Merge branch '3323-different-rpz-soa-ttl-9.18' into 'bind-9.18'

[9.18] RPZ response's SOA record is incorrectly set to 1 See merge request isc-projects/bind9!9008
2026-05-28 04:34:54 -04:00 · 2024-05-06 11:25:01 +00:00 · 2024-05-06 11:25:01 +00:00 · 6f5e423814
commit 6f5e423814
parent 7ed19b1e1e 7c8ae66f9e
4 changed files with 9 additions and 7 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6382.	[bug]		Fix RPZ response's SOA record TTL, which was incorrectly
+			set to 1 if 'add-soa' is used. [GL #3323]
+
 6374.	[bug]		Skip to next RRSIG if signature has expired or is in
 			the future rather than failing immediately. [GL #4586]

--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -838,13 +838,13 @@ grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed"
 t=$((t + 1))
 echo_i "checking that "add-soa no" at rpz zone level works (${t})"
 $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed"
-grep SOA dig.out.${t} >/dev/null && setret "failed"
+grep "SOA" dig.out.${t} >/dev/null && setret "failed"

 if [ native = "$MODE" ]; then
  t=$((t + 1))
  echo_i "checking that "add-soa yes" at response-policy level works (${t})"
  $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed"
-  grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
+  grep "^manual-update-rpz\..*60.*SOA" dig.out.${t} >/dev/null || setret "failed"
 fi

 if [ native = "$MODE" ]; then
@ -862,7 +862,7 @@ if [ native = "$MODE" ]; then
  t=$((t + 1))
  echo_i "checking that 'add-soa unset' works (${t})"
  $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed"
-  grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed"
+  grep "^manual-update-rpz\..*60.*SOA" dig.out.${t} >/dev/null || setret "failed"
 fi

 # dnsrps does not allow NS RRs in policy zones, so this check
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -35,7 +35,8 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~

- None.
+- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if
+  ``add-soa`` was used. This has been fixed. :gl:`#3323`

 Known Issues
 ~~~~~~~~~~~~
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -7359,9 +7359,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 		 * Add SOA record to additional section
 		 */
 		if (qctx->rpz_st->m.rpz->addsoa) {
-			bool override_ttl =
-				dns_rdataset_isassociated(qctx->rdataset);
-			rresult = query_addsoa(qctx, override_ttl,
+			rresult = query_addsoa(qctx, UINT32_MAX,
 					       DNS_SECTION_ADDITIONAL);
 			if (rresult != ISC_R_SUCCESS) {
 				QUERY_ERROR(qctx, result);