From d034c523c6eac98e3142a2707992a158670a5951 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 20 Mar 2024 10:51:41 +0100
Subject: [PATCH] lib/rules: fix RPZ if it contains apex NS record

The spec even requires (at least one) NS record in apex https://datatracker.ietf.org/doc/html/draft-vixie-dns-rpz-00#section-2 but until now the implementation took it as override for the root NS, which obviously broke resolution (depending on the supplied name/s).
---
 NEWS                 | 1 +
 lib/rules/zonefile.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/NEWS b/NEWS
index 716142d4c..a93d2fbc6 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Bugfixes
 --------
 - fix listening by interface name containing dashes (#900, !1500)
 - fix kresctl http request timeout (!1505)
+- fix RPZ if it contains apex NS record (!1516)
 Knot Resolver 6.0.6 (2024-02-13)

diff --git a/lib/rules/zonefile.c b/lib/rules/zonefile.c
index b5cc4a646..d5163e2af 100644
--- a/lib/rules/zonefile.c
+++ b/lib/rules/zonefile.c
@@ -200,6 +200,20 @@ static void process_record(zs_scanner_t *s)
 	}
 	if (knot_rrtype_is_metatype(s->r_type))
 		goto unsupported_type;
+	// Especially the apex NS record in RPZ needs to be ignored.
+	// That case is clear and silent. For non-RPZ we assume the NS is desired.
+	if (s->r_type == KNOT_RRTYPE_NS && s_data->c->is_rpz) {
+		if (s->r_owner[0] != '\0') {
+			auto_free char *owner_text = kr_dname_text(s->r_owner);
+			// remove the final dot to hint that the name is relative to apex
+			owner_text[strlen(owner_text) - 1] = '\0';
+			kr_log_warning(RULES, "skipping `%s NS` record\n", owner_text);
+		} else {
+			kr_log_debug(RULES, "skipping apex NS\n");
+		}
+		return;
+	}
+
 	if (s_data->c->is_rpz && s->r_type == KNOT_RRTYPE_CNAME) {
 		cname_scan2rule(s);
 		return;
-- 
2.47.2
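Review bot: The line `owner_text[strlen(owner_text) - 1] = '\0';` in the new NS branch of process_record uses the result of kr_dname_text() without checking it; if that conversion can fail and return NULL (the hunk does not rule it out), this is a write through a null pointer, and an empty result would index at SIZE_MAX. Since an RPZ zone is loaded from an external feed, a crash while skipping a record is the wrong failure mode for a path that is only producing a warning, so the trim and the log should tolerate a missing name, e.g. `if (owner_text && *owner_text) owner_text[strlen(owner_text) - 1] = '\0';` and `kr_log_warning(RULES, "skipping `%s NS` record\n", owner_text ? owner_text : "<?>");`. The comment about the "final dot" also presumes kr_dname_text() always emits a trailing dot for a non-root name, which seems likely but is not visible here; worth stating as the contract being relied on. process_record's body starts and continues outside the hunk.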