3897. [bug] RPZ summary information was not properly being updated

                        after a AXFR resulting in changes sometimes being
                        ignored.  [RT #35885]

(cherry picked from commit ac5ed748602c890d596bed07b0b23b8b5f42b2f6)

diff --git a/CHANGES b/CHANGES
index 32aefce60d9aa07e7cb1ede0d5ba2a0f5a95ad0e..e8633e568fa1e38da873468d6b3c9a032d5e3eca 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3897.  [bug]           RPZ summary information was not properly being updated
+                       after a AXFR resulting in changes sometimes being
+                       ignored.  [RT #35885]
+
 3896.  [bug]           Address performance issues with DSCP code on some
                        platforms. [RT #36534]
 

diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
index 51f1d033ee46cf65e03fd250de58aa9bdaf764c1..a89046e5fe0c1efadaa929e172135649ca773d16 100644 (file)
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -20,3 +20,4 @@ rm -f ns3/bl*.db ns*/*switch ns*/empty.db ns*/empty.db.jnl
 rm -f ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
 rm -f */named.memstats */named.run */named.stats */session.key
 rm -f */*.jnl */*.core */*.pid
+rm -f */policy2.db

diff --git a/bin/tests/system/rpz/ns5/empty.db.in b/bin/tests/system/rpz/ns5/empty.db.in
index 0d58df82b860b6508c5fc9ab9db025a359da7810..367f903aecad7c664c982b3a9a8d5e47e19050b7 100644 (file)
--- a/bin/tests/system/rpz/ns5/empty.db.in
+++ b/bin/tests/system/rpz/ns5/empty.db.in
@@ -14,11 +14,4 @@
 
 $TTL   120
 @      SOA     .  hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 )
-       NS      ns
-       NS      ns1
-       NS      ns2
-       NS      ns3
-ns     A       10.53.0.5
-ns1    A       10.53.0.5
-ns2    A       10.53.0.6
-ns3    A       10.53.0.6
+       NS      .

diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf
index 77c49f2e975f3a15bb465448ad55e25f7afdbb4f..17fc6d41693ec57602bee47164e0127c9037bc81 100644 (file)
--- a/bin/tests/system/rpz/ns5/named.conf
+++ b/bin/tests/system/rpz/ns5/named.conf
@@ -83,3 +83,10 @@ zone "policy1" {
        allow-update { any; };
        allow-transfer { any; };
 };
+
+zone "policy2" {
+       type master;
+       file "policy2.db";
+       allow-update { any; };
+       allow-transfer { any; };
+};

diff --git a/bin/tests/system/rpz/ns7/hints b/bin/tests/system/rpz/ns7/hints
new file mode 100644 (file)
index 0000000..1e6b4ce
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/hints
@@ -0,0 +1,19 @@
+; Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+.      120     NS      ns.
+ns.    120     A       10.53.0.1

diff --git a/bin/tests/system/rpz/ns7/named.conf b/bin/tests/system/rpz/ns7/named.conf
new file mode 100644 (file)
index 0000000..d525b0e
--- /dev/null
+++ b/bin/tests/system/rpz/ns7/named.conf
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+options {
+       query-source address 10.53.0.7;
+       notify-source 10.53.0.7;
+       transfer-source 10.53.0.7;
+       port 5300;
+       pid-file "named.pid";
+       statistics-file "named.stats";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.7; };
+       listen-on-v6 { none; };
+
+       response-policy { zone "policy2"; } qname-wait-recurse no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.7 port 9953 allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+
+zone "policy2" {
+       type slave;
+       masters { 10.53.0.5; };
+       file "policy2.db";
+       allow-transfer  { any; };
+       request-ixfr no; // force axfr on rndc reload
+};

diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index e44351626c866026baf7aa5fb370055ef240b98a..e7ccf7fcacfa918221ba8ab6ef4ded9cf460350b 100644 (file)
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -116,3 +116,4 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
 
 cp ns2/bl.tld2.db.in ns2/bl.tld2.db
 cp ns5/empty.db.in ns5/empty.db
+cp ns5/empty.db.in ns5/policy2.db

diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 69b6f580eb8494829eaf4be4bfa0186d025e7ff0..61559754d4adead84dcaa9123e63323a8823dd3b 100644 (file)
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -27,6 +27,7 @@ ns3=$ns.3             # main rewriting resolver
 ns4=$ns.4              # another authoritative server that is rewritten
 ns5=$ns.5              # another rewriting resolver
 ns6=$ns.6              # a forwarding server
+ns7=$ns.7              # another rewriting resolver
 
 HAVE_CORE=
 SAVE_RESULTS=
@@ -629,5 +630,12 @@ for i in 1 2 3 4 5; do
     nsd $ns5 delete '*.example.com.policy1.' example.com.policy1.
 done
 
+echo "I:checking checking that going from a empty policy zone works"
+nsd $ns5 add '*.x.servfail.policy2.' x.servfail.policy2.
+sleep 1
+$RNDCCMD $ns7 reload policy2
+$DIG z.x.servfail -p 5300 @$ns7 > dig.out.ns7
+grep NXDOMAIN dig.out.ns7 > /dev/null || setret I:failed;
+
 echo "I:exit status: $status"
 exit $status

diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 5c997721d4015c8ea8699982f283cafb068a88ac..7e06daf086da732c5057e43a4027f451731a48a4 100644 (file)
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -248,6 +248,9 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) {
        case DNS_RPZ_POLICY_WILDCNAME:
                str = "CNAME";
                break;
+       case DNS_RPZ_POLICY_MISS:
+               str = "MISS";
+               break;
        default:
                str = "";
                POST(str);
@@ -1653,6 +1656,7 @@ dns_rpz_ready(dns_rpz_zones_t *rpzs,
        load_rpzs->rbt = rbt;
 
        rpzs->total_triggers = load_rpzs->total_triggers;
+       rpzs->have = load_rpzs->have;
 
        UNLOCK(&rpzs->search_lock);
 

diff --git a/util/copyrights b/util/copyrights
index af418f812f685aeb6b4ea03525de28bac4fcbaa9..107edaecbd7e83106daf90168cb4244dd7b22aaf 100644 (file)
--- a/util/copyrights
+++ b/util/copyrights
@@ -1608,6 +1608,8 @@
 ./bin/tests/system/rpz/ns5/tld5.db             ZONE    2013
 ./bin/tests/system/rpz/ns6/hints               ZONE    2014
 ./bin/tests/system/rpz/ns6/named.conf          CONF-C  2014
+./bin/tests/system/rpz/ns7/hints               ZONE    2014
+./bin/tests/system/rpz/ns7/named.conf          CONF-C  2014
 ./bin/tests/system/rpz/prereq.sh               SH      2014
 ./bin/tests/system/rpz/qperf.sh                        SH      2012,2013
 ./bin/tests/system/rpz/rpz.c                   C       2011,2012,2013