+4186. [bug] Fixed an RPZ bug where a QNAME would be matched
+ against a policy RR with wildcard owner name
+ (trigger) where the QNAME was the wildcard owner
+ name's parent. For example, the bug caused a query
+ with QNAME "example.com" to match a policy RR with
+ "*.example.com" as trigger. [RT #40357]
+
+4185. [bug] Fixed an RPZ bug where a policy RR with wildcard
+ owner name (trigger) would prevent another policy RR
+ with its parent owner name from being
+ loaded. For example, the bug caused a policy RR
+ with trigger "example.com" to not have any
+ effect when a previous policy RR with trigger
+ "*.example.com" existed in that RPZ zone.
+ [RT #40357]
+
4183. [cleanup] Use timing-safe memory comparisons in cryptographic
code. Also, the timing-safe comparison functions have
been renamed to avoid possible confusion with
rpzs = client->view->rpzs;
/*
- * If there is only one eligible policy zone, just check it.
- * If more than one, then use the summary database to find
- * the bit mask of policy zones with policies for this trigger name.
- * x&(~x+1) is the least significant bit set in x
+ * Use the summary database to find the bit mask of policy zones
+ * with policies for this trigger name. We do this even if there
+ * is only one eligible policy zone so that wildcard triggers
+ * are matched correctly, and not into their parent.
*/
- if (zbits != (zbits & (~zbits + 1))) {
- zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
- if (zbits == 0)
- return (ISC_R_SUCCESS);
- }
+ zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name);
+ if (zbits == 0)
+ return (ISC_R_SUCCESS);
dns_fixedname_init(&p_namef);
p_name = dns_fixedname_name(&p_namef);
type master;
file "does-not-exist";
};
+
+zone "test1.example.net" {
+ type master;
+ file "test1.example.net.db";
+};
+
+zone "test2.example.net" {
+ type master;
+ file "test2.example.net.db";
+};
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@ NS ns.example.
+ns.example. A 10.53.0.1
+test1.example.net. A 1.2.3.4
+www.test1.example.net. A 5.6.7.8
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 3600
+@ IN SOA root.example. example. 1 3600 3600 3600 3600
+@ NS ns.example.
+ns.example. A 10.53.0.1
+test2.example.net. A 8.7.6.5
+www.test2.example.net. A 4.3.2.1
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
+test1.example.net CNAME .
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test2.example.net CNAME .
+test2.example.net CNAME .
--- /dev/null
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+ NS ns
+ns A 127.0.0.1
+*.test1.example.net CNAME .
--- /dev/null
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard1" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard1" { type master; file "db.wildcard1"; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard2a" policy NXDOMAIN;
+ zone "wildcard2b" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard2a" { type master; file "db.wildcard2a"; };
+ zone "wildcard2b" { type master; file "db.wildcard2b"; };
+};
--- /dev/null
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ # policy configuration to be tested
+ response-policy {
+ zone "wildcard3" policy NXDOMAIN;
+ };
+
+ # policy zones to be tested
+ zone "wildcard3" { type master; file "db.wildcard3"; };
+};
status=1
}
+# Check wildcard behavior
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone (${t})"
+run_server wildcard1
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 2 RPZ zones (${t})"
+run_server wildcard2
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
+t=`expr $t + 1`
+echo "I:testing wildcard behavior with 1 RPZ zone and no non-wildcard triggers (${t})"
+run_server wildcard3
+$DIG $DIGOPTS www.test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.1
+grep "status: NXDOMAIN" dig.out.${t}.1 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+$DIG $DIGOPTS test1.example.net a @10.53.0.2 -p 5300 > dig.out.${t}.2
+grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
+ echo "I:test ${t} failed"
+ status=1
+}
+
exit $status
loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
isc_boolean_t hasnsec)
{
- isc_result_t noderesult, nsecresult, tmpresult;
+ isc_result_t noderesult, rpzresult, nsecresult, tmpresult;
dns_rbtnode_t *nsecnode = NULL, *node = NULL;
noderesult = dns_rbt_addnode(rbtdb->tree, name, &node);
- if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) {
- noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
- name);
- if (noderesult == ISC_R_SUCCESS) {
+ if (rbtdb->rpzs != NULL &&
+ (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)) {
+ rpzresult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
+ name);
+ if (rpzresult == ISC_R_SUCCESS) {
node->rpz = 1;
- } else {
+ } else if (noderesult != ISC_R_EXISTS) {
/*
* Remove the node we just added above.
*/
isc_result_t result;
/*
- * No need for a summary database of names with only 1 policy zone.
+ * We need a summary database of names even with 1 policy zone,
+ * because wildcard triggers are handled differently.
*/
- if (rpzs->p.num_zones <= 1) {
- adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
- return (ISC_R_SUCCESS);
- }
dns_fixedname_init(&trig_namef);
trig_name = dns_fixedname_name(&trig_namef);
isc_result_t result;
/*
- * No need for a summary database of names with only 1 policy zone.
+ * We need a summary database of names even with 1 policy zone,
+ * because wildcard triggers are handled differently.
*/
- if (rpzs->p.num_zones <= 1) {
- adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
- return;
- }
dns_fixedname_init(&trig_namef);
trig_name = dns_fixedname_name(&trig_namef);
projects / thirdparty / bind9.git / commitdiff
