From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Thu, 25 Feb 2021 15:54:32 +0000 (+0100)
Subject: - Fix to allow rpz with wildcard that applies to all TLDs at once.
X-Git-Tag: release-1.13.2rc1~252
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a06d761f74e1f596ca77fca80861a5e043312fa5;p=thirdparty%2Funbound.git

- Fix to allow rpz with wildcard that applies to all TLDs at once.
---

diff --git a/doc/Changelog b/doc/Changelog
index 7eb067740..888cd5750 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 	- Merge PR #367 : DNSTAP log local address.  With code from PR #365
 	  and fixes #368 : dnstap does not log the DNS message ID for
 	  FORWARDER_QUERY.
+	- Fix to allow rpz with wildcard that applies to all TLDs at once.
 
 24 February 2021: George
 	- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
diff --git a/services/rpz.c b/services/rpz.c
index 40b8efe48..0c79a0620 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -716,7 +716,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass,
 	 * zone match, append '*' to that and do another lookup. */
 
 	ce = dname_get_shared_topdomain(z->name, qname);
-	if(!ce /* should not happen */ || !*ce /* root */) {
+	if(!ce /* should not happen */) {
 		lock_rw_unlock(&z->lock);
 		if(zones_keep_lock) {
 			lock_rw_unlock(&r->local_zones->lock);
diff --git a/testdata/rpz_rootwc.rpl b/testdata/rpz_rootwc.rpl
new file mode 100644
index 000000000..1fb94a143
--- /dev/null
+++ b/testdata/rpz_rootwc.rpl
@@ -0,0 +1,162 @@
+; config options
+server:
+	module-config: "respip validator iterator"
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: no
+
+rpz:
+	name: "rpz.example.com."
+	zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz	3600	IN	SOA	ns1.rpz.example.com. hostmaster.rpz.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz.example.com.
+	3600	IN	NS	ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+a	CNAME 	.
+a	CNAME 	*. ; duplicate CNAME here on purpose
+*.a	TXT	"wildcard local data"
+*	CNAME	.
+b.a	CNAME 	*.
+c.a	CNAME	rpz-passthru.
+TEMPFILE_END
+
+rpz:
+	name: "rpz2.example.com."
+	zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2	3600	IN	SOA	ns1.rpz.example.com. hostmaster.rpz.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz.example.com.
+	3600	IN	NS	ns2.rpz.example.com.
+$ORIGIN rpz2.example.com.
+a	TXT	"local data 2nd zone"
+d	TXT	"local data 2nd zone"
+e	CNAME	*.a.example.
+*.e	CNAME	*.b.example.
+drop	CNAME	rpz-drop.
+TEMPFILE_END
+
+stub-zone:
+	name: "a."
+	stub-addr: 10.20.30.40
+stub-zone:
+	name: "example."
+	stub-addr: 10.20.30.50
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ QNAME trigger for root wildcard.
+
+; a.
+RANGE_BEGIN 0 100
+	ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a. IN NS
+SECTION ANSWER
+a. IN NS ns.a.
+SECTION ADDITIONAL
+ns.a IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.a. IN TXT
+SECTION ANSWER
+c.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.b.a. IN TXT
+SECTION ANSWER
+x.b.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+RANGE_END
+
+; example.
+RANGE_BEGIN 0 100
+	ADDRESS 10.20.30.50
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example. IN NS
+SECTION ANSWER
+example. IN NS ns.example.
+SECTION ADDITIONAL
+ns.example IN A 10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+e.a.example. IN TXT
+SECTION ANSWER
+e.a.example. IN TXT "e.a.example. answer from upstream ns"
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+something.e.b.example. IN TXT
+SECTION ANSWER
+something.e.b.example. IN TXT "*.b.example. answer from upstream ns"
+ENTRY_END
+
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+x.	IN	TXT
+ENTRY_END
+
+; wildcard deny all
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+x.	IN	TXT
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+y.tld.	IN	TXT
+ENTRY_END
+
+; wildcard deny all
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+y.tld.	IN	TXT
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END