ensure RPZ lookups handle CD=1 correctly
authorEvan Hunt <each@isc.org>
Tue, 18 Oct 2022 20:48:52 +0000 (13:48 -0700)
committerEvan Hunt <each@isc.org>
Wed, 19 Oct 2022 20:12:31 +0000 (13:12 -0700)
RPZ rewrites called dns_db_findext() without passing through the
client database options; as a result, if the client set CD=1,
DNS_DBFIND_PENDINGOK was not used as it should have been, and
cache lookups failed, resulting in failure of the rewrite.

(cherry picked from commit 305a50dbe12a43b0ee429c2e9bee04f35a8047c4)

lib/ns/query.c

index 21ad1a34ce9cde2a3aac154e9cff25fb82302a19..35c3974d88417a34555f8a77f001f9cf91b004ce 100644 (file)
@@ -3645,7 +3645,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
        struct in_addr ina;
        struct in6_addr in6a;
        isc_result_t result;
-       unsigned int options = DNS_DBFIND_GLUEOK;
+       unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
        bool done = false;
 
        CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
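Review bot: The reason `client->query.dboptions` is now folded into `options` lives only in the commit message; at the initializer on the new side nothing tells a reader that these bits carry DNS_DBFIND_PENDINGOK when the client set CD=1, which is what makes the cache lookup succeed. A one-line comment above the initializer would keep that rationale with the code, e.g. `/* inherit the client's dboptions (e.g. PENDINGOK for CD=1) so cache lookups match the original query */`. The same expression `client->query.dboptions | DNS_DBFIND_GLUEOK` is repeated in the second, third and fourth hunks; hoisting it into a local such as `unsigned int glueopts = client->query.dboptions | DNS_DBFIND_GLUEOK;` in each function would make the intent (toggle GLUEOK, keep the client's options) visible at a glance. The body of rpz_rewrite_ip_rrset continues outside this hunk.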
@@ -3706,8 +3706,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
                 * otherwise we are done.
                 */
                if (result == DNS_R_GLUE) {
-                       options = 0;
+                       options = client->query.dboptions;
                } else {
+                       options = client->query.dboptions | DNS_DBFIND_GLUEOK;
                        done = true;
                }
 
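Review bot: The new assignment in the else branch, `options = client->query.dboptions | DNS_DBFIND_GLUEOK;`, is immediately followed by `done = true;`; if the enclosing loop exits once `done` is set, as the name suggests, that store is never read. The loop header and the rest of the body are outside this hunk, so this is inferred; if the value is read after the loop, a short comment saying so would prevent the next reader from removing it, and if it is not, the line can be dropped so the else branch differs from the glue branch only in `done`.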
@@ -4267,7 +4268,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 
        dns_fixedname_init(&nsnamef);
        dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
-       options = DNS_DBFIND_GLUEOK;
+       options = client->query.dboptions | DNS_DBFIND_GLUEOK;
        while (st->r.label > st->popt.min_ns_labels) {
                bool was_glue = false;
                /*
@@ -4393,9 +4394,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
                 * glue responses, otherwise setup for the next name.
                 */
                if (was_glue) {
-                       options = 0;
+                       options = client->query.dboptions;
                } else {
-                       options = DNS_DBFIND_GLUEOK;
+                       options = client->query.dboptions | DNS_DBFIND_GLUEOK;
                        st->r.label--;
                }