From: Miod Vallat
Date: Mon, 25 Aug 2025 07:44:22 +0000 (+0200)
Subject: Return Refused when the lua update policy declines all updates.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ccd9cd1f52937db827add81ebf3b51028e7b5ff;p=thirdparty%2Fpdns.git

Return Refused when the lua update policy declines all updates.

Fixes: #14953

Signed-off-by: Miod Vallat
---

diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 0d1e2ea8e..061b68213 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -811,9 +811,12 @@ static uint8_t updateRecords(MOADNSParser& mdp, DNSSECKeeper& dsk, DomainInfo& i
 vector nonCnamesToAdd;
 vector nsRRtoDelete;
+ bool anyRecordProcessed{false};
+ bool anyRecordAcceptedByLua{false};
 for(const auto & answer : mdp.d_answers) {
 const DNSRecord *dnsRecord = &answer;
 if (dnsRecord->d_place == DNSResourceRecord::AUTHORITY) {
+ anyRecordProcessed = true;
 /* see if it's permitted by policy */
 if (update_policy_lua != nullptr) {
 if (!update_policy_lua->updatePolicy(dnsRecord->d_name, QType(dnsRecord->d_type), info.zone.operator const DNSName&(), packet)) {
@@ -821,6 +824,7 @@ static uint8_t updateRecords(MOADNSParser& mdp, DNSSECKeeper& dsk, DomainInfo& i
 continue;
 }
 g_log<d_name << "/" << QType(dnsRecord->d_type).toString() << ": Permitted by policy"<d_class == QClass::NONE && dnsRecord->d_type == QType::NS && dnsRecord->d_name == info.zone.operator const DNSName&()) {
@@ -839,6 +843,14 @@ static uint8_t updateRecords(MOADNSParser& mdp, DNSSECKeeper& dsk, DomainInfo& i
 }
 }
 
+ if (update_policy_lua != nullptr) {
+ // If the Lua update policy script has been invoked, and has rejected
+ // everything, better return Refused.
+ if (anyRecordProcessed && !anyRecordAcceptedByLua) {
+ return RCode::Refused;
+ }
+ }
+
 for (const auto &resrec : cnamesToAdd) {
 DNSResourceRecord rec;
 info.backend->lookup(QType(QType::ANY), resrec->d_name, info.id);
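Review bot: The early `return RCode::Refused` added in the third hunk (`@@ -839`) sits after the per-record loop but before the `cnamesToAdd` pass, and nothing in the hunk says whether anything has already been written by that point; if the loop or an earlier part of updateRecords has touched the backend or opened a transaction, the caller must roll that back on Refused, and the hunk does not document that contract. A comment stating the invariant the return relies on would make this safe to maintain, e.g. `// Safe to bail out here: nothing has been written to the backend yet, accepted records are still only queued.` — and if that does not actually hold, the check should move ahead of the first write. It is also worth saying in the same comment that a mixed update (some records accepted by Lua, some refused) still applies the accepted subset and returns NOERROR, since `anyRecordAcceptedByLua` only needs one accepted record to be set. updateRecords starts and ends outside the hunks, so the surrounding transaction handling is not visible here.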
diff --git a/regression-tests.auth-py/test_GSSTSIG.py b/regression-tests.auth-py/test_GSSTSIG.py
index a8c73964c..e0a07bd18 100644
--- a/regression-tests.auth-py/test_GSSTSIG.py
+++ b/regression-tests.auth-py/test_GSSTSIG.py
@@ -138,7 +138,7 @@ lua-dnsupdate-policy-script=kerberos-client/update-policy.lua
 """
 def testDisallowedByLuaUpdate(self):
 self.kinit("testuser1")
- self.nsupdate("add inserted10.example.net 10 A 1.2.3.10", 0) # Lua deny is still a NOERROR
+ self.nsupdate("add inserted10.example.net 10 A 1.2.3.10", 2)
 self.checkNotInDB('example.net', 'inserted10.example.net')
 
 def testAllowedByLuaUpdate(self):
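Review bot: The new expected rcode `2` on the `self.nsupdate(...)` line is a bare number, and the inline comment that explained the expected outcome was dropped together with the old `0`; the intent reads better as `self.nsupdate("add inserted10.example.net 10 A 1.2.3.10", 2) # Lua deny is now REFUSED (rcode 2)`, or with a named rcode constant if the test module already has one available (not visible in this hunk). The change also leaves the partial case untested: an update where the Lua policy accepts some records and refuses others should presumably still get NOERROR under the new server logic, and a test pinning that would keep the two paths from drifting apart. The enclosing test class starts outside the hunk.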