lib/rules: fix RPZ if it contains apex NS record

The spec even requires (at least one) NS record in apex
https://datatracker.ietf.org/doc/html/draft-vixie-dns-rpz-00#section-2
but until now the implementation took it as override for the root NS,
which obviously broke resolution (depending on the supplied name/s).

diff --git a/NEWS b/NEWS
index 716142d4c37a25628af67b92fc430c3fdace11d7..a93d2fbc6c9237deabc3c84094df2b0247002bae 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Bugfixes
 --------
 - fix listening by interface name containing dashes (#900, !1500)
 - fix kresctl http request timeout (!1505)
+- fix RPZ if it contains apex NS record (!1516)
 
 
 Knot Resolver 6.0.6 (2024-02-13)

diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index b5cc4a646f7a519b317bcc0171053436cbc6e591..d5163e2af80f54f38ca28c316a628276c65ccdc6 100644 (file)
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -200,6 +200,20 @@ static void process_record(zs_scanner_t *s)
        }
        if (knot_rrtype_is_metatype(s->r_type))
                goto unsupported_type;
+       // Especially the apex NS record in RPZ needs to be ignored.
+       // That case is clear and silent.  For non-RPZ we assume the NS is desired.
+       if (s->r_type == KNOT_RRTYPE_NS && s_data->c->is_rpz) {
+               if (s->r_owner[0] != '\0') {
+                       auto_free char *owner_text = kr_dname_text(s->r_owner);
+                       // remove the final dot to hint that the name is relative to apex
+                       owner_text[strlen(owner_text) - 1] = '\0';
+                       kr_log_warning(RULES, "skipping `%s NS` record\n", owner_text);
+               } else {
+                       kr_log_debug(RULES, "skipping apex NS\n");
+               }
+               return;
+       }
+
        if (s_data->c->is_rpz && s->r_type == KNOT_RRTYPE_CNAME) {
                cname_scan2rule(s);
                return;