From 4ef23ad0ffee3cc45b9e544d071cf00076e0bc1a Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 30 Apr 2024 11:14:42 +0200 Subject: [PATCH 1/2] RPZ response's SOA record is incorrectly set to 1 An RPZ response's SOA record TTL is set to 1 instead of the SOA TTL, a boolean value is passed on to query_addsoa, which is supposed to be a TTL value. I don't see what value is appropriate to be used for overriding, so we will pass UINT32_MAX. (cherry picked from commit 5d7e613e8103b81cf47a22c72310a38737fbe3c6) --- bin/tests/system/rpz/tests.sh | 6 +++--- lib/ns/query.c | 4 +--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 575cac4cd7..2404c9f4ba 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -838,13 +838,13 @@ grep NXDOMAIN dig.out.${t} >/dev/null || setret "failed" t=$((t + 1)) echo_i "checking that "add-soa no" at rpz zone level works (${t})" $DIG z.x.servfail -p ${PORT} @$ns7 >dig.out.${t} || setret "failed" -grep SOA dig.out.${t} >/dev/null && setret "failed" +grep "SOA" dig.out.${t} >/dev/null && setret "failed" if [ native = "$MODE" ]; then t=$((t + 1)) echo_i "checking that "add-soa yes" at response-policy level works (${t})" $DIG walled.tld2 -p ${PORT} +noall +add @$ns3 >dig.out.${t} || setret "failed" - grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" + grep "^manual-update-rpz\..*60.*SOA" dig.out.${t} >/dev/null || setret "failed" fi if [ native = "$MODE" ]; then @@ -862,7 +862,7 @@ if [ native = "$MODE" ]; then t=$((t + 1)) echo_i "checking that 'add-soa unset' works (${t})" $DIG walled.tld2 -p ${PORT} +noall +add @$ns8 >dig.out.${t} || setret "failed" - grep "^manual-update-rpz\..*SOA" dig.out.${t} >/dev/null || setret "failed" + grep "^manual-update-rpz\..*60.*SOA" dig.out.${t} >/dev/null || setret "failed" fi # dnsrps does not allow NS RRs in policy zones, so this check 
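Review bot: The new assertion `grep "^manual-update-rpz\..*60.*SOA"` in the add-soa-yes check accepts any "60" anywhere before SOA on the line, so a TTL of 3600 or 160 would still pass and the test no longer separates the fixed value from a different wrong one. Anchor the TTL field instead, e.g. `grep -E "^manual-update-rpz\.[[:space:]]+60[[:space:]]+IN[[:space:]]+SOA" dig.out.${t} >/dev/null || setret "failed"`, which pins the column dig prints between owner name and class. The expected 60 presumably comes from the policy zone fixture's SOA TTL, which is not visible here; a one-line comment naming that source next to the check would keep the two in step. The quoting change on the add-soa-no line (`grep "SOA"`) is a no-op and could be dropped to keep the diff to the fix.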
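Review bot: The 'add-soa unset' check repeats the same `^manual-update-rpz\..*60.*SOA` pattern as the add-soa-yes check earlier in the file, including the loose `.*60.*` that would also match a TTL of 3600 or 160, and the two copies will drift independently when the fixture TTL changes. Setting the expected value once, e.g. `rpz_soa_ttl=60`, and using it in both greps would make the literal self-documenting and keep the checks consistent. This check also pins that an unset add-soa still yields a SOA record on ns8, i.e. it asserts the default is on; a short comment above the echo_i saying so would make that intent explicit rather than implicit in the grep.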
diff --git a/lib/ns/query.c b/lib/ns/query.c index 537d332a56..37b0d0ab0d 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -7359,9 +7359,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) { * Add SOA record to additional section */ if (qctx->rpz_st->m.rpz->addsoa) { - bool override_ttl = - dns_rdataset_isassociated(qctx->rdataset); - rresult = query_addsoa(qctx, override_ttl, + rresult = query_addsoa(qctx, UINT32_MAX, DNS_SECTION_ADDITIONAL); if (rresult != ISC_R_SUCCESS) { QUERY_ERROR(qctx, result); From 7c8ae66f9e3a5351145adb3f9109927d5dd7a193 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 30 Apr 2024 11:21:59 +0200 Subject: [PATCH 2/2] Add release note and CHANGES for #3323 (cherry picked from commit 2726b569b1042a4fe2a7dde1a4fdd0af21ed8e6b) --- CHANGES | 3 +++ doc/notes/notes-current.rst | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 3a8ce8bbe7..be5a479ac8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6382. [bug] Fix RPZ response's SOA record TTL, which was incorrectly + set to 1 if 'add-soa' is used. [GL #3323] + 6374. [bug] Skip to next RRSIG if signature has expired or is in the future rather than failing immediately. [GL #4586] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 059d4cf0c0..e42d192fba 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -35,7 +35,8 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- None. +- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if + ``add-soa`` was used. This has been fixed. :gl:`#3323` Known Issues ~~~~~~~~~~~~
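Review bot: The bare `UINT32_MAX` at the `query_addsoa` call carries no explanation, and the commit message itself says the author is unsure what value is appropriate, so the next reader of query_checkrpz will have the same doubt. If query_addsoa treats UINT32_MAX as "do not override the SOA TTL" (its body is outside this hunk, so confirm), say so at the call site: `/* UINT32_MAX: keep the policy zone's SOA TTL, no override */`. The removed lines show how the bug arose, a `bool` silently promoted to the unsigned TTL parameter, so a named sentinel shared by query_addsoa's callers would prevent the same implicit conversion from recurring. Note that this SOA goes into the additional section of a policy-rewritten answer, so downstream caches presumably now see the policy zone's own SOA TTL instead of 1; that looks intended but is an observable change worth a line in the release note. query_checkrpz begins and ends outside this hunk.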