# remove those files first, then decide whether to remove the others.
rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db ns2/bl.tld2.db
-rm -f ns3/bl*.db ns*/empty.db
+rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
rm -f ns3/manual-update-rpz.db
-rm -f ns5/example.db ns5/bl.db
+rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
minimal-responses no;
recursion yes;
dnssec-validation yes;
+ min-refresh-time 1;
+ min-retry-time 1;
response-policy {
+ zone "fast-expire";
zone "bl" max-policy-ttl 100;
zone "bl-2";
zone "bl-given" policy given recursive-only yes;
file "manual-update-rpz.db";
notify no;
};
+
+zone "fast-expire." {
+ type secondary;
+ file "fast-expire.db";
+ masters { 10.53.0.5; };
+ notify no;
+};
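Review bot: The new ns3 zone mixes the two naming generations, `type secondary` next to `masters { 10.53.0.5; }`, and the matching primary in ns5/expire.conf.in (the next hunk) is declared as `type master`. Since this file already uses `secondary`, the consistent spelling on the ns5 side is `type primary;`, and a comment above the ns3 zone explaining its role would help: `// RPZ zone with a 5s SOA expire; tests.sh removes it from ns5 so the refresh fails and the zone expires`.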
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "fast-expire." {
+ type master;
+ file "fast-expire.db";
+ allow-transfer { any; };
+ notify no;
+};
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA fast-expire. hostmaster (
+ 1 3 1 5 60
+ )
+ NS ns.tld3.
+
+expired.fast-expire. A 10.0.0.10
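Review bot: The SOA timers `1 3 1 5 60` (refresh 3s, retry 1s, expire 5s) are the entire mechanism of this test, and they only take effect because ns3/named.conf.in sets `min-refresh-time 1` and `min-retry-time 1`, yet nothing in this file says so; someone later tuning either file has no way to see that the two are coupled. Add a comment above the SOA: `; refresh 3 / retry 1 / expire 5: deliberately tiny so the zone expires during the test; honoured only because ns3 sets min-refresh-time and min-retry-time to 1`.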
allow-update { any; };
allow-transfer { any; };
};
+
+include "expire.conf";
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
# $1=directory
# $2=domain name
# $3=input zone file
done
fi
+ # reconfigure the ns5 master server without the fast-exire zone, so
+ # it can't be refreshed on ns3, and will expire in 5 seconds.
+ cat /dev/null > ns5/expire.conf
+ rndc_reconfig ns5 10.53.0.5
+
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
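Review bot: `fast-exire` in the new comment should read `fast-expire`. The comment's claim that the zone "will expire in 5 seconds" is also slightly misleading: as far as I recall BIND's refresh logic, the expire timer counts from ns3's last successful refresh, not from this reconfig, so the wording `# once ns5 stops serving it, ns3 can no longer refresh fast-expire and the zone expires 5s after its last successful refresh (see ns5/fast-expire.db.in SOA)` is more accurate for whoever debugs a timing failure later. The reconfig helper and the surrounding block continue outside the hunk.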
echo_i "checking rpz with delegation fails correctly (${t})"
$DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t
grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
+
+ t=`expr $t + 1`
+ echo_i "checking policies from expired zone are no longer in effect ($t)"
+ $DIG -p ${PORT} @$ns3 a expired > dig.out.$t
+ grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
+ grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
fi
# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 senarios.
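Review bot: Nothing in this hunk waits for the zone to expire before `$DIG -p ${PORT} @$ns3 a expired`; the check relies on the lines between the ns5 reconfig and this point (outside the hunk) taking at least the 5-second SOA expire, which makes the two `setret "failed"` checks timing-dependent and likely to fail intermittently on a fast machine. Polling the named.run message, which the hunk already greps unconditionally on the last added line, before issuing the query makes it deterministic: `for i in 1 2 3 4 5 6 7 8 9 10; do grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null && break; sleep 1; done`, followed by the existing dig and greps. A short comment such as `# wait for the expiry to be logged, then confirm the RPZ data is no longer applied` would make the intent clear.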
static void
zone_expire(dns_zone_t *zone) {
+ dns_db_t *db = NULL;
+
/*
* 'zone' locked by caller.
*/
zone->refresh = DNS_ZONE_DEFAULTREFRESH;
zone->retry = DNS_ZONE_DEFAULTRETRY;
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+ /*
+ * An RPZ zone has expired; before unloading it, we must
+ * first remove it from the RPZ summary database. The
+ * easiest way to do this is "update" it with an empty
+ * database so that the update callback synchonizes
+ * the diff automatically.
+ */
+ if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
+ isc_result_t result;
+ dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
+
+ CHECK(dns_db_create(zone->mctx, "rbt", &zone->origin,
+ dns_dbtype_zone, zone->rdclass,
+ 0, NULL, &db));
+ CHECK(dns_rpz_dbupdate_callback(db, rpz));
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "response-policy zone expired; "
+ "policies unloaded");
+ }
+
+ failure:
+ if (db != NULL) {
+ dns_db_detach(&db);
+ }
+
zone_unload(zone);
}
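Review bot: When `dns_db_create` or `dns_rpz_dbupdate_callback` fails, `CHECK` jumps to `failure:` and `zone_unload()` runs with the stale policies still present in the RPZ summary database, and nothing records that this happened; `result` is declared inside the `if` block, so it is not even visible at the label. Since the whole point of this change is that an expired zone's policies stop being applied, that silent path deserves an error log so operators can see the summary database is out of sync (assuming `CHECK` follows the file's usual assign-to-`result`-and-goto pattern; the macro is defined outside the hunk). Moving the declaration to function scope and checking it at the label does this, as sketched below. Also `synchonizes` in the new comment should read `synchronizes`.
```c
static void
zone_expire(dns_zone_t *zone) {
	isc_result_t result = ISC_R_SUCCESS;
	dns_db_t *db = NULL;

	/* … unchanged: timer reset and RPZ summary update; the inner
	 * "isc_result_t result;" declaration is dropped … */

failure:
	if (result != ISC_R_SUCCESS) {
		/* Policies may still be in the RPZ summary database. */
		dns_zone_log(zone, ISC_LOG_ERROR,
			     "failed to unload response-policy zone: %s",
			     isc_result_totext(result));
	}
	/* … unchanged: db detach and zone_unload … */
```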