3864. [bug] RPZ didn't work well when being used as forwarder.
authorMark Andrews <marka@isc.org>
Thu, 29 May 2014 07:02:10 +0000 (17:02 +1000)
committerMark Andrews <marka@isc.org>
Thu, 29 May 2014 07:02:36 +0000 (17:02 +1000)
                        [RT #36060]

CHANGES
bin/named/query.c
bin/tests/system/rpz/ns6/hints [new file with mode: 0644]
bin/tests/system/rpz/ns6/named.conf [new file with mode: 0644]
bin/tests/system/rpz/tests.sh

diff --git a/CHANGES b/CHANGES
index f7ee8272b804df78d31ebade40d7cad22fc53870..f1718489d3d0a4bb454c1a626de47cabc79bfb99 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3864.  [bug]           RPZ didn't work well when being used as forwarder.
+                       [RT #36060]
+
 3863.  [bug]           The "E" flag was missing from the query log as a
                        unintended side effect of code rearrangement to
                        support EDNS EXPIRE. [RT #36117]
index 4f932104920889df68ac08a7808b97d0972bd940..86785f6200c6fe89e813365dd47ed2497c6daeae 100644 (file)
@@ -6590,11 +6590,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                                                rpz_st->p_name);
                                goto cleanup;
                        case DNS_RPZ_POLICY_NXDOMAIN:
-                               result = DNS_R_NXDOMAIN;
-                               break;
+                               client->message->rcode = dns_rcode_nxdomain;
+                               /*
+                                * Don't fall through as it will add a SOA
+                                * for the black list zone which breaks
+                                * sanity checking of result by nameservers.
+                                */
+                               client->message->rcode = dns_rcode_nxdomain;
+                               rpz_log_rewrite(client, ISC_FALSE,
+                                                rpz_st->m.policy,
+                                                rpz_st->m.type, zone,
+                                                rpz_st->p_name, NULL);
+                               goto cleanup;
                        case DNS_RPZ_POLICY_NODATA:
-                               result = DNS_R_NXRRSET;
-                               break;
+                               /*
+                                * Don't fall through as it will add a SOA
+                                * for the black list zone which breaks
+                                * sanity checking of result by nameservers.
+                                */
+                               rpz_log_rewrite(client, ISC_FALSE,
+                                                rpz_st->m.policy,
+                                                rpz_st->m.type, zone,
+                                                rpz_st->p_name, NULL);
+                               goto cleanup;
                        case DNS_RPZ_POLICY_RECORD:
                                result = rpz_st->m.result;
                                if (qtype == dns_rdatatype_any &&
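Review bot: `client->message->rcode = dns_rcode_nxdomain;` is assigned twice in the DNS_RPZ_POLICY_NXDOMAIN case, once before the comment block and again right after it; the first assignment should be dropped so the case reads the same as the DNS_RPZ_POLICY_NODATA case below it. The NODATA case sets no rcode at all and relies on whatever the message already carries, which is presumably NOERROR at this point; a one-line comment such as `/* rcode is left as is; the empty answer section signals NODATA */` would make that dependency explicit if it holds. Both cases now jump to cleanup instead of breaking out of the switch, so the response deliberately carries no SOA for the policy zone, which presumably also means the forwarding server cannot negatively cache it; that trade-off is worth stating in the existing comment alongside the sanity-check rationale. query_find begins before and continues after this hunk.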
diff --git a/bin/tests/system/rpz/ns6/hints b/bin/tests/system/rpz/ns6/hints
new file mode 100644 (file)
index 0000000..7d20df0
--- /dev/null
@@ -0,0 +1,19 @@
+; Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+.      120     NS      ns.
+ns.    120     A       10.53.0.1
diff --git a/bin/tests/system/rpz/ns6/named.conf b/bin/tests/system/rpz/ns6/named.conf
new file mode 100644 (file)
index 0000000..5c9530b
--- /dev/null
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+options {
+       query-source address 10.53.0.6;
+       notify-source 10.53.0.6;
+       transfer-source 10.53.0.6;
+       port 5300;
+       pid-file "named.pid";
+       statistics-file "named.stats";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.6; };
+       listen-on-v6 { none; };
+       notify no;
+       forward only;
+       forwarders { 10.53.0.3; };
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
index 898fef829e74155bea174b24183be2e655e9aed9..f76f48755fd8d02c11d4cf1a56702166cb798f76 100644 (file)
@@ -26,6 +26,7 @@ ns2=$ns.2             # authoritative server whose records are rewritten
 ns3=$ns.3              # main rewriting resolver
 ns4=$ns.4              # another authoritative server that is rewritten
 ns5=$ns.5              # another rewriting resolver
+ns6=$ns.6              # a forwarding server
 
 HAVE_CORE=
 SAVE_RESULTS=
@@ -334,6 +335,34 @@ addr 35.35.35.35 "x.servfail @$ns5"        # 35 qname-wait-recurse no
 end_group
 ckstats $ns3 test1 ns3 22
 ckstats $ns5 test1 ns5 1
+ckstats $ns6 test1 ns6 0
+
+start_group "NXDOMAIN/NODATA action on QNAME trigger" test1
+nxdomain a0-1.tld2 @$ns6                   # 1
+nodata a3-1.tld2 @$ns6                     # 2
+nodata a3-2.tld2 @$ns6                     # 3 nodata at DNAME itself
+nxdomain a4-2.tld2 @$ns6                   # 4 rewrite based on CNAME target
+nxdomain a4-2-cname.tld2 @$ns6             # 5
+nodata a4-3-cname.tld2 @$ns6               # 6
+addr 12.12.12.12  "a4-1.sub1.tld2 @$ns6"   # 7 A replacement
+addr 12.12.12.12  "a4-1.sub2.tld2 @$ns6"   # 8 A replacement with wildcard
+addr 127.4.4.1    "a4-4.tld2 @$ns6"        # 9 prefer 1st conflicting QNAME zone
+addr 12.12.12.12  "nxc1.sub1.tld2 @$ns6"   # 10 replace NXDOMAIN w/ CNAME
+addr 12.12.12.12  "nxc2.sub1.tld2 @$ns6"   # 11 replace NXDOMAIN w/ CNAME chain
+addr 127.6.2.1    "a6-2.tld2 @$ns6"        # 12
+addr 56.56.56.56  "a3-6.tld2 @$ns6"        # 13 wildcard CNAME
+addr 57.57.57.57  "a3-7.sub1.tld2 @$ns6"   # 14 wildcard CNAME
+addr 127.0.0.16   "a4-5-cname3.tld2 @$ns6" # 15 CNAME chain
+addr 127.0.0.17   "a4-6-cname3.tld2 @$ns6" # 16 stop short in CNAME chain
+nxdomain c1.crash2.tld3 @$ns6              # 17 assert in rbtdb.c
+nxdomain a0-1.tld2 +dnssec @$ns6           # 18 simple DO=1 without sigs
+nxdomain a0-1s-cname.tld2s  +dnssec @$ns6  # 19
+drop a3-8.tld2 any @$ns6                   # 20 drop
+
+end_group
+ckstats $ns3 test1 ns3 23
+ckstats $ns5 test1 ns5 0
+ckstats $ns6 test1 ns6 0
 
 start_group "IP rewrites" test2
 nodata a3-1.tld2                       # 1 NODATA
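Review bot: The new `start_group "NXDOMAIN/NODATA action on QNAME trigger" test1` appears to reuse the name of the earlier direct-query group, since it repeats the same twenty numbered queries with `@$ns6` appended, so a failure report will not say which path failed; `start_group "NXDOMAIN/NODATA action on QNAME trigger via forwarder" test1` would disambiguate it. The expected rewrite count for ns3 moves from 22 to 23 while ns5 drops to 0 and ns6 stays at 0, and nothing in the hunk explains the extra rewrite on ns3 when the queries arrive through the forwarder; a short comment next to `ckstats $ns3 test1 ns3 23` would save the next reader from re-deriving it. The `ckstats $ns6 test1 ns6 0` placed before the group reads as a baseline check; if that is its purpose, a trailing `# baseline` comment would make it clear it is not a stray duplicate of the one after `end_group`.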