From: Vladimír Čunát
Date: Wed, 20 Mar 2024 09:51:41 +0000 (+0100)
Subject: lib/rules: fix RPZ if it contains apex NS record
X-Git-Tag: v6.0.7~10^2
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-rpz-7rpq6b%2Fdeployments%2F3526;p=thirdparty%2Fknot-resolver.git

lib/rules: fix RPZ if it contains apex NS record

The spec even requires (at least one) NS record in apex https://datatracker.ietf.org/doc/html/draft-vixie-dns-rpz-00#section-2 but until now the implementation took it as override for the root NS, which obviously broke resolution (depending on the supplied name/s).
---
diff --git a/NEWS b/NEWS
index 716142d4c..a93d2fbc6 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Bugfixes
 --------
 - fix listening by interface name containing dashes (#900, !1500)
 - fix kresctl http request timeout (!1505)
+- fix RPZ if it contains apex NS record (!1516)
 Knot Resolver 6.0.6 (2024-02-13)
diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index b5cc4a646..d5163e2af 100644
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -200,6 +200,20 @@ static void process_record(zs_scanner_t *s)
 	}
 	if (knot_rrtype_is_metatype(s->r_type))
 		goto unsupported_type;
+	// Especially the apex NS record in RPZ needs to be ignored.
+	// That case is clear and silent. For non-RPZ we assume the NS is desired.
+	if (s->r_type == KNOT_RRTYPE_NS && s_data->c->is_rpz) {
+		if (s->r_owner[0] != '\0') {
+			auto_free char *owner_text = kr_dname_text(s->r_owner);
+			// remove the final dot to hint that the name is relative to apex
+			owner_text[strlen(owner_text) - 1] = '\0';
+			kr_log_warning(RULES, "skipping `%s NS` record\n", owner_text);
+		} else {
+			kr_log_debug(RULES, "skipping apex NS\n");
+		}
+		return;
+	}
+
 	if (s_data->c->is_rpz && s->r_type == KNOT_RRTYPE_CNAME) {
 		cname_scan2rule(s);
 		return;
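Review bot: The new `owner_text[strlen(owner_text) - 1] = '\0';` line dereferences the result of `kr_dname_text()` with no NULL check, and as far as I can tell that helper allocates the text and returns NULL when the allocation (or name conversion) fails, so the warn-and-skip path for a non-apex NS in an operator- or feed-supplied RPZ would crash the loader instead of skipping the record. Guard the strip with `if (owner_text)` and hand the warning a fallback string, e.g. `owner_text ? owner_text : "?"`, so the skip stays a skip on failure; the apex branch is unaffected since it never formats the name. As a point of style, this block and the existing CNAME block right after it both test `s_data->c->is_rpz`, just with the operands in opposite order; one `if (s_data->c->is_rpz)` around both type checks would read more uniformly. process_record() begins before and continues after this hunk.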