diff --git a/CHANGES b/CHANGES index 783c733b8e..fb6f5e2fc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3126. [security] Using DNAME record to generate replacements caused + RPZ to exit with a assertion failure. [RT #23766] + 3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with a assertion failure. [RT #24715] diff --git a/bin/named/query.c b/bin/named/query.c index 44833c1253..76adb49eb8 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */ +/* $Id: query.c,v 1.367 2011/06/09 03:10:17 marka Exp $ */ /*! \file */ @@ -4105,8 +4105,13 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, } break; case DNS_R_DNAME: - policy = DNS_RPZ_POLICY_RECORD; - break; + /* + * DNAME policy RRs have very few if any uses that are not + * better served with simple wildcards. Making the work would + * require complications to get the number of labels matched + * in the name or the found name itself to the main DNS_R_DNAME + * case in query_find(). So fall through to treat them as NODATA. + */ case DNS_R_NXRRSET: policy = DNS_RPZ_POLICY_NODATA; break; diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 index 373ea0f95f..3ad35d27bb 100644 --- a/bin/tests/system/rpz/test1 +++ b/bin/tests/system/rpz/test1 @@ -12,13 +12,19 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test1,v 1.4 2011/01/13 19:30:41 each Exp $ +; $Id: test1,v 1.5 2011/06/09 03:10:17 marka Exp $ server 10.53.0.3 5300 +; NXDOMAIN update add a0-1.tld2.bl. 300 CNAME . -update add a3-1.tld2.bl. 300 CNAME *. + +; NODATA +update add a1-1.tld2.bl. 300 CNAME *. +; and no assert-botch +update add a1-2.tld2.bl. 300 DNAME example.com. + update add *.sub1.tld2.bl. 300 A 12.12.12.12 send 
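Review bot: The new `case DNS_R_DNAME:` arm in rpz_find carries no diagnostic, so a DNAME policy RR is still accepted when the policy zone loads and then silently rewrites every name beneath its owner to NODATA; an operator who wrote a DNAME rule expecting a DNAME rewrite gets no hint that it was downgraded, and the ARM text added in this same commit ("any type except DNAME") is documented rather than enforced. The block comment does say "fall through", but a lint-style marker immediately above the next label, `/* FALLTHROUGH */`, would make the intent visible to fallthrough checkers and to readers scanning the switch. Consider also emitting a one-time warning when this branch is taken, or rejecting DNAME records at policy-zone load, so the restriction is enforced in code; which logging helper the RPZ code uses for that is not visible in this hunk. The enclosing rpz_find begins and ends outside this hunk.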
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 0facc30dde..4c3e52c4c1 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $ +# $Id: tests.sh,v 1.6 2011/06/09 03:10:17 marka Exp $ # test response policy zones (RPZ) @@ -152,7 +152,9 @@ status=0 start_test "RPZ QNAME rewrites" test1 nxdomain a0-1.tld2 -nodata a3-1.tld2 +nodata a1-1.tld2 +nodata a1-2.tld2 +nodata sub.a1-2.tld2 a12 a4-1.sub1.tld2 end_test @@ -266,6 +268,7 @@ if [ $ret != 0 ]; then fi status=`expr $status + $ret` + if test "$status" -eq 0; then rm -f dig.out* fi diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index ae73065755..77ce23fde5 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -9317,8 +9317,8 @@ deny-answer-aliases { "example.net"; }; The rules encoded in a response policy zone (RPZ) are applied only to responses to queries that ask for recursion (RD=1). - RPZs are normal DNS zones containing largely valid RRsets - that can be queried normal if allowed. + RPZs are normal DNS zones containing RRsets + that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query {none; }; or allow-query { 127.0.0.1; };. @@ -9330,6 +9330,8 @@ deny-answer-aliases { "example.net"; }; records resolved in the process of generating the response. The owner name of a QNAME rule is the query name relativized to the RPZ. + The records in a rewrite rule are usually A, AAAA, or special + CNAMEs, but can be any type except DNAME. 
@@ -9429,6 +9431,7 @@ nodata.domain.com CNAME *. bad.domain.com A 10.0.0.1 AAAA 2001:2::1 ok.domain.com CNAME ok.domain.com. +*.badzone.domain.com CNAME garden.example.com. ; IP rules rewriting all answers for 127/8 except 127.0.0.1 8.0.0.0.127.ip CNAME .