 00:19:59 each Exp $
 
 # Clean up after rpz tests.
 
@@ -20,3 +20,5 @@
 rm -f proto.* dig.out* nsupdate.tmp
 rm -f */named.memstats */named.run */named.rpz */session.key
 rm -f ns3/bl*.db */*.jnl */*.core */*.pid
+rm -f ns2/signed-tld2.db
+rm -f ns2/K*.private ns2/K*.key dsset-*
diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db
index 3adf0bf79b..4d4c68bd5f 100644
--- a/bin/tests/system/rpz/ns1/root.db
+++ b/bin/tests/system/rpz/ns1/root.db
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.4 2011/10/13 01:32:33 vjs Exp $
+; $Id: root.db,v 1.5 2012/01/07 00:19:59 each Exp $
 
 $TTL 120
 @ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 )
@@ -25,6 +25,11 @@ tld2. NS ns.tld2.
 ns.tld2. A 10.53.0.2
 ns2.tld2. A 10.53.0.2
+; rewrite responses from this zone unless dnssec requested
+signed-tld2. NS ns.signed-tld2.
+ns.signed-tld2. A 10.53.0.2
+ns2.signed-tld2. A 10.53.0.2
+
 
 ; requests come from here
 tld3. NS ns.tld3.
 ns.tld3. A 10.53.0.3
diff --git a/bin/tests/system/rpz/ns2/named.conf b/bin/tests/system/rpz/ns2/named.conf
index 581816fc47..c15ecc1480 100644
--- a/bin/tests/system/rpz/ns2/named.conf
+++ b/bin/tests/system/rpz/ns2/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.4 2011/10/13 01:32:33 vjs Exp $ */
+/* $Id: named.conf,v 1.5 2012/01/07 00:19:59 each Exp $ */
 
 controls { /* empty */ };
 
@@ -40,3 +40,4 @@ zone "sub2.tld2." {type master; file "tld2.db";};
 zone "subsub.sub2.tld2." {type master; file "tld2.db";};
 zone "sub3.tld2." {type master; file "tld2.db";};
 zone "subsub.sub3.tld2." {type master; file "tld2.db";};
+zone "signed-tld2." {type master; file "signed-tld2.db";};
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 680e237846..b7b327e100 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -14,11 +14,18 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.4 2011/10/13 01:32:32 vjs Exp $
+# $Id: setup.sh,v 1.5 2012/01/07 00:19:59 each Exp $
 
-sh clean.sh
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
 
 # NO-OP is an obsolete synonym for PASSHTRU
 for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do
 sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
 done
+
+../../../tools/genrandom 400 random.data
+$KEYGEN -Kns2 -q -r random.data -3 signed-tld2. > /dev/null 2>&1
+$KEYGEN -Kns2 -q -r random.data -3fk signed-tld2. > /dev/null 2>&1
+$SIGNER -S -Kns2 -o signed-tld2. -f ns2/signed-tld2.db ns2/tld2.db > /dev/null 2>&1
diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1
index 7fa61448d3..27becfe590 100644
--- a/bin/tests/system/rpz/test1
+++ b/bin/tests/system/rpz/test1
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: test1,v 1.7 2011/10/28 11:46:49 marka Exp $
+; $Id: test1,v 1.8 2012/01/07 00:19:59 each Exp $
 
 
 ; Use comment lines instead of blank lines to combine update requests into
@@ -26,6 +26,7 @@
 server 10.53.0.3 5300
 ; NXDOMAIN
 update add a0-1.tld2.bl. 300 CNAME .
+update add a0-1.signed-tld2.bl. 300 CNAME .
 ;
 ; NODATA
 update add a3-1.tld2.bl. 300 CNAME *.
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 2684cc6601..ed8b059090 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
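Review bot: The `genrandom`, `$KEYGEN` and `$SIGNER` steps discard stdout and stderr and never check their exit status, so a failed key generation or signing leaves `ns2/signed-tld2.db` missing, the `signed-tld2.` zone added to ns2/named.conf cannot load, and the failure surfaces later as a confusing `+dnssec` mismatch in tests.sh instead of as a setup error. Check each step, e.g. `$SIGNER -S -Kns2 -o signed-tld2. -f ns2/signed-tld2.db ns2/tld2.db > /dev/null 2>&1 || { echo "signing signed-tld2 failed"; exit 1; }`, and the same `|| exit 1` on the two `$KEYGEN` lines. `random.data` is created here but the new rm lines in clean.sh do not remove it. The keys seeded from `-r random.data` are throwaway test material, and a one-line comment saying so would stop a later reader from treating the predictable seed as a defect to fix.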
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.10 2011/11/18 19:32:13 each Exp $
+# $Id: tests.sh,v 1.11 2012/01/07 00:19:59 each Exp $
 
 # test response policy zones (RPZ)
 
@@ -215,6 +215,10 @@ addr 57.57.57.57 a3-7.sub1.tld2 # 15 wildcard CNAME
 addr 127.0.0.16 a4-5-cname3.tld2 # 16 CNAME chain
 addr 127.0.0.17 a4-6-cname3.tld2 # 17 stop short in CNAME chain
 nxdomain c1.crash2.tld3 # 18 assert in rbtdb.c
+nochange a0-1.tld2 +norecurse
+nxdomain a0-1.tld2 +dnssec
+nxdomain a0-1.signed-tld2
+nochange a0-1.signed-tld2 +dnssec
 end_group
 
 start_group "IP rewrites" test2
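Review bot: The new `nxdomain a0-1.signed-tld2` / `nochange a0-1.signed-tld2 +dnssec` pair only exercises a name that has an answer RRset in the signed zone; the query.c guard keys on the answer's signature RRset, so a negative response from signed-tld2 (NXDOMAIN or NODATA, signed through the authority section) is not covered and its intended behaviour is left unspecified by the suite. Add a query for a name absent from signed-tld2, with and without `+dnssec`, so that outcome is pinned either way. If `nochange` only compares the reply against the unfiltered answer, it also passes when the zone was never signed at all, so a check that the `+dnssec` reply carries an RRSIG would catch a silent signing failure in setup.sh. The `nochange`/`nxdomain` helpers and the group this belongs to are defined outside the hunk.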