More changes for:
authorMark Andrews <marka@isc.org>
Thu, 29 May 2014 22:41:27 +0000 (08:41 +1000)
committerMark Andrews <marka@isc.org>
Thu, 29 May 2014 22:46:54 +0000 (08:46 +1000)
3864.   [bug]           RPZ didn't work well when being used as a forwarder.
                        [RT #36060]

bin/named/query.c
bin/tests/system/dns64/tests.sh
bin/tests/system/rpz/tests.sh

index 8444ca0af90b882b937c8f2dfab274a81908d72a..525923215263f32e9a55ae0df5079745f0828cb9 100644 (file)
@@ -6085,6 +6085,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        isc_boolean_t resuming;
        int line = -1;
        isc_boolean_t dns64_exclude, dns64;
+       isc_boolean_t nxrewrite = ISC_FALSE;
        dns_clientinfomethods_t cm;
        dns_clientinfo_t ci;
 
@@ -6590,29 +6591,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                                                rpz_st->p_name);
                                goto cleanup;
                        case DNS_RPZ_POLICY_NXDOMAIN:
-                               client->message->rcode = dns_rcode_nxdomain;
-                               /*
-                                * Don't fall through as it will add a SOA
-                                * for the black list zone which breaks
-                                * sanity checking of result by nameservers.
-                                */
-                               client->message->rcode = dns_rcode_nxdomain;
-                               rpz_log_rewrite(client, ISC_FALSE,
-                                                rpz_st->m.policy,
-                                                rpz_st->m.type, zone,
-                                                rpz_st->p_name);
-                               goto cleanup;
+                               result = DNS_R_NXDOMAIN;
+                               nxrewrite = ISC_TRUE;
+                               break;
                        case DNS_RPZ_POLICY_NODATA:
-                               /*
-                                * Don't fall through as it will add a SOA
-                                * for the black list zone which breaks
-                                * sanity checking of result by nameservers.
-                                */
-                               rpz_log_rewrite(client, ISC_FALSE,
-                                                rpz_st->m.policy,
-                                                rpz_st->m.type, zone,
-                                                rpz_st->p_name);
-                               goto cleanup;
+                               result = DNS_R_NXRRSET;
+                               nxrewrite = ISC_TRUE;
+                               break;
                        case DNS_RPZ_POLICY_RECORD:
                                result = rpz_st->m.result;
                                if (qtype == dns_rdatatype_any &&
@@ -7155,15 +7140,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                         */
                        query_releasename(client, &fname);
                }
+
                /*
-                * Add SOA.
+                * Add SOA if NXRRSET was not generated by RPZ rewrite
                 */
-               result = query_addsoa(client, db, version, ISC_UINT32_MAX,
-                                     dns_rdataset_isassociated(rdataset));
-               if (result != ISC_R_SUCCESS) {
-                       QUERY_ERROR(result);
-                       goto cleanup;
+               if (!nxrewrite) {
+                       isc_boolean_t associated =
+                               dns_rdataset_isassociated(rdataset);
+                       result = query_addsoa(client, db, version,
+                                             ISC_UINT32_MAX, associated);
+                       if (result != ISC_R_SUCCESS) {
+                               QUERY_ERROR(result);
+                               goto cleanup;
+                       }
                }
+
                /*
                 * Add NSEC record if we found one.
                 */
@@ -7202,17 +7193,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                }
 
                /*
-                * Add SOA.  If the query was for a SOA record force the
+                * Add SOA if NXDOMAIN was not generated by RPZ rewrite.
+                *
+                * If the query was for a SOA record force the
                 * ttl to zero so that it is possible for clients to find
                 * the containing zone of an arbitrary name with a stub
                 * resolver and not have it cached.
                 */
-               if (qtype == dns_rdatatype_soa &&
-                   zone != NULL &&
-                   dns_zone_getzeronosoattl(zone))
+               if (!nxrewrite && qtype == dns_rdatatype_soa &&
+                   zone != NULL && dns_zone_getzeronosoattl(zone))
                        result = query_addsoa(client, db, version, 0,
                                          dns_rdataset_isassociated(rdataset));
-               else
+               else if (!nxrewrite)
                        result = query_addsoa(client, db, version,
                                              ISC_UINT32_MAX,
                                          dns_rdataset_isassociated(rdataset));
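Review bot: In the last hunk (the NXDOMAIN SOA block) the guard is split across `if (!nxrewrite && ...)` and `else if (!nxrewrite)`, so when the rewrite flag is set neither branch assigns `result` and the code after the hunk sees whatever `result` held before this block — presumably the status of the earlier NSEC step rather than of the SOA addition, so if a `result != ISC_R_SUCCESS` check follows (as one does after the NXRRSET SOA call in the previous hunk) it would be acting on a stale value. The NXRRSET hunk already wraps the query_addsoa call and its error check in a single `if (!nxrewrite) { ... }`; using the same shape here keeps the two paths consistent and makes the skip explicit rather than repeating the flag in both conditions. query_find continues on both sides of the hunk, so the lines that consume `result` are not visible here and the inference about the error check should be confirmed against them.
```c
		/* … unchanged: "Add SOA if NXDOMAIN was not generated by RPZ rewrite" comment … */
		if (!nxrewrite) {
			if (qtype == dns_rdatatype_soa && zone != NULL &&
			    dns_zone_getzeronosoattl(zone))
				result = query_addsoa(client, db, version, 0,
					  dns_rdataset_isassociated(rdataset));
			else
				result = query_addsoa(client, db, version,
						      ISC_UINT32_MAX,
					  dns_rdataset_isassociated(rdataset));
			/* … the result check that follows the hunk, if present, moves inside this guard … */
			if (result != ISC_R_SUCCESS) {
				QUERY_ERROR(result);
				goto cleanup;
			}
		}
```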
index fd90cb4d91aa548a517264b627feb153f2c38505..51907a765ee37011110273925033bfa738281250 100644 (file)
@@ -1282,6 +1282,7 @@ do
 done
 
 echo "I: checking dns64-server and dns64-contact ($n)"
+ret=0
 $DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
@@ -1289,6 +1290,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than 600 from zone ($n)"
+ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1297,6 +1299,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL more than 600 from zone ($n)"
+ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1305,6 +1308,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than minimum from zone ($n)"
+ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1313,6 +1317,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL limited to minimum from zone ($n)"
+ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1321,6 +1326,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than 600 via cache ($n)"
+ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1329,6 +1335,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL more than 600 via cache ($n)"
+ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1337,6 +1344,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than minimum via cache ($n)"
+ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1345,6 +1353,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL limited to minimum via cache ($n)"
+ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1353,6 +1362,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
+ret=0
 $DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
 n=`expr $n + 1`
index f76f48755fd8d02c11d4cf1a56702166cb798f76..0a614e64cbea693c0f61d2f0fb261ff908a57785 100644 (file)
@@ -360,7 +360,7 @@ nxdomain a0-1s-cname.tld2s  +dnssec @$ns6  # 19
 drop a3-8.tld2 any @$ns6                   # 20 drop
 
 end_group
-ckstats $ns3 test1 ns3 23
+ckstats $ns3 test1 ns3 22
 ckstats $ns5 test1 ns5 0
 ckstats $ns6 test1 ns6 0
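Review bot: The expected ns3 rewrite count drops from 23 to 22 with nothing in the hunk or the commit message saying which of the numbered cases above stops being counted, so the next person who sees this assertion fail cannot tell an intended change from a regression. A comment on the changed line would record the reason, e.g. `ckstats $ns3 test1 ns3 22   # <case no.> no longer counted as a rewrite, see RT #36060` with the placeholder filled in by the author. The test group whose rewrites this count covers starts above the hunk, so the affected case is not visible here.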