when a response-policy zone expires, unload its polices from RPZ summary

2026-05-28 04:34:54 -04:00 · 2019-08-29 19:30:57 -07:00 · 2019-08-29 19:30:57 -07:00 · 7ba6d592ec
commit 7ba6d592ec
parent ccee7907e4
8 changed files with 90 additions and 2 deletions
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@ -29,9 +29,9 @@ fi
 # remove those files first, then decide whether to remove the others.
 rm -f ns*/*.key ns*/*.private
 rm -f ns2/tld2s.db ns2/bl.tld2.db
-rm -f ns3/bl*.db ns*/empty.db
+rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
 rm -f ns3/manual-update-rpz.db
-rm -f ns5/example.db ns5/bl.db
+rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
 rm -f ns8/manual-update-rpz.db
 rm -f */policy2.db
 rm -f */*.jnl
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@ -28,8 +28,11 @@ options {
 	minimal-responses no;
 	recursion yes;
 	dnssec-validation yes;
+	min-refresh-time 1;
+	min-retry-time 1;

 	response-policy {
+	    zone "fast-expire";
 	    zone "bl"					max-policy-ttl 100;
 	    zone "bl-2";
 	    zone "bl-given"	policy given		recursive-only yes;
@ -110,3 +113,10 @@ zone "manual-update-rpz." {
 	file "manual-update-rpz.db";
 	notify no;
 };
+
+zone "fast-expire." {
+	type secondary;
+	file "fast-expire.db";
+	masters { 10.53.0.5; };
+	notify no;
+};
--- a/bin/tests/system/rpz/ns5/expire.conf.in
+++ b/bin/tests/system/rpz/ns5/expire.conf.in
@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "fast-expire." {
+	type master;
+	file "fast-expire.db";
+	allow-transfer { any; };
+	notify no;
+};
--- a/bin/tests/system/rpz/ns5/fast-expire.db.in
+++ b/bin/tests/system/rpz/ns5/fast-expire.db.in
@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@					SOA	fast-expire. hostmaster (
+						1 3 1 5 60
+						)
+					NS	ns.tld3.
+
+expired.fast-expire.		        A	10.0.0.10
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@ -86,3 +86,5 @@ zone "policy2" {
 	allow-update { any; };
 	allow-transfer { any; };
 };
+
+include "expire.conf";
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@ -74,6 +74,10 @@ done
 cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
 cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db

+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
 # $1=directory
 # $2=domain name
 # $3=input zone file
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -759,6 +759,11 @@ EOF
    done
  fi

+  # reconfigure the ns5 master server without the fast-exire zone, so
+  # it can't be refreshed on ns3, and will expire in 5 seconds.
+  cat /dev/null > ns5/expire.conf
+  rndc_reconfig ns5 10.53.0.5
+
  # restart the main test RPZ server to see if that creates a core file
  if test -z "$HAVE_CORE"; then
    $PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
@ -854,6 +859,12 @@ EOF
    echo_i "checking rpz with delegation fails correctly (${t})"
    $DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t
    grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
+
+    t=`expr $t + 1`
+    echo_i "checking policies from expired zone are no longer in effect ($t)"
+    $DIG -p ${PORT} @$ns3 a expired > dig.out.$t
+    grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
+    grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
  fi

  # RPZ 'CNAME *.' (NODATA) trumps DNS64.  Test against various DNS64 senarios.
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -10573,6 +10573,8 @@ dns_zone_expire(dns_zone_t *zone) {

 static void
 zone_expire(dns_zone_t *zone) {
+	dns_db_t *db = NULL;
+
 	/*
 	 * 'zone' locked by caller.
 	 */
@ -10585,6 +10587,32 @@ zone_expire(dns_zone_t *zone) {
 	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
 	zone->retry = DNS_ZONE_DEFAULTRETRY;
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+	/*
+	 * An RPZ zone has expired; before unloading it, we must
+	 * first remove it from the RPZ summary database. The
+	 * easiest way to do this is "update" it with an empty
+	 * database so that the update callback synchonizes
+	 * the diff automatically.
+	 */
+	if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
+		isc_result_t result;
+		dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
+
+		CHECK(dns_db_create(zone->mctx, "rbt", &zone->origin,
+				    dns_dbtype_zone, zone->rdclass,
+				    0, NULL, &db));
+		CHECK(dns_rpz_dbupdate_callback(db, rpz));
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "response-policy zone expired; "
+			     "policies unloaded");
+	}
+
+ failure:
+	if (db != NULL) {
+		dns_db_detach(&db);
+	}
+
 	zone_unload(zone);
 }