From: Mark Andrews
Date: Mon, 1 Jul 2019 03:44:30 +0000 (+1000)
Subject: Do not attempt to perform a DNS64 rewrite if RPZ returns NODATA.
X-Git-Tag: v9.11.10~17^2~1
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=de153f1a43416512138dda21c682281c677cddb9;p=thirdparty%2Fbind9.git

Do not attempt to perform a DNS64 rewrite if RPZ returns NODATA.

(cherry picked from commit 1eb640049c88ec49bd7710cacc7a01a287735fe6)
---
diff --git a/bin/named/query.c b/bin/named/query.c
index 2a54144d8a3..b6535cb75f2 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -4783,6 +4783,7 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
  isc_result_t result;
  dns_clientinfomethods_t cm;
  dns_clientinfo_t ci;
+ bool found_a = false;
 
  REQUIRE(nodep != NULL);
 
@@ -4826,6 +4827,18 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
  "rpz_find_p: allrdatasets failed");
  return (DNS_R_SERVFAIL);
  }
+ if (qtype == dns_rdatatype_aaaa &&
+ !ISC_LIST_EMPTY(client->view->dns64)) {
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, *rdatasetp);
+ if ((*rdatasetp)->type == dns_rdatatype_a) {
+ found_a = true;
+ }
+ dns_rdataset_disassociate(*rdatasetp);
+ }
+ }
  for (result = dns_rdatasetiter_first(rdsiter);
  result == ISC_R_SUCCESS;
  result = dns_rdatasetiter_next(rdsiter)) {
@@ -4878,7 +4891,11 @@ rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
  }
  return (ISC_R_SUCCESS);
  case DNS_R_NXRRSET:
- *policyp = DNS_RPZ_POLICY_NODATA;
+ if (found_a) {
+ *policyp = DNS_RPZ_POLICY_DNS64;
+ } else {
+ *policyp = DNS_RPZ_POLICY_NODATA;
+ }
  return (result);
  case DNS_R_DNAME:
  /*
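Review bot: The pre-scan loop added after the allrdatasets check keeps iterating after `found_a` is already set and carries no comment saying why it exists, so a reader of rpz_find_p has to reach the DNS_R_NXRRSET case in the third hunk to learn that `found_a` switches the policy from DNS_RPZ_POLICY_NODATA to DNS_RPZ_POLICY_DNS64. I would put `/* AAAA query with DNS64 configured: record whether the policy node holds an A RRset so the DNS_R_NXRRSET case below selects DNS_RPZ_POLICY_DNS64 instead of NODATA. */` above the `if (qtype == dns_rdatatype_aaaa &&` line, and leave the loop as soon as the A RRset is seen: `found_a = true; dns_rdataset_disassociate(*rdatasetp); break;` in place of the bare `found_a = true;`. rpz_find_p starts and ends outside these hunks, so I cannot confirm that `*rdatasetp` is disassociated on entry as the first `dns_rdatasetiter_current` call requires; the existing loop that follows makes the same assumption.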
@@ -7508,8 +7525,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
  rpz = true;
  break;
  case DNS_RPZ_POLICY_NODATA:
- result = DNS_R_NXRRSET;
  nxrewrite = true;
+ /* FALLTHROUGH */
+ case DNS_RPZ_POLICY_DNS64:
+ result = DNS_R_NXRRSET;
  rpz = true;
  break;
  case DNS_RPZ_POLICY_RECORD:
@@ -7970,6 +7989,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
  #endif
  } else if (result == DNS_R_NXRRSET &&
  !ISC_LIST_EMPTY(client->view->dns64) &&
+ !nxrewrite &&
  client->message->rdclass == dns_rdataclass_in &&
  qtype == dns_rdatatype_aaaa)
  {
diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h
index 78f34435b94..36763c27291 100644
--- a/lib/dns/include/dns/rpz.h
+++ b/lib/dns/include/dns/rpz.h
@@ -9,9 +9,6 @@
  * information regarding copyright ownership.
  */
 
-/* $Id$ */
-
-
  #ifndef DNS_RPZ_H
  #define DNS_RPZ_H 1
 
@@ -71,6 +68,7 @@ typedef enum {
  DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */
  DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */
  DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */
+ DNS_RPZ_POLICY_DNS64, /* Apply DN64 to the A rewrite */
  DNS_RPZ_POLICY_RECORD,
  DNS_RPZ_POLICY_WILDCNAME,
  DNS_RPZ_POLICY_MISS,
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index df9eb76a9a8..0476eb2e096 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -246,6 +246,9 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) {
  case DNS_RPZ_POLICY_MISS:
  str = "MISS";
  break;
+ case DNS_RPZ_POLICY_DNS64:
+ str = "DNS64";
+ break;
  default:
  INSIST(0);
  ISC_UNREACHABLE();
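Review bot: The new `case DNS_RPZ_POLICY_DNS64:` label sets `result = DNS_R_NXRRSET` and `rpz = true` but deliberately leaves `nxrewrite` false, and nothing at the label says that this is the whole point: the second query_find hunk adds `!nxrewrite &&` to the DNS64 synthesis condition, so only this policy, and not NODATA (which sets `nxrewrite = true` before falling through), still reaches that branch. I would put `/* nxrewrite stays false so the DNS64 synthesis branch below still runs for this policy. */` directly after the DNS64 case label, and a matching `/* suppress DNS64 synthesis for an RPZ NODATA rewrite */` next to the added `!nxrewrite &&`. query_find starts and ends outside both hunks.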
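Review bot: `DNS_RPZ_POLICY_DNS64` is inserted between the explicitly numbered `DNS_RPZ_POLICY_CNAME = 7` and the implicitly numbered `DNS_RPZ_POLICY_RECORD`, so RECORD, WILDCNAME, MISS and any later constants all shift by one; if any of those values is persisted, logged numerically or compared between separately built library and binary, this cherry-pick onto the 9.11 maintenance branch (X-Git-Tag v9.11.10) changes them, and appending the new constant after the last existing one would avoid that. The comment also misspells the feature ("DN64") and does not say when the policy is chosen; `/* 'nodata' at a node holding an A RRset, for an AAAA query with DNS64 configured: answer NXRRSET and let DNS64 synthesize */` matches what the rpz_find_p and query_find changes do with it. Any other switch over dns_rpz_policy_t that has no default would now need the new case; the diff updates only dns_rpz_policy2str in rpz.c, and I cannot see whether others exist.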