From: Tony Finch
Date: Wed, 14 Dec 2022 15:47:03 +0000 (+0000)
Subject: A couple of RPZ options were not reconfigured as expected
X-Git-Tag: v9.19.9~73^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8a3d328db1fb530b6f29c03291e80252251a2e1;p=thirdparty%2Fbind9.git
A couple of RPZ options were not reconfigured as expected
[bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured. [GL #3740]
---
diff --git a/CHANGES b/CHANGES
index 14be04987be..869b930e99e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6050. [bug] Changes to the RPZ response-policy min-update-interval
+ and add-soa options now take effect as expected when
+ named is reconfigured. [GL #3740]
+
 6049. [bug] Exclude ABD hashtables from the ADB memory overmem checks and don't clean ADB names and ADB entries used in the last 10 seconds
diff --git a/bin/named/server.c b/bin/named/server.c
index 09eb53e2ed2..d6f5ed771b4 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2309,6 +2309,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 } else {
 zone->max_policy_ttl = ttl_default;
 }
+ if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) {
+ *old_rpz_okp = false;
+ }
 obj = cfg_tuple_get(rpz_obj, "min-update-interval");
 if (cfg_obj_isduration(obj)) {
@@ -2316,8 +2319,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 } else {
 zone->min_update_interval = minupdateinterval_default;
 }
-
- if (*old_rpz_okp && zone->max_policy_ttl != old->max_policy_ttl) {
+ if (*old_rpz_okp &&
+ zone->min_update_interval != old->min_update_interval)
+ {
 *old_rpz_okp = false;
 }
@@ -2432,6 +2436,9 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
 } else {
 zone->addsoa = cfg_obj_asboolean(obj);
 }
+ if (*old_rpz_okp && zone->addsoa != old->addsoa) {
+ *old_rpz_okp = false;
+ }
 return (ISC_R_SUCCESS);
 }
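Review bot: The reuse test in configure_rpz_zone is a hand-written `if (*old_rpz_okp && zone->X != old->X)` after each option, and nothing in the new code states that every configurable field needs one, which appears to be how min-update-interval and add-soa were missed; this applies equally to the checks added in the second and third server.c hunks. RPZ is a policy control, so an option that silently fails to take effect on reconfigure leaves the resolver enforcing something other than what the operator wrote. I would add a comment at the first check, e.g. `/* Every option stored in *zone must be compared with *old here; an option without a check does not take effect on 'rndc reconfig'. */`. The function body begins outside these hunks, so whether the remaining fields are all covered cannot be confirmed from here.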
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 36796dfccb7..1cfafbe813c 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -933,6 +933,17 @@ EOF
 grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null || setret "failed"
 fi
+ if [ native = "$mode" ]; then
+ t=`expr $t + 1`
+ echo_i "reconfiguring server with 'add-soa no' (${t})"
+ cp ns3/named.conf ns3/named.conf.tmp
+ sed -e "s/add-soa yes/add-soa no/g" < ns3/named.conf.tmp > ns3/named.conf
+ rndc_reconfig ns3 $ns3
+ echo_i "checking that 'add-soa no' at response-policy level works (${t})"
+ $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t}
+ grep "^manual-update-rpz\..*SOA" dig.out.${t} > /dev/null && setret "failed"
+ fi
+
 if [ native = "$mode" ]; then
 t=`expr $t + 1`
 echo_i "checking that 'add-soa unset' works (${t})"
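Review bot: The new 'add-soa no' check passes when dig gets no response at all, because with `+noall +add` an unanswered query and a correctly suppressed SOA both leave nothing for `grep ... && setret "failed"` to match. A server that stopped answering after the reconfigure would therefore be reported as success. Recording dig's exit status would close that gap: `$DIG walled.tld2 -p ${PORT} +noall +add @$ns3 > dig.out.${t} || setret "failed"`. The hunk also leaves ns3/named.conf.tmp in place; whether the suite's cleanup removes it is not visible here.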