From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 5 Jan 2022 12:35:18 +0000 (+0100)
Subject: - Fix for #596: fix that rpz return message is returned and not just
X-Git-Tag: release-1.15.0rc1~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b2e96430e925245d3633ce831810e386c9c6ffd;p=thirdparty%2Funbound.git

- Fix for #596: fix that rpz return message is returned and not just
  the rcode from the iterator return path. This fixes signal unset RA
  after a CNAME.
---

diff --git a/doc/Changelog b/doc/Changelog
index 34366e7ae..4a6c1c27f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+5 January 2022: Wouter
+	- Fix for #596: fix that rpz return message is returned and not just
+	  the rcode from the iterator return path. This fixes signal unset RA
+	  after a CNAME.
+
 4 January 2022: Wouter
 	- Fix #596: unset the RA bit when a query is blocked by an unbound
 	  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 48238a231..69e7e53dd 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2534,7 +2534,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq);
 		if(forged_response != NULL) {
 			qstate->ext_state[id] = module_finished;
-			qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
+			qstate->return_rcode = LDNS_RCODE_NOERROR;
 			qstate->return_msg = forged_response;
 			iq->response = forged_response;
 			next_state(iq, FINISHED_STATE);
@@ -3103,7 +3103,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			}
 			if(forged_response != NULL) {
 				qstate->ext_state[id] = module_finished;
-				qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
+				qstate->return_rcode = LDNS_RCODE_NOERROR;
 				qstate->return_msg = forged_response;
 				iq->response = forged_response;
 				next_state(iq, FINISHED_STATE);
diff --git a/testdata/rpz_signal_nxdomain_ra.rpl b/testdata/rpz_signal_nxdomain_ra.rpl
index 90f7fea94..bab4b65a0 100644
--- a/testdata/rpz_signal_nxdomain_ra.rpl
+++ b/testdata/rpz_signal_nxdomain_ra.rpl
@@ -61,6 +61,16 @@ SECTION ANSWER
 b.a.  IN  TXT "upstream txt rr b.a."
 ENTRY_END
 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.a.  IN  TXT
+SECTION ANSWER
+c.a.  IN  CNAME b.a
+ENTRY_END
+
 RANGE_END
 
 STEP 10 QUERY
@@ -79,4 +89,21 @@ a.a.  IN TXT
 SECTION ANSWER
 ENTRY_END
 
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.a.  IN TXT
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD AA NXDOMAIN
+SECTION QUESTION
+c.a.  IN TXT
+SECTION ANSWER
+c.a.  IN  CNAME b.a
+ENTRY_END
+
 SCENARIO_END