From: Evan Hunt Date: Sat, 7 Jan 2012 00:19:59 +0000 (+0000) Subject: 3262. [bug] Signed responses were handled incorrectly by RPZ. X-Git-Tag: v9.0.1^2~65 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c19cfefe7e345c37ef3bb98b0db2d14fe7b1d583;p=thirdparty%2Fbind9.git 3262. [bug] Signed responses were handled incorrectly by RPZ. [RT #27316] --- diff --git a/CHANGES b/CHANGES index 2b38fe3b368..55f73cdbdc5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3262. [bug] Signed responses were handled incorrectly by RPZ. + [RT #27316] + 3261. [func] RRset ordering now defaults to random. [RT #27174] 3260. [bug] "rrset-order cyclic" could appear not to rotate diff --git a/bin/named/query.c b/bin/named/query.c index a9957750626..9f6c86e694c 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.380 2012/01/04 23:46:49 tbox Exp $ */ +/* $Id: query.c,v 1.381 2012/01/07 00:19:59 each Exp $ */ /*! \file */ @@ -5659,6 +5659,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (!ISC_LIST_EMPTY(client->view->rpz_zones) && RECURSIONOK(client) && !RECURSING(client) && + (!WANTDNSSEC(client) || sigrdataset == NULL || + !dns_rdataset_isassociated(sigrdataset)) && (client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && !dns_name_equal(client->query.qname, dns_rootname)) { diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 9cf6c19b6bd..4f45afe0fdd 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.4 2011/10/13 01:32:32 vjs Exp $ +# $Id: clean.sh,v 1.5 2012/01/07 00:19:59 each Exp $ # Clean up after rpz tests. 
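Review bot: The new `WANTDNSSEC`/`sigrdataset` clause makes the RPZ exemption depend on whether a signature RRset actually came back with the answer, so a DO-bit client whose answer arrives without an associated `sigrdataset` is still rewritten while a signed answer is left untouched; the test data on this page ("rewrite responses from this zone unless dnssec requested") shows this is intentional, but nothing at the call site says so, and the next reader may take the asymmetry for a bug. A short comment above the `if` would settle it, e.g. `/* RPZ: do not rewrite a signed answer for a DNSSEC-aware (DO) client, since rewriting would break validation; unsigned answers remain subject to policy. */`. Operators should be aware that policy is deliberately not applied to such responses, so the same point belongs in the RPZ documentation if it is not already there. `sigrdataset` is declared outside the hunk, and `query_find`'s body starts and ends outside it as well.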
@@ -20,3 +20,5 @@ rm -f proto.* dig.out* nsupdate.tmp rm -f */named.memstats */named.run */named.rpz */session.key rm -f ns3/bl*.db */*.jnl */*.core */*.pid +rm -f ns2/signed-tld2.db +rm -f ns2/K*.private ns2/K*.key dsset-* diff --git a/bin/tests/system/rpz/ns1/root.db b/bin/tests/system/rpz/ns1/root.db index 3adf0bf79ba..4d4c68bd5f1 100644 --- a/bin/tests/system/rpz/ns1/root.db +++ b/bin/tests/system/rpz/ns1/root.db @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db,v 1.4 2011/10/13 01:32:33 vjs Exp $ +; $Id: root.db,v 1.5 2012/01/07 00:19:59 each Exp $ $TTL 120 @ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) @@ -25,6 +25,11 @@ tld2. NS ns.tld2. ns.tld2. A 10.53.0.2 ns2.tld2. A 10.53.0.2 +; rewrite responses from this zone unless dnssec requested +signed-tld2. NS ns.signed-tld2. +ns.signed-tld2. A 10.53.0.2 +ns2.signed-tld2. A 10.53.0.2 + ; requests come from here tld3. NS ns.tld3. ns.tld3. A 10.53.0.3 diff --git a/bin/tests/system/rpz/ns2/named.conf b/bin/tests/system/rpz/ns2/named.conf index 581816fc47b..c15ecc1480a 100644 --- a/bin/tests/system/rpz/ns2/named.conf +++ b/bin/tests/system/rpz/ns2/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.4 2011/10/13 01:32:33 vjs Exp $ */ +/* $Id: named.conf,v 1.5 2012/01/07 00:19:59 each Exp $ */ controls { /* empty */ }; @@ -40,3 +40,4 @@ zone "sub2.tld2." {type master; file "tld2.db";}; zone "subsub.sub2.tld2." {type master; file "tld2.db";}; zone "sub3.tld2." {type master; file "tld2.db";}; zone "subsub.sub3.tld2." {type master; file "tld2.db";}; +zone "signed-tld2." {type master; file "signed-tld2.db";}; diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 680e2378469..b7b327e1005 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh 
@@ -14,11 +14,18 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.4 2011/10/13 01:32:32 vjs Exp $ +# $Id: setup.sh,v 1.5 2012/01/07 00:19:59 each Exp $ -sh clean.sh +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh # NO-OP is an obsolete synonym for PASSHTRU for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done + +../../../tools/genrandom 400 random.data +$KEYGEN -Kns2 -q -r random.data -3 signed-tld2. > /dev/null 2>&1 +$KEYGEN -Kns2 -q -r random.data -3fk signed-tld2. > /dev/null 2>&1 +$SIGNER -S -Kns2 -o signed-tld2. -f ns2/signed-tld2.db ns2/tld2.db > /dev/null 2>&1 diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 index 7fa61448d3e..27becfe5907 100644 --- a/bin/tests/system/rpz/test1 +++ b/bin/tests/system/rpz/test1 @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test1,v 1.7 2011/10/28 11:46:49 marka Exp $ +; $Id: test1,v 1.8 2012/01/07 00:19:59 each Exp $ ; Use comment lines instead of blank lines to combine update requests into @@ -26,6 +26,7 @@ server 10.53.0.3 5300 ; NXDOMAIN update add a0-1.tld2.bl. 300 CNAME . +update add a0-1.signed-tld2.bl. 300 CNAME . ; ; NODATA update add a3-1.tld2.bl. 300 CNAME *. diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 2684cc66010..ed8b0590903 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.10 2011/11/18 19:32:13 each Exp $ +# $Id: tests.sh,v 1.11 2012/01/07 00:19:59 each Exp $ # test response policy zones (RPZ) 
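Review bot: The three new `$KEYGEN`/`$SIGNER` lines at the end of the hunk discard both stdout and stderr and ignore the exit status, so if key generation or signing fails, `ns2/signed-tld2.db` is never produced, ns2 cannot load the `signed-tld2.` zone that named.conf now references, and the `+dnssec` cases in tests.sh fail for a reason unrelated to RPZ with nothing in the setup output to explain it. Checking the result keeps that failure mode visible, e.g. `$SIGNER -S -Kns2 -o signed-tld2. -f ns2/signed-tld2.db ns2/tld2.db > /dev/null 2>&1 || { echo "signing signed-tld2. failed" >&2; exit 1; }`, and the same treatment suits the two `$KEYGEN` calls. I am assuming `$KEYGEN` and `$SIGNER` are defined by the `conf.sh` sourced at the top of the hunk, which is not shown here.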
@@ -215,6 +215,10 @@ addr 57.57.57.57 a3-7.sub1.tld2 # 15 wildcard CNAME addr 127.0.0.16 a4-5-cname3.tld2 # 16 CNAME chain addr 127.0.0.17 a4-6-cname3.tld2 # 17 stop short in CNAME chain nxdomain c1.crash2.tld3 # 18 assert in rbtdb.c +nochange a0-1.tld2 +norecurse +nxdomain a0-1.tld2 +dnssec +nxdomain a0-1.signed-tld2 +nochange a0-1.signed-tld2 +dnssec end_group start_group "IP rewrites" test2