From: W.C.A. Wijngaards Date: Thu, 8 Apr 2021 12:39:48 +0000 (+0200) Subject: - rpz-triggers, precedence fix for nsdname and nsip triggers. X-Git-Tag: release-1.14.0rc1~62^2~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=473f0cc44be9be16068b754ae48bb9a623aa7d58;p=thirdparty%2Funbound.git - rpz-triggers, precedence fix for nsdname and nsip triggers.
---
diff --git a/services/rpz.c b/services/rpz.c
index 9af652984..7c928fb21 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1966,21 +1966,25 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 lock_rw_rdlock(&az->rpz_lock);
+ /* precedencey of RPZ works, loosely, like this:
+ * CNAMEs in order of the CNAME chain. rpzs in the order they are
+ * configured. In an RPZ: first client-IP addr, then QNAME, then
+ * response IP, then NSDNAME, then NSIP. Longest match first. Smallest
+ * one from a set. */
 for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) {
 lock_rw_rdlock(&a->lock);
 r = a->rpz;
- // XXX: check rfc which action has preference
-
- raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
- if(raddr != NULL) {
+ /* the nsdname has precedence over the nsip triggers */
+ z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
+ ms->qinfo.qclass, &match);
+ if(z != NULL) {
 lock_rw_unlock(&a->lock);
 break;
 }
- z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
- ms->qinfo.qclass, &match);
- if(z != NULL) {
+ raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
+ if(raddr != NULL) {
 lock_rw_unlock(&a->lock);
 break;
 }