diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
index bd21c9607c..5325dd6fb8 100644
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -29,9 +29,9 @@ fi
# remove those files first, then decide whether to remove the others.
rm -f ns*/*.key ns*/*.private
rm -f ns2/tld2s.db ns2/bl.tld2.db
-rm -f ns3/bl*.db ns*/empty.db
+rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db
rm -f ns3/manual-update-rpz.db
-rm -f ns5/example.db ns5/bl.db
+rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
rm -f ns8/manual-update-rpz.db
rm -f */policy2.db
rm -f */*.jnl
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index 8e6e1456da..eec06baeb6 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -28,8 +28,11 @@ options {
minimal-responses no;
recursion yes;
dnssec-validation yes;
+ min-refresh-time 1;
+ min-retry-time 1;
response-policy {
+ zone "fast-expire";
zone "bl" max-policy-ttl 100;
zone "bl-2";
zone "bl-given" policy given recursive-only yes;
@@ -110,3 +113,10 @@ zone "manual-update-rpz." {
file "manual-update-rpz.db";
notify no;
};
+
+zone "fast-expire." {
+ type secondary;
+ file "fast-expire.db";
+ masters { 10.53.0.5; };
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns5/expire.conf.in b/bin/tests/system/rpz/ns5/expire.conf.in
new file mode 100644
index 0000000000..305d46e27c
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/expire.conf.in
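Review bot: `min-refresh-time 1;` and `min-retry-time 1;` are added under `options`, so they lower the clamp for every secondary zone ns3 serves, not only the new fast-expire zone; a comment stating the intent would stop a later reader from tightening them back. Something like `// let the fast-expire test zone refresh and retry every second` above the two lines would do. Whether any other ns3 secondary has SOA timers small enough to be affected is not visible in this hunk.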
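Review bot: The new `zone "fast-expire."` stanza pairs `type secondary;` with `masters { 10.53.0.5; };`, while its primary in ns5/expire.conf.in is declared `type master;`, so the two halves of the same test zone use different vocabularies. If this tree already accepts `type primary` and `primaries`, using them in both files keeps the pair consistent; otherwise `type slave;` here matches the rest of the test configuration. This is only a style point; the stanza itself looks right for the test.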
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "fast-expire." {
+ type master;
+ file "fast-expire.db";
+ allow-transfer { any; };
+ notify no;
+};
diff --git a/bin/tests/system/rpz/ns5/fast-expire.db.in b/bin/tests/system/rpz/ns5/fast-expire.db.in
new file mode 100644
index 0000000000..d9afbde5d5
--- /dev/null
+++ b/bin/tests/system/rpz/ns5/fast-expire.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA fast-expire. hostmaster (
+ 1 3 1 5 60
+ )
+ NS ns.tld3.
+
+expired.fast-expire. A 10.0.0.10
diff --git a/bin/tests/system/rpz/ns5/named.conf.in b/bin/tests/system/rpz/ns5/named.conf.in
index 00d0725293..5bc624acf1 100644
--- a/bin/tests/system/rpz/ns5/named.conf.in
+++ b/bin/tests/system/rpz/ns5/named.conf.in
@@ -86,3 +86,5 @@ zone "policy2" {
allow-update { any; };
allow-transfer { any; };
};
+
+include "expire.conf";
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index bd843a67c6..f0949880a7 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -74,6 +74,10 @@ done
cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
+# a zone that expires quickly and then can't be refreshed
+cp ns5/fast-expire.db.in ns5/fast-expire.db
+cp ns5/expire.conf.in ns5/expire.conf
+
# $1=directory
# $2=domain name
# $3=input zone file
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index a85d5dfe1a..255779f785 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -759,6 +759,11 @@ EOF
done
fi
+ # reconfigure the ns5 master server without the fast-exire zone, so
+ # it can't be refreshed on ns3, and will expire in 5 seconds.
+ cat /dev/null > ns5/expire.conf
+ rndc_reconfig ns5 10.53.0.5
+
# restart the main test RPZ server to see if that creates a core file
if test -z "$HAVE_CORE"; then
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} rpz ns3
@@ -854,6 +859,12 @@ EOF
echo_i "checking rpz with delegation fails correctly (${t})"
$DIG -p ${PORT} @$ns3 ns example.com > dig.out.$t
grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
+
+ t=`expr $t + 1`
+ echo_i "checking policies from expired zone are no longer in effect ($t)"
+ $DIG -p ${PORT} @$ns3 a expired > dig.out.$t
+ grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
+ grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
fi
# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 senarios.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 93a64130bc..24430e610a 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -10573,6 +10573,8 @@ dns_zone_expire(dns_zone_t *zone) {
static void
zone_expire(dns_zone_t *zone) {
+ dns_db_t *db = NULL;
+
/*
* 'zone' locked by caller.
*/
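Review bot: The comment on the first added line of the tests.sh hunk misspells the zone name as `fast-exire`; since the zone name is what a reader will grep for, it should read `# reconfigure the ns5 master server without the fast-expire zone, so`. It would also help to say where the 5 seconds comes from, for example `# (the SOA expire value in ns5/fast-expire.db.in is 5s)`, so the timing assumption the later check depends on is traceable from here.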
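Review bot: The new check in the second tests.sh hunk never waits for the expiry; it assumes the steps between the ns5 reconfigure earlier in the script and this point took longer than the zone's 5-second SOA expire, so on a fast run the `fast-expire/IN: response-policy zone expired` grep on ns3/named.run can fail intermittently. The negative grep on dig.out.$t also passes when dig produced no answer at all (timeout, SERVFAIL), so a positive status check is needed for the test to prove anything; presumably `status: NXDOMAIN` once the rewrite is gone, but confirm that against the expected answer. A bounded retry around the log grep before the query, plus the positive status check, closes both gaps.
```shell
	t=`expr $t + 1`
	echo_i "checking policies from expired zone are no longer in effect ($t)"
	# give ns3 time to pass the zone's 5s SOA expire before querying
	for i in 1 2 3 4 5 6 7 8 9 10; do
		grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null && break
		sleep 1
	done
	grep "fast-expire/IN: response-policy zone expired" ns3/named.run > /dev/null || setret "failed"
	$DIG -p ${PORT} @$ns3 a expired > dig.out.$t
	grep "expired.*10.0.0.10" dig.out.$t > /dev/null && setret "failed"
	grep "status: NXDOMAIN" dig.out.$t > /dev/null || setret "failed"   # TODO confirm expected status
```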
@@ -10585,6 +10587,32 @@ zone_expire(dns_zone_t *zone) {
zone->refresh = DNS_ZONE_DEFAULTREFRESH;
zone->retry = DNS_ZONE_DEFAULTRETRY;
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+ /*
+ * An RPZ zone has expired; before unloading it, we must
+ * first remove it from the RPZ summary database. The
+ * easiest way to do this is "update" it with an empty
+ * database so that the update callback synchonizes
+ * the diff automatically.
+ */
+ if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
+ isc_result_t result;
+ dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];
+
+ CHECK(dns_db_create(zone->mctx, "rbt", &zone->origin,
+ dns_dbtype_zone, zone->rdclass,
+ 0, NULL, &db));
+ CHECK(dns_rpz_dbupdate_callback(db, rpz));
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "response-policy zone expired; "
+ "policies unloaded");
+ }
+
+ failure:
+ if (db != NULL) {
+ dns_db_detach(&db);
+ }
+
zone_unload(zone);
}
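Review bot: When either `CHECK()` in the new block fails, control jumps to `failure:` and the zone is unloaded with its stale policies still in the RPZ summary database, and nothing is logged, because `result` is scoped to the `if` block and the only log call sits on the success path. Declaring `isc_result_t result = ISC_R_SUCCESS;` next to the `dns_db_t *db = NULL;` added in the preceding hunk and logging the failure at the label makes the stale-policy case visible to an operator instead of silent. The comment above the block also has a typo, `synchonizes` → `synchronizes`. zone_expire begins outside this hunk, so the surrounding declarations are not visible here.
```c
	if (zone->rpzs != NULL && zone->rpz_num != DNS_RPZ_INVALID_NUM) {
		dns_rpz_zone_t *rpz = zone->rpzs->zones[zone->rpz_num];

		/* … unchanged: dns_db_create / dns_rpz_dbupdate_callback CHECKs and the warning log … */
	}

failure:
	if (result != ISC_R_SUCCESS) {
		dns_zone_log(zone, ISC_LOG_ERROR,
			     "response-policy zone expired but its policies "
			     "could not be unloaded: %s",
			     isc_result_totext(result));
	}
	if (db != NULL) {
		dns_db_detach(&db);
	}
	/* … unchanged: zone_unload(zone) … */
```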