fix: usr: Add RPZ extended DNS error for zones with a CNAME override policy configured

When the zone is configured with a CNAME override policy, or the response policy zone contains a wildcard CNAME, the extended DNS error code was not added. This has been fixed. Closes #5342 Merge branch '5342-rpz-cname-override-ede-not-added' into 'main' See merge request isc-projects/bind9!10777
2026-05-28 04:34:54 -04:00 · 2025-08-05 07:19:49 +00:00 · 2025-08-05 07:19:49 +00:00 · 09efe6039c
commit 09efe6039c
parent c613d87308 2f70a0ef12
8 changed files with 88 additions and 9 deletions
--- a/bin/tests/system/rpz/ns3/evil-cname.db.in
+++ b/bin/tests/system/rpz/ns3/evil-cname.db.in
@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL 300
+@					SOA	evil-cname.  hostmaster.ns.evil-cname. ( 1 3600 1200 604800 60 )
+					NS	ns.tld3.
+
+evil.tld2				CNAME	a12.tld2.
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@ -51,6 +51,8 @@ options {
 	    zone "bl.tld2";
 	    zone "manual-update-rpz"	ede forged;
 	    zone "mixed-case-rpz";
+	    zone "evil-cname"  policy cname a12.tld2. ede blocked;
+	    zone "wild-cname"  ede blocked;
 	}
 	add-soa yes
 	min-ns-dots 0
@ -150,6 +152,16 @@ zone "static-stub-nomatch." {
 	server-addresses { 10.53.0.10; };
 };

+zone "evil-cname" {
+	type primary;
+	file "evil-cname.db";
+};
+
+zone "wild-cname" {
+	type primary;
+	file "wild-cname.db";
+};
+
 # A faulty dlz configuration to check if named with response policy zones
 # survives a certain class of failed configuration attempts (see GL #3880).
 # "dlz" is used because the dlz processing code is located in an ideal place in
--- a/bin/tests/system/rpz/ns3/wild-cname.db.in
+++ b/bin/tests/system/rpz/ns3/wild-cname.db.in
@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+;   This basic file is copied to several zone files before being used.
+;   Its contents are also changed with nsupdate
+
+
+$TTL 300
+@					SOA	wild-cname.  hostmaster.ns.wild-cname. ( 1 3600 1200 604800 60 )
+					NS	ns.tld3.
+
+*.evil.tld2				CNAME	*.wc.tld4.
--- a/bin/tests/system/rpz/ns4/tld4.db
+++ b/bin/tests/system/rpz/ns4/tld4.db
@ -64,3 +64,5 @@ a3-8.tld2	A	58.58.58.58
 a3-9.sub9.tld2	A	59.59.59.59

 a3-10.tld2	A	60.60.60.60
+
+*.wc		A	61.61.61.61
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@ -44,6 +44,9 @@ done
 cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
 cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db

+cp ns3/evil-cname.db.in ns3/evil-cname.db
+cp ns3/wild-cname.db.in ns3/wild-cname.db
+
 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db

 # a zone that expires quickly and then can't be refreshed
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -687,6 +687,16 @@ echo_i "checking the configured extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
 grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"

+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, wildcard CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 foo.evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
 # reload a RPZ zone that is now deliberately broken.
 t=$((t + 1))
 echo_i "checking rpz failed update will keep previous rpz rules (${t})"
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@ -36,11 +36,13 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/bl-wildcname.db",
        "ns3/bl.db",
        "ns3/bl.tld2.db",
+        "ns3/evil-cname.db",
        "ns3/fast-expire.db",
        "ns3/manual-update-rpz.db",
        "ns3/mixed-case-rpz.db",
        "ns3/named.conf.tmp",
        "ns3/named.stats",
+        "ns3/wild-cname.db",
        "ns5/bl.db",
        "ns5/empty.db",
        "ns5/empty.db.jnl",
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -145,13 +145,13 @@
 #define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0)

 /*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */
-#define NOQNAME(r) (((r)->attributes.noqname))
+#define NOQNAME(r) ((r)->attributes.noqname)

 /*% Does the rdataset 'r' contain a stale answer? */
-#define STALE(r) (((r)->attributes.stale))
+#define STALE(r) ((r)->attributes.stale)

 /*% Does the rdataset 'r' is stale and within stale-refresh-time? */
-#define STALE_WINDOW(r) (((r)->attributes.stale_window))
+#define STALE_WINDOW(r) ((r)->attributes.stale_window)

 #ifdef WANT_QUERYTRACE
 static void
@ -6972,6 +6972,16 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
 	return ISC_R_SUCCESS;
 }

+static void
+query_rpz_add_ede(query_ctx_t *qctx) {
+	if (qctx->rpz_st->m.rpz->ede != 0 &&
+	    qctx->rpz_st->m.rpz->ede != UINT16_MAX)
+	{
+		dns_ede_add(&qctx->client->edectx, qctx->rpz_st->m.rpz->ede,
+			    NULL);
+	}
+}
+
 /*%
 * Do any RPZ rewriting that may be needed for this query.
 */
@ -7124,6 +7134,8 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 			result = dns_rdata_tostruct(&rdata, &cname, NULL);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			dns_rdata_reset(&rdata);
+
+			query_rpz_add_ede(qctx);
 			result = query_rpzcname(qctx, &cname.cname);
 			if (result != ISC_R_SUCCESS) {
 				return ISC_R_COMPLETE;
@ -7137,6 +7149,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 			 * Add overriding CNAME from a named.conf
 			 * response-policy statement
 			 */
+			query_rpz_add_ede(qctx);
 			result = query_rpzcname(qctx,
 						&qctx->rpz_st->m.rpz->cname);
 			if (result != ISC_R_SUCCESS) {
@ -7149,12 +7162,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 			UNREACHABLE();
 		}

-		if (qctx->rpz_st->m.rpz->ede != 0 &&
-		    qctx->rpz_st->m.rpz->ede != UINT16_MAX)
-		{
-			dns_ede_add(&qctx->client->edectx,
-				    qctx->rpz_st->m.rpz->ede, NULL);
-		}
+		query_rpz_add_ede(qctx);

 		/*
 		 * Turn off DNSSEC because the results of a