From a4f05a26ad923de94d9311b631122f6de18e7f5e Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 4 May 2026 22:27:56 +0000 Subject: [PATCH 1/2] Add a catz test with invalid allow-transfer property Check that invalid/unexpected RRtypes coexisting with a valid APL RRtype does not cause an assertion failure. --- bin/tests/system/catz/tests.sh | 50 ++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index d82f7d02de..6988c17998 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -2761,6 +2761,56 @@ wait_for_soa @10.53.0.4 check-allow-query.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +########################################################################## +# GL #5941 + +nextpart ns4/named.run >/dev/null + +n=$((n + 1)) +echo_i "Add a normal and a spurious allow-transfer RRs to catalog-misc zone using nsupdate ($n)" +ret=0 +# It is important to include an RRtype with a numeric representation that is +# less than APL. E.g., AFSDB is 18 which is less than APL's 42. Also including +# the AMTRELAY RRtype (260) which is bigger than APL, just for completeness. +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update add allow-transfer.ext.catalog-misc.example. 3600 IN AFSDB 0 hostname + update add allow-transfer.ext.catalog-misc.example. 3600 IN APL 1:10.53.0.0/24 + update add allow-transfer.ext.catalog-misc.example. 3600 IN AMTRELAY 0 0 0 . + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +nextpart ns4/named.run >/dev/null + +n=$((n + 1)) +echo_i "Deleting the allow-query RRs from catalog-misc zone ($n)" +ret=0 +$NSUPDATE -d <>nsupdate.out.test$n 2>&1 || ret=1 + server 10.53.0.1 ${PORT} + update delete allow-transfer.ext.catalog-misc.example. 3600 IN AFSDB 0 hostname + update delete allow-transfer.ext.catalog-misc.example. 3600 IN APL 1:10.53.0.0/24 + update delete allow-transfer.ext.catalog-misc.example. 3600 IN AMTRELAY 0 0 0 . + send +END +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "waiting for secondary to sync up ($n)" +ret=0 +wait_for_message ns4/named.run "catz: catalog-misc.example: reload done: success" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + ########################################################################## # GL #5658 From 67e0090371b4bd4c8933b8644f68a3dbc592a214 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 4 May 2026 22:34:01 +0000 Subject: [PATCH 2/2] Fix a bug in catz_process_apl() The allow-transfer/allow-query catalog zone custom properties support only APL RRtypes. All other types are correctly rejected by the catz_process_apl() function. However, when an APL RRtype is processed by that function, and another (non-APL) RRtype is then attempted to be processed, there is an assertion failure happening in the prologue of the function because `*aclbp != NULL` (i.e. an APL has been already processed). Move the code to do type checking before the affected REQUIRE assertion. --- lib/dns/catz.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 9fa335343e..73997fb521 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -1523,6 +1523,17 @@ catz_process_primaries(dns_catz_zone_t *catz, dns_ipkeylist_t *ipkl, static isc_result_t catz_process_apl(dns_catz_zone_t *catz, isc_buffer_t **aclbp, dns_rdataset_t *value) { + REQUIRE(DNS_RDATASET_VALID(value)); + REQUIRE(dns_rdataset_isassociated(value)); + + if (value->type != dns_rdatatype_apl) { + return ISC_R_FAILURE; + } + + REQUIRE(DNS_CATZ_ZONE_VALID(catz)); + REQUIRE(aclbp != NULL); + REQUIRE(*aclbp == NULL); + isc_result_t result = ISC_R_SUCCESS; dns_rdata_t rdata; dns_rdata_in_apl_t rdata_apl; @@ -1531,16 +1542,6 @@ catz_process_apl(dns_catz_zone_t *catz, isc_buffer_t **aclbp, isc_buffer_t *aclb = NULL; unsigned char buf[256]; /* larger than INET6_ADDRSTRLEN */ - REQUIRE(DNS_CATZ_ZONE_VALID(catz)); - REQUIRE(aclbp != NULL); - REQUIRE(*aclbp == NULL); - REQUIRE(DNS_RDATASET_VALID(value)); - REQUIRE(dns_rdataset_isassociated(value)); - - if (value->type != dns_rdatatype_apl) { - return ISC_R_FAILURE; - } - if (dns_rdataset_count(value) > 1) { isc_log_write(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_CATZ, ISC_LOG_WARNING,