From: Mark Andrews Date: Thu, 31 Jul 2014 00:51:48 +0000 (+1000) Subject: 3904. [func] Add the RPZ SOA to the additional section. [RT36507] X-Git-Tag: v9.8.8b2~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2dbb1774e40a0893691167f2117b50c141854ed;p=thirdparty%2Fbind9.git 3904. [func] Add the RPZ SOA to the additional section. [RT36507] (cherry picked from commit 3a55d4352767acb4e0572aabfa917610001f5c9c) --- diff --git a/CHANGES b/CHANGES index 30ced16e1fe..059f61e453e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3904. [func] Add the RPZ SOA to the additional section. [RT36507] + 3903. [bug] Improve the accuracy of DiG's reported round trip time. [RT 36611] diff --git a/bin/named/query.c b/bin/named/query.c index e6ed8961748..2e480c53f04 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -2477,11 +2477,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, if (result == ISC_R_SUCCESS) { /* * We've already got an RRset of the given name and type. - * There's nothing else to do; */ CTRACE("query_addrrset: dns_message_findname succeeded: done"); if (dbuf != NULL) query_releasename(client, namep); + if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) + mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED; return; } else if (result == DNS_R_NXDOMAIN) { /* @@ -2521,7 +2522,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep, static inline isc_result_t query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, - unsigned int override_ttl, isc_boolean_t isassociated) + unsigned int override_ttl, isc_boolean_t isassociated, + dns_section_t section) { dns_name_t *name; dns_dbnode_t *node; @@ -2624,8 +2626,11 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version, sigrdatasetp = &sigrdataset; else sigrdatasetp = NULL; + + if (section == DNS_SECTION_ADDITIONAL) + rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL, - DNS_SECTION_AUTHORITY); + section); } cleanup: @@ -5055,7 +5060,7 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) { ISC_LIST_PREPEND(msg->sections[section], name, link); ISC_LIST_UNLINK(name->list, rdataset, link); ISC_LIST_PREPEND(name->list, rdataset, link); - rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE; + rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; } } @@ -5393,6 +5398,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) int line = -1; isc_boolean_t dns64_exclude, dns64; isc_boolean_t nxrewrite = ISC_FALSE; + isc_boolean_t associated; + dns_section_t section; + dns_ttl_t ttl; CTRACE("query_find"); @@ -6285,17 +6293,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } /* - * Add SOA if NXRRSET was not generated by RPZ rewrite + * Add SOA to the additional section if generated by a RPZ + * rewrite. */ - if (!nxrewrite) { - isc_boolean_t associated = - dns_rdataset_isassociated(rdataset); - result = query_addsoa(client, db, version, - ISC_UINT32_MAX, associated); - if (result != ISC_R_SUCCESS) { - QUERY_ERROR(result); - goto cleanup; - } + associated = dns_rdataset_isassociated(rdataset); + section = nxrewrite ? DNS_SECTION_ADDITIONAL : + DNS_SECTION_AUTHORITY; + + result = query_addsoa(client, db, version, ISC_UINT32_MAX, + associated, section); + if (result != ISC_R_SUCCESS) { + QUERY_ERROR(result); + goto cleanup; } /* @@ -6332,21 +6341,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) } /* - * Add SOA if NXDOMAIN was not generated by RPZ rewrite. + * Add SOA to the additional section if generated by a + * RPZ rewrite. * * If the query was for a SOA record force the * ttl to zero so that it is possible for clients to find * the containing zone of an arbitrary name with a stub * resolver and not have it cached. */ + associated = dns_rdataset_isassociated(rdataset); + section = nxrewrite ? DNS_SECTION_ADDITIONAL : + DNS_SECTION_AUTHORITY; + ttl = ISC_UINT32_MAX; if (!nxrewrite && qtype == dns_rdatatype_soa && zone != NULL && dns_zone_getzeronosoattl(zone)) - result = query_addsoa(client, db, version, 0, - dns_rdataset_isassociated(rdataset)); - else if (!nxrewrite) - result = query_addsoa(client, db, version, - ISC_UINT32_MAX, - dns_rdataset_isassociated(rdataset)); + ttl = 0; + result = query_addsoa(client, db, version, ttl, associated, + section); if (result != ISC_R_SUCCESS) { QUERY_ERROR(result); goto cleanup; @@ -7010,7 +7021,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * Add a fake SOA record. */ (void)query_addsoa(client, db, version, - 600, ISC_FALSE); + 600, ISC_FALSE, + DNS_SECTION_AUTHORITY); goto cleanup; } #endif diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h index 3be40d29267..4dce69363cf 100644 --- a/lib/dns/include/dns/rdataset.h +++ b/lib/dns/include/dns/rdataset.h @@ -199,7 +199,8 @@ struct dns_rdataset { #define DNS_RDATASETATTR_NXDOMAIN 0x00002000 #define DNS_RDATASETATTR_NOQNAME 0x00004000 #define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /*%< Used by resolver. */ -#define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000 +#define DNS_RDATASETATTR_REQUIRED 0x00010000 +#define DNS_RDATASETATTR_REQUIREDGLUE DNS_RDATASETATTR_REQUIRED #define DNS_RDATASETATTR_LOADORDER 0x00020000 #define DNS_RDATASETATTR_RESIGN 0x00040000 #define DNS_RDATASETATTR_CLOSEST 0x00080000 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index acbad5963a9..1d487aa0076 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -5670,7 +5670,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, "unrelated %s %s in " "%s authority section", tbuf, qbuf, nbuf); - return (DNS_R_FORMERR); + goto nextname; } if (type == dns_rdatatype_ns) { /* @@ -5733,6 +5733,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, } } } + nextname: result = dns_message_nextname(message, section); if (result == ISC_R_NOMORE) break;