Do not attempt to perform a DNS64 rewrite if RPZ returns NODATA.
authorMark Andrews <marka@isc.org>
Mon, 1 Jul 2019 03:44:30 +0000 (13:44 +1000)
committerMark Andrews <marka@isc.org>
Wed, 24 Jul 2019 21:26:35 +0000 (07:26 +1000)
(cherry picked from commit 1eb640049c88ec49bd7710cacc7a01a287735fe6)

bin/named/query.c
lib/dns/include/dns/rpz.h
lib/dns/rpz.c

index 2a54144d8a379152085eb88b9a51441804ff3e63..b6535cb75f2c1cdc52ebd926153f9e621817eebf 100644 (file)
@@ -4783,6 +4783,7 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
        isc_result_t result;
        dns_clientinfomethods_t cm;
        dns_clientinfo_t ci;
+       bool found_a = false;
 
        REQUIRE(nodep != NULL);
 
@@ -4826,6 +4827,18 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
                               "rpz_find_p: allrdatasets failed");
                        return (DNS_R_SERVFAIL);
                }
+               if (qtype == dns_rdatatype_aaaa &&
+                   !ISC_LIST_EMPTY(client->view->dns64)) {
+                       for (result = dns_rdatasetiter_first(rdsiter);
+                            result == ISC_R_SUCCESS;
+                            result = dns_rdatasetiter_next(rdsiter)) {
+                               dns_rdatasetiter_current(rdsiter, *rdatasetp);
+                               if ((*rdatasetp)->type == dns_rdatatype_a) {
+                                       found_a = true;
+                               }
+                               dns_rdataset_disassociate(*rdatasetp);
+                       }
+               }
                for (result = dns_rdatasetiter_first(rdsiter);
                     result == ISC_R_SUCCESS;
                     result = dns_rdatasetiter_next(rdsiter)) {
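Review bot: The added pre-scan loop never inspects the `result` it ends on, so an iterator failure during the scan looks the same as "no A rdataset" and leaves `found_a` false. The loop also keeps walking after a match; adding `if (found_a) { break; }` directly after `dns_rdataset_disassociate(*rdatasetp);` would stop early without leaving the rdataset associated. The second loop restarts the iterator with `dns_rdatasetiter_first`, and any error check that follows it is outside this hunk, so a failure may still be caught there. The pre-scan also depends on `*rdatasetp` being disassociated on entry, which the visible lines do not show.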
@@ -4878,7 +4891,11 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
                }
                return (ISC_R_SUCCESS);
        case DNS_R_NXRRSET:
-               *policyp = DNS_RPZ_POLICY_NODATA;
+               if (found_a) {
+                       *policyp = DNS_RPZ_POLICY_DNS64;
+               } else {
+                       *policyp = DNS_RPZ_POLICY_NODATA;
+               }
                return (result);
        case DNS_R_DNAME:
                /*
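Review bot: The `found_a` branch under `case DNS_R_NXRRSET` has no comment explaining why an A rdataset at the policy name changes the returned policy. A short comment above the `if` would record the intent, e.g. `/* Policy node has A but no AAAA: let DNS64 map the rewritten A instead of answering NODATA. */`. That reading is inferred from the enum comment added in rpz.h, so the wording should be confirmed by the author. rpz_find_p starts and ends outside this hunk.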
@@ -7508,8 +7525,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                                rpz = true;
                                break;
                        case DNS_RPZ_POLICY_NODATA:
-                               result = DNS_R_NXRRSET;
                                nxrewrite = true;
+                               /* FALLTHROUGH */
+                       case DNS_RPZ_POLICY_DNS64:
+                               result = DNS_R_NXRRSET;
                                rpz = true;
                                break;
                        case DNS_RPZ_POLICY_RECORD:
@@ -7970,6 +7989,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 #endif
                } else if (result == DNS_R_NXRRSET &&
                           !ISC_LIST_EMPTY(client->view->dns64) &&
+                          !nxrewrite &&
                           client->message->rdclass == dns_rdataclass_in &&
                           qtype == dns_rdatatype_aaaa)
                {
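Review bot: The new `!nxrewrite &&` term is what stops an RPZ NODATA answer from being replaced by a synthesized AAAA, but nothing at the condition says so, and a later cleanup could drop it as redundant. A comment ahead of this `else if` such as `/* Skip DNS64 when RPZ rewrote the answer to NODATA (nxrewrite). */` would keep the policy intent visible. The files listed for this commit are query.c, rpz.h and rpz.c only, so no regression test for an AAAA query hitting an RPZ NODATA rule with dns64 configured appears here; one may exist in a separate commit. query_find continues outside the hunk.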
index 78f34435b9467247e7c7bc1f1500c4c52da467f0..36763c27291b35d8168060fa4a2eb2d2ddcfb752 100644 (file)
@@ -9,9 +9,6 @@
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
-
 #ifndef DNS_RPZ_H
 #define DNS_RPZ_H 1
 
@@ -71,6 +68,7 @@ typedef enum {
        DNS_RPZ_POLICY_NXDOMAIN = 5,    /* 'nxdomain': answer with NXDOMAIN */
        DNS_RPZ_POLICY_NODATA = 6,      /* 'nodata': answer with ANCOUNT=0 */
        DNS_RPZ_POLICY_CNAME = 7,       /* 'cname x': answer with x's rrsets */
+       DNS_RPZ_POLICY_DNS64,           /* Apply DN64 to the A rewrite */
        DNS_RPZ_POLICY_RECORD,
        DNS_RPZ_POLICY_WILDCNAME,
        DNS_RPZ_POLICY_MISS,
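Review bot: Inserting `DNS_RPZ_POLICY_DNS64` right after `DNS_RPZ_POLICY_CNAME = 7` shifts the implicit values of `DNS_RPZ_POLICY_RECORD`, `DNS_RPZ_POLICY_WILDCNAME`, `DNS_RPZ_POLICY_MISS` and any later members by one, in an installed header. Code built against the old header, or anything that stores or indexes by these values, would then disagree with the library; whether such users exist is not visible here. Placing the new member after the existing ones, or giving the shifted members explicit values, would avoid the renumbering. The comment also has a typo and should read `/* Apply DNS64 to the A rewrite */`. The enum continues outside the hunk.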
index df9eb76a9a8f08f18a96a2368e37c2f33c1bafa3..0476eb2e096bff5f5c7cfc10fb6fc5308e9611d1 100644 (file)
@@ -246,6 +246,9 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) {
        case DNS_RPZ_POLICY_MISS:
                str = "MISS";
                break;
+       case DNS_RPZ_POLICY_DNS64:
+               str = "DNS64";
+               break;
        default:
                INSIST(0);
                ISC_UNREACHABLE();