qstate->ext_state[id] = module_finished;
qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
qstate->return_msg = forged_response;
+ iq->response = forged_response;
next_state(iq, FINISHED_STATE);
if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
log_err("rpz, prepend rrsets: out of memory");
qstate->ext_state[id] = module_finished;
qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
qstate->return_msg = forged_response;
+ iq->response = forged_response;
next_state(iq, FINISHED_STATE);
if(!iter_prepend(iq, qstate->return_msg, qstate->region)) {
log_err("rpz after cname, prepend rrsets: out of memory");
}
rp->rk.dname = qi->qname;
rp->rk.dname_len = qi->qname_len;
+ /* this rrset is from the rpz data, or synthesized.
+ * It is not actually from the network, so we flag it with this
+ * flags as a fake RRset. If later the cache is used to look up
+ * rrsets, then the fake ones are not returned (if you look without
+ * the flag). For like CNAME lookups from the iterator or A, AAAA
+ * lookups for nameserver targets, it would use the without flag
+ * actual data. So that the actual network data and fake data
+ * are kept track of separately. */
+ rp->rk.flags |= PACKED_RRSET_RPZ;
new_reply_info->rrsets[0] = rp;
msg->rep = new_reply_info;
return msg;
ns1.ff. IN A 8.8.6.8
ENTRY_END
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+bar. IN A
+SECTION AUTHORITY
+bar. IN NS gotham.ff.
+SECTION ADDITIONAL
+gotham.ff. IN A 192.0.5.2
+ENTRY_END
+
RANGE_END
; com. -----------------------------------------------------------------------
gotham.ff. IN A 127.0.0.1
ENTRY_END
+; again with more cache items
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.ff. IN A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.ff. IN A
+SECTION ANSWER
+gotham.ff. IN A 127.0.0.1
+ENTRY_END
+
+; query with a referral that tries to get the
+; just faked A record as nameserver glue (from cache).
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.bar. IN A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.bar. IN A
+SECTION ANSWER
+gotham.bar. IN A 127.0.0.1
+ENTRY_END
+
SCENARIO_END
* updated on encoding in a reply. This flag is not expected to be set in
* cached data. */
#define PACKED_RRSET_FIXEDTTL 0x80000000
+/** This rrset is from RPZ. It is not real, it is synthesized data to block
+ * access. The flag makes lookups, from cache in iterator, ignore the fake
+ * items and only use actual data. Eg. when the iterator looksup NS, CNAME,
+ * A and AAAA types, it then gets items without this flag that are the
+ * actual network. But messages with these records in it can be stored in
+ * the cache and retrieved for a reply. */
+#define PACKED_RRSET_RPZ 0x8
/** number of rrs and rrsets for integer overflow protection. More than
* this is not really possible (64K packet has much less RRs and RRsets) in
* o PACKED_RRSET_PARENT_SIDE
* o PACKED_RRSET_SOA_NEG
* o PACKED_RRSET_FIXEDTTL (not supposed to be cached)
+ * o PACKED_RRSET_RPZ
*/
uint32_t flags;
/** the rrset type in network format */
projects / thirdparty / unbound.git / commitdiff
