Don't log NSDNAME failures as NSIP (#45052)
authorMukund Sivaraman <muks@isc.org>
Mon, 12 Jun 2017 08:31:40 +0000 (14:01 +0530)
committerMukund Sivaraman <muks@isc.org>
Mon, 12 Jun 2017 08:45:18 +0000 (14:15 +0530)
(cherry picked from commit 2c11da844192d8366a6e0047dff15a2746f9467e)
(cherry picked from commit 3a58e1fefb0a9fd5dab11f271a320c6b90473f76)

CHANGES
bin/named/query.c

diff --git a/CHANGES b/CHANGES
index 96f54611b806be1a60197a87c680dd32d9882fb3..06d271cba6e8bd59819da692bc6734d0abe27766 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4635.  [bug]           Fix RPZ NSDNAME logging that was logging
+                       failures as NSIP. [RT #45052]
+
 4634.  [contrib]       check5011.pl needs to handle optional space before
                        semi-colon in +multi-line output. [RT #45352]
 
index 962cf2cd3f287f65c9c8bb5a33a263791b91b9c7..6eb13c0a8657ceff706daefa982c4407725818cc 100644 (file)
@@ -975,12 +975,16 @@ rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
 }
 
 static void
-rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
-            dns_rpz_type_t rpz_type, const char *str, isc_result_t result)
+rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name,
+                   dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2,
+                   const char *str, isc_result_t result)
 {
        char qnamebuf[DNS_NAME_FORMATSIZE];
        char p_namebuf[DNS_NAME_FORMATSIZE];
        const char *failed;
+       const char *slash;
+       const char *rpztypestr1;
+       const char *rpztypestr2;
 
        if (!isc_log_wouldlog(ns_g_lctx, level))
                return;
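Review bot: rpz_log_fail_helper has no comment describing its two type parameters, and the convention that `DNS_RPZ_TYPE_BAD` in `rpz_type2` means "no second type" can only be learned by reading the body. A short block comment above the definition would cover it, e.g. `/* Log an RPZ failure; rpz_type2 == DNS_RPZ_TYPE_BAD means only rpz_type1 is named. */`. Only `rpz_type2` is checked against the sentinel, while `rpz_type1` is passed to `dns_rpz_type2str()` unconditionally, so the comment should also say that `rpz_type1` must be a real trigger type. How `dns_rpz_type2str()` treats `DNS_RPZ_TYPE_BAD` is not visible on this page. The function body continues in the next hunk.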
@@ -992,16 +996,34 @@ rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
                failed = "failed: ";
        else
                failed = ": ";
+
+       rpztypestr1 = dns_rpz_type2str(rpz_type1);
+       if (rpz_type2 != DNS_RPZ_TYPE_BAD) {
+               slash = "/";
+               rpztypestr2 = dns_rpz_type2str(rpz_type2);
+       } else {
+               slash = "";
+               rpztypestr2 = "";
+       }
+
        dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf));
        dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
        ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS,
                      NS_LOGMODULE_QUERY, level,
-                     "rpz %s rewrite %s via %s%s%s%s",
-                     dns_rpz_type2str(rpz_type),
+                     "rpz %s%s%s rewrite %s via %s%s%s%s",
+                     rpztypestr1, slash, rpztypestr2,
                      qnamebuf, p_namebuf,
                      str, failed, isc_result_totext(result));
 }
 
+static void
+rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
+            dns_rpz_type_t rpz_type, const char *str, isc_result_t result)
+{
+       rpz_log_fail_helper(client, level, p_name,
+                           rpz_type, DNS_RPZ_TYPE_BAD, str, result);
+}
+
 /*
  * Get a policy rewrite zone database.
  */
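Review bot: The new format string `"rpz %s%s%s rewrite %s via %s%s%s%s"` changes the text of a query-errors log line that operators may be matching on. Failures logged from rpz_rewrite_ns_skip (the later hunk) now begin with `rpz NSIP/NSDNAME rewrite` instead of `rpz NSIP rewrite`, so log parsers or alerting rules keyed on the old prefix would presumably stop matching. The CHANGES entry describes the bug but not the new wording; stating the new prefix there or in the release notes would let operators update their RPZ monitoring. Messages that go through rpz_log_fail keep the single-type form, because it passes `DNS_RPZ_TYPE_BAD` as the second type.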
@@ -5097,8 +5119,9 @@ rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
        st = client->query.rpz_st;
 
        if (str != NULL)
-               rpz_log_fail(client, level, nsname, DNS_RPZ_TYPE_NSIP,
-                            str, result);
+               rpz_log_fail_helper(client, level, nsname,
+                                   DNS_RPZ_TYPE_NSIP, DNS_RPZ_TYPE_NSDNAME,
+                                   str, result);
        if (st->r.ns_rdataset != NULL &&
            dns_rdataset_isassociated(st->r.ns_rdataset))
                dns_rdataset_disassociate(st->r.ns_rdataset);