From: Vladimír Čunát
Date: Mon, 25 Mar 2024 12:28:23 +0000 (+0100)
Subject: lib/rules: fix RPZ if SOA is repated, as usual in AXFR output
X-Git-Tag: v6.0.7~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27d93668305d5bdcba0391788c991515014e9f0c;p=thirdparty%2Fknot-resolver.git
lib/rules: fix RPZ if SOA is repated, as usual in AXFR output
The check for name equality didn't cover the case of repeated SOA.
---
diff --git a/NEWS b/NEWS
index 6d108713e..27c209a22 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Bugfixes
 - fix listening by interface name containing dashes (#900, !1500)
 - fix kresctl http request timeout (!1505)
 - fix RPZ if it contains apex NS record (!1516)
+- fix RPZ if SOA is repated, as usual in AXFR output (!1521)
 - fix on 32-bit systems with 64-bit time_t (!1510)
 - fix paths to knot-dns libs if exec_prefix != prefix (!1503)
diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index d5163e2af..6c260d771 100644
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -118,30 +118,33 @@ static bool owner_relativize(zs_scanner_t *s)
 	if (!d->c->is_rpz)
 		return true;
 
+	// $ORIGIN as fallback if SOA is missing
+	const knot_dname_t *apex = d->origin_soa;
+	if (!apex)
+		apex = s->zone_origin;
+
 	// SOA determines the zone apex, but lots of error/warn cases
 	if (s->r_type == KNOT_RRTYPE_SOA) {
-		if (d->seen_record && !knot_dname_is_equal(s->zone_origin, s->r_owner)) {
+		if (d->seen_record && !knot_dname_is_equal(apex, s->r_owner)) {
 			// We most likely inserted some rules wrong already, so abort.
 			kr_log_error(RULES, "SOA encountered late, with unexpected owner; aborting\n");
 			s->state = ZS_STATE_STOP;
 			return false;
 		}
-		if (!d->warned_soa && (d->seen_record || d->origin_soa)) {
+		if (!d->warned_soa && d->origin_soa) {
+			d->warned_soa = true;
+			kr_log_warning(RULES, "ignoring repeated SOA record in a RPZ\n");
+		} else if (!d->warned_soa && d->seen_record) {
 			d->warned_soa = true;
 			kr_log_warning(RULES, "SOA should come as the first record in a RPZ\n");
 		}
 		if (!d->origin_soa) // sticking with the first encountered SOA
-			d->origin_soa = knot_dname_copy(s->r_owner, d->pool);
+			apex = d->origin_soa = knot_dname_copy(s->r_owner, d->pool);
 	}
 	d->seen_record = true;
 
-	// $ORIGIN as fallback if SOA is missing
-	const knot_dname_t *apex = d->origin_soa;
-	if (!apex)
-		apex = s->zone_origin;
-
 	const int labels = knot_dname_in_bailiwick(s->r_owner, apex);
 	if (labels < 0) {
 		if (!d->warned_bailiwick) {
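Review bot: The `$ORIGIN` fallback is lost on a failed copy in the new line `apex = d->origin_soa = knot_dname_copy(s->r_owner, d->pool);` — before this change `apex` was derived after the SOA block, so a NULL from `knot_dname_copy` still fell back to `s->zone_origin`, whereas now `apex` becomes NULL and is handed straight to `knot_dname_in_bailiwick(s->r_owner, apex)` a few lines below. Keeping the two assignments separate preserves the old behaviour: `d->origin_soa = knot_dname_copy(s->r_owner, d->pool);` followed by `if (d->origin_soa) apex = d->origin_soa;`. Whether the copy can actually fail depends on the pool allocator behind `d->pool`, which is not visible here, but the removed code treated a NULL `d->origin_soa` as a case to handle. The "ignoring repeated SOA record" warning also reads as if the record were skipped, yet nothing in the hunk skips it; if the remainder of owner_relativize still relativizes and inserts it, the message should say so. The function starts and ends outside the hunk.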