More changes for:
3864. [bug] RPZ didn't work well when being used as forwarder.
[RT #36060]
parent
1c961887b8
commit
c849d67fdb
3 changed files with 36 additions and 34 deletions
|
|
@ -6085,6 +6085,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|||
isc_boolean_t resuming;
|
||||
int line = -1;
|
||||
isc_boolean_t dns64_exclude, dns64;
|
||||
isc_boolean_t nxrewrite = ISC_FALSE;
|
||||
dns_clientinfomethods_t cm;
|
||||
dns_clientinfo_t ci;
|
||||
|
||||
|
|
@ -6590,29 +6591,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|||
rpz_st->p_name);
|
||||
goto cleanup;
|
||||
case DNS_RPZ_POLICY_NXDOMAIN:
|
||||
client->message->rcode = dns_rcode_nxdomain;
|
||||
/*
|
||||
* Don't fall through as it will add a SOA
|
||||
* for the black list zone which breaks
|
||||
* sanity checking of result by nameservers.
|
||||
*/
|
||||
client->message->rcode = dns_rcode_nxdomain;
|
||||
rpz_log_rewrite(client, ISC_FALSE,
|
||||
rpz_st->m.policy,
|
||||
rpz_st->m.type, zone,
|
||||
rpz_st->p_name);
|
||||
goto cleanup;
|
||||
result = DNS_R_NXDOMAIN;
|
||||
nxrewrite = ISC_TRUE;
|
||||
break;
|
||||
case DNS_RPZ_POLICY_NODATA:
|
||||
/*
|
||||
* Don't fall through as it will add a SOA
|
||||
* for the black list zone which breaks
|
||||
* sanity checking of result by nameservers.
|
||||
*/
|
||||
rpz_log_rewrite(client, ISC_FALSE,
|
||||
rpz_st->m.policy,
|
||||
rpz_st->m.type, zone,
|
||||
rpz_st->p_name);
|
||||
goto cleanup;
|
||||
result = DNS_R_NXRRSET;
|
||||
nxrewrite = ISC_TRUE;
|
||||
break;
|
||||
case DNS_RPZ_POLICY_RECORD:
|
||||
result = rpz_st->m.result;
|
||||
if (qtype == dns_rdatatype_any &&
|
||||
|
|
@ -7155,15 +7140,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|||
*/
|
||||
query_releasename(client, &fname);
|
||||
}
|
||||
|
||||
/*
|
||||
* Add SOA.
|
||||
* Add SOA if NXRRSET was not generated by RPZ rewrite
|
||||
*/
|
||||
result = query_addsoa(client, db, version, ISC_UINT32_MAX,
|
||||
dns_rdataset_isassociated(rdataset));
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
QUERY_ERROR(result);
|
||||
goto cleanup;
|
||||
if (!nxrewrite) {
|
||||
isc_boolean_t associated =
|
||||
dns_rdataset_isassociated(rdataset);
|
||||
result = query_addsoa(client, db, version,
|
||||
ISC_UINT32_MAX, associated);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
QUERY_ERROR(result);
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Add NSEC record if we found one.
|
||||
*/
|
||||
|
|
@ -7202,17 +7193,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|||
}
|
||||
|
||||
/*
|
||||
* Add SOA. If the query was for a SOA record force the
|
||||
* Add SOA if NXDOMAIN was not generated by RPZ rewrite.
|
||||
*
|
||||
* If the query was for a SOA record force the
|
||||
* ttl to zero so that it is possible for clients to find
|
||||
* the containing zone of an arbitrary name with a stub
|
||||
* resolver and not have it cached.
|
||||
*/
|
||||
if (qtype == dns_rdatatype_soa &&
|
||||
zone != NULL &&
|
||||
dns_zone_getzeronosoattl(zone))
|
||||
if (!nxrewrite && qtype == dns_rdatatype_soa &&
|
||||
zone != NULL && dns_zone_getzeronosoattl(zone))
|
||||
result = query_addsoa(client, db, version, 0,
|
||||
dns_rdataset_isassociated(rdataset));
|
||||
else
|
||||
else if (!nxrewrite)
|
||||
result = query_addsoa(client, db, version,
|
||||
ISC_UINT32_MAX,
|
||||
dns_rdataset_isassociated(rdataset));
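Review bot: In the NXDOMAIN hunk (`@ -7202`), when `nxrewrite` is true neither `query_addsoa` call runs, so `result` is not assigned here and keeps whatever the preceding code left in it — after the RPZ switch that is `DNS_R_NXDOMAIN` — and if the `if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; }` check that followed the old `else` branch is still in place just below the hunk, a policy NXDOMAIN would take the error path instead of the normal answer path. The NXRRSET hunk (`@ -7155`) avoids this by putting both the call and its check inside `if (!nxrewrite) { ... }`; mirroring that shape here, or adding `else result = ISC_R_SUCCESS;` before the check, keeps the two paths consistent. The removed comment also carried the reason the SOA is withheld — a policy zone's SOA in a rewritten answer breaks resolvers' sanity checking of the result — and `Add SOA if NXDOMAIN was not generated by RPZ rewrite.` no longer says why; keep that sentence. `query_find` begins and ends outside these hunks.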
|
||||
|
|
|
|||
|
|
@ -1282,6 +1282,7 @@ do
|
|||
done
|
||||
|
||||
echo "I: checking dns64-server and dns64-contact ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
|
|
@ -1289,6 +1290,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL less than 600 from zone ($n)"
|
||||
ret=0
|
||||
#expect 500
|
||||
$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
|
|
@ -1297,6 +1299,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL more than 600 from zone ($n)"
|
||||
ret=0
|
||||
#expect 700
|
||||
$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
|
|
@ -1305,6 +1308,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL less than minimum from zone ($n)"
|
||||
ret=0
|
||||
#expect 1100
|
||||
$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
|
|
@ -1313,6 +1317,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL limited to minimum from zone ($n)"
|
||||
ret=0
|
||||
#expect 1200
|
||||
$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
|
||||
grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
|
|
@ -1321,6 +1326,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL less than 600 via cache ($n)"
|
||||
ret=0
|
||||
#expect 500
|
||||
$DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
|
||||
grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
|
||||
|
|
@ -1329,6 +1335,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL more than 600 via cache ($n)"
|
||||
ret=0
|
||||
#expect 700
|
||||
$DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
|
||||
|
|
@ -1337,6 +1344,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL less than minimum via cache ($n)"
|
||||
ret=0
|
||||
#expect 1100
|
||||
$DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
|
||||
|
|
@ -1345,6 +1353,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking TTL limited to minimum via cache ($n)"
|
||||
ret=0
|
||||
#expect 1200
|
||||
$DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
|
||||
|
|
@ -1353,6 +1362,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
|
||||
grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
|
||||
n=`expr $n + 1`
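Review bot: In the cache-side checks (`... -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n` in the "TTL less than 600 via cache" case) the output file is named `dig.out.ns1` although the query is sent to ns2, while the following cache checks write `dig.out.ns2.test$n`. Renaming both the redirect and the matching grep target to `dig.out.ns2.test$n` keeps the artifact naming consistent and makes a failing run's output easier to locate. These hunks are fragments of a longer test sequence that starts and ends outside the view.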
|
||||
|
|
|
|||
|
|
@ -360,7 +360,7 @@ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19
|
|||
drop a3-8.tld2 any @$ns6 # 20 drop
|
||||
|
||||
end_group
|
||||
ckstats $ns3 test1 ns3 23
|
||||
ckstats $ns3 test1 ns3 22
|
||||
ckstats $ns5 test1 ns5 0
|
||||
ckstats $ns6 test1 ns6 0
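Review bot: The expected rewrite count for ns3 drops from 23 to 22 (`ckstats $ns3 test1 ns3 22`) with nothing recording which case no longer counts; since the query.c part of this commit removes the explicit `rpz_log_rewrite` calls from the NXDOMAIN and NODATA policy cases, please confirm those hits are still logged and counted on the common path rather than silently dropped, as operators rely on RPZ rewrite logging for detection. A one-line comment next to the new value, such as `# 22: one NXDOMAIN/NODATA rewrite is no longer counted separately` (worded to the actual cause), would make the number checkable the next time it changes. The enclosing test group starts outside the hunk.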
|
||||
|
||||
|
|
|
|||