From: Aram Sargsyan Date: Fri, 8 Aug 2025 12:08:55 +0000 (+0000) Subject: Add 'first_time' member to 'dns_rpz_zones_t' X-Git-Tag: v9.21.12~29^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88ed81e12d8a1e1c3de1f7571163610e108e2e88;p=thirdparty%2Fbind9.git Add 'first_time' member to 'dns_rpz_zones_t' During the initial configuration of named after startup, 'first_time' is true. This is needed for implementing the new 'servfail-until-ready' configuration option, which should take into effect only during the initial configuration. --- diff --git a/bin/named/server.c b/bin/named/server.c index 84fb21ec21e..c13ad71fce9 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -2137,7 +2137,7 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, static isc_result_t configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *rpz_obj, - bool *old_rpz_okp) { + bool *old_rpz_okp, bool first_time) { const cfg_obj_t *zonelist = NULL; const cfg_obj_t *sub_obj = NULL; bool recursive_only_default, add_soa_default; @@ -2172,7 +2172,7 @@ configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *rpz_obj, } nsdname_on = nsdname_enabled ? DNS_RPZ_ALL_ZBITS : 0; - result = dns_rpz_new_zones(view, &view->rpzs); + result = dns_rpz_new_zones(view, &view->rpzs, first_time); if (result != ISC_R_SUCCESS) { return result; } @@ -2296,8 +2296,17 @@ configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *rpz_obj, } if (*old_rpz_okp) { + /* Discard the newly created rpzs. */ dns_rpz_zones_shutdown(view->rpzs); dns_rpz_zones_detach(&view->rpzs); + + /* + * We are reusing the old rpzs, so it can no longer be its + * first time. + */ + pview->rpzs->first_time = false; + + /* Reuse rpzs from the old view. */ dns_rpz_zones_attach(pview->rpzs, &view->rpzs); dns_rpz_zones_detach(&pview->rpzs); } else if (old != NULL && pview != NULL) { 
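Review bot: The store `pview->rpzs->first_time = false;` in the `*old_rpz_okp` branch of `configure_rpz()` is a plain write to the rpzs object still attached to the old view, and this hunk takes no lock around it, although `struct dns_rpz_zones` carries both `search_lock` and `maint_lock`. If the flag is later read on the query path to decide whether to answer SERVFAIL (the commit message suggests this, but the diff does not show it), an unsynchronised reader could act on a stale value. The member is added in the rpz.h hunk between `maint_lock` and `shuttingdown` with no comment, so I would state the rule at the declaration, for example `bool first_time; /* true only during named's initial configuration; cleared in configure_rpz() */`, or make the field atomic if readers can run concurrently. `configure_rpz()` continues outside this hunk on both sides, so whether the caller already holds exclusive access cannot be confirmed from here.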
@@ -3754,7 +3763,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, cfg_obj_t *vconfig, named_cachelist_t *cachelist, named_cachelist_t *oldcachelist, dns_kasplist_t *kasplist, dns_keystorelist_t *keystores, const cfg_obj_t *bindkeys, - isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints) { + isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints, + bool first_time) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; const cfg_obj_t *optionmaps[3]; @@ -3859,7 +3869,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, if (view->rdclass == dns_rdataclass_in && need_hints && named_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { - CHECK(configure_rpz(view, NULL, obj, &old_rpz_ok)); + CHECK(configure_rpz(view, NULL, obj, &old_rpz_ok, first_time)); rpz_configured = true; } @@ -5731,7 +5741,8 @@ cleanup: * done previously in the "correct" order. */ result2 = configure_rpz(pview, view, obj, - &old_rpz_ok); + &old_rpz_ok, + first_time); if (result2 != ISC_R_SUCCESS) { isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, @@ -8631,11 +8642,11 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, goto cleanup_cachelist; } - result = configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->cachelist, - &server->kasplist, - &server->keystorelist, bindkeys, - isc_g_mctx, named_g_aclconfctx, true); + result = configure_view( + view, &viewlist, config, vconfig, &cachelist, + &server->cachelist, &server->kasplist, + &server->keystorelist, bindkeys, isc_g_mctx, + named_g_aclconfctx, true, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; 
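Review bot: `configure_view()` now ends in two adjacent `bool` parameters, `need_hints` and `first_time`, so the call sites in the `apply_configuration()` hunks (`@@ -8631`, `@@ -8654`, `@@ -8682`) read `named_g_aclconfctx, true, first_time`, and a transposed pair would still compile. Because `first_time` ends up in the response-policy state, a silent swap would change when the startup-only behaviour applies; labelling the literal at each call, `true /* need_hints */, first_time`, keeps the two apart. The new parameter is also undocumented; a one-line comment on `configure_view()` saying that `first_time` is true only while the initial configuration is applied would match the commit message. The function body lies outside this hunk.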
@@ -8654,11 +8665,11 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, if (result != ISC_R_SUCCESS) { goto cleanup_cachelist; } - result = configure_view(view, &viewlist, config, NULL, - &cachelist, &server->cachelist, - &server->kasplist, - &server->keystorelist, bindkeys, - isc_g_mctx, named_g_aclconfctx, true); + result = configure_view( + view, &viewlist, config, NULL, &cachelist, + &server->cachelist, &server->kasplist, + &server->keystorelist, bindkeys, isc_g_mctx, + named_g_aclconfctx, true, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; @@ -8682,11 +8693,11 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, goto cleanup_cachelist; } - result = configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->cachelist, - &server->kasplist, - &server->keystorelist, bindkeys, - isc_g_mctx, named_g_aclconfctx, false); + result = configure_view( + view, &viewlist, config, vconfig, &cachelist, + &server->cachelist, &server->kasplist, + &server->keystorelist, bindkeys, isc_g_mctx, + named_g_aclconfctx, false, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h index 32d3b9c43df..fa85ec568e3 100644 --- a/lib/dns/include/dns/rpz.h +++ b/lib/dns/include/dns/rpz.h @@ -259,6 +259,7 @@ struct dns_rpz_zones { isc_rwlock_t search_lock; isc_mutex_t maint_lock; + bool first_time; bool shuttingdown; dns_rpz_cidr_node_t *cidr; @@ -375,7 +376,7 @@ dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, dns_name_t *selfname); isc_result_t -dns_rpz_new_zones(dns_view_t *view, dns_rpz_zones_t **rpzsp); +dns_rpz_new_zones(dns_view_t *view, dns_rpz_zones_t **rpzsp, bool first_time); isc_result_t dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp); diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c index 3333478e20a..414a2fdec4a 100644 --- a/lib/dns/rpz.c 
+++ b/lib/dns/rpz.c @@ -1451,7 +1451,7 @@ add_name(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, * Get ready for a new set of policy zones for a view. */ isc_result_t -dns_rpz_new_zones(dns_view_t *view, dns_rpz_zones_t **rpzsp) { +dns_rpz_new_zones(dns_view_t *view, dns_rpz_zones_t **rpzsp, bool first_time) { dns_rpz_zones_t *rpzs = NULL; isc_mem_t *mctx = NULL; @@ -1463,6 +1463,7 @@ dns_rpz_new_zones(dns_view_t *view, dns_rpz_zones_t **rpzsp) { rpzs = isc_mem_get(mctx, sizeof(*rpzs)); *rpzs = (dns_rpz_zones_t){ .magic = DNS_RPZ_ZONES_MAGIC, + .first_time = first_time, }; isc_rwlock_init(&rpzs->search_lock);
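Review bot: The comment above `dns_rpz_new_zones()` still reads only "Get ready for a new set of policy zones for a view.", and neither it nor the prototype in rpz.h says what the new `first_time` argument means or that it is copied into `rpzs->first_time`. I would add a line to that comment such as `* 'first_time' is true only while named applies its initial configuration after startup; it is stored in the new rpzs.` The function body continues past the end of the last hunk.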