From: W.C.A. Wijngaards Date: Wed, 5 Jan 2022 15:48:35 +0000 (+0100) Subject: - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip X-Git-Tag: release-1.15.0rc1~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33ef79d433885e4c69f629fe6b546343795c4bd2;p=thirdparty%2Funbound.git - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip triggered operation. --- diff --git a/doc/Changelog b/doc/Changelog index af5cfedee..23c1c05c0 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -8,6 +8,8 @@ - Fix for #596: add unit test for nsip trigger and signal unset RA. - Fix #598: Fix unbound-checkconf fatal error: module conf 'respip dns64 validator iterator' is not known to work. + - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. 4 January 2022: Wouter - Fix #596: unset the RA bit when a query is blocked by an unbound diff --git a/services/rpz.c b/services/rpz.c index a8e8b5503..322e9d139 100644 --- a/services/rpz.c +++ b/services/rpz.c @@ -2303,6 +2303,10 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env, local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, rpz_action_to_localzone_type(client_action)); + if(*r_out && (*r_out)->signal_nxdomain_ra && + LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); } ret = 1; goto done; diff --git a/testdata/rpz_signal_nxdomain_ra.rpl b/testdata/rpz_signal_nxdomain_ra.rpl index d0fbaaa5c..b89498cf9 100644 --- a/testdata/rpz_signal_nxdomain_ra.rpl +++ b/testdata/rpz_signal_nxdomain_ra.rpl @@ -3,6 +3,7 @@ server: module-config: "respip validator iterator" target-fetch-policy: "0 0 0 0 0" qname-minimisation: no + access-control: 192.0.0.0/8 allow rpz: name: "rpz.example.com." 
@@ -20,6 +21,7 @@ a.a CNAME . b.a CNAME . ns1.a.rpz-nsdname CNAME . 24.0.0.0.192.rpz-nsip CNAME . +24.0.3.0.192.rpz-client-ip CNAME . TEMPFILE_END stub-zone: @@ -99,6 +101,16 @@ SECTION ADDITIONAL ns2.a. IN A 192.0.0.5 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +f.a. IN TXT "upstream txt rr f.a." +ENTRY_END + RANGE_END RANGE_BEGIN 0 100 @@ -222,4 +234,21 @@ e.e.a. IN TXT SECTION ANSWER ENTRY_END +; clientip trigger +STEP 50 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD NXDOMAIN +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +ENTRY_END + SCENARIO_END
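Review bot: in the services/rpz.c hunk (@@ -2303,6 +2303,10 @@), the added condition reads the rcode with LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) and then clears RA in the same buffer, but nothing in the visible lines confirms that local_zones_zone_answer left a complete DNS header in buf. Consider also requiring sldns_buffer_limit(buf) >= LDNS_HEADER_SIZE in the condition, so that a path where no reply was written neither reads nor modifies stale bytes. A one-line comment above the if would help as well, saying that RA is cleared on an NXDOMAIN answer when signal_nxdomain_ra is set; at present that intent is stated only in the Changelog entry.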
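Review bot: in the testdata/rpz_signal_nxdomain_ra.rpl hunks, the added STEP 50/51 pair only queries from 192.0.3.1, which is inside the new 24.0.3.0.192.rpz-client-ip trigger, so these steps do not show that a non-matching client is left alone. Consider adding a query for f.a. TXT from an address inside the 192.0.0.0/8 access-control range but outside 192.0.3.0/24, with a CHECK_ANSWER that expects the "upstream txt rr f.a." record and the RA flag set. The "; clientip trigger" comment could also state that the missing RA flag in "REPLY QR AA RD NXDOMAIN" under MATCH all is the behaviour being tested.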