From 9fa2a0deed3b880f3bf04d4f615c13a0d67cc0ce Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 21 Sep 2013 17:27:43 +1000
Subject: [PATCH] 3652. [bug] Address bug with rpz-drop policy. [RT #34816]
---
 CHANGES | 2 ++
 bin/named/query.c | 6 +++++-
 bin/tests/system/rpz/tests.sh | 4 ++--
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index d1d6752790..f3844adb47 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3652. [bug] Address bug with rpz-drop policy. [RT #34816]
+
 3651. [tuning] Adjust when a master server is deemed unreachable. [RT #27075]
diff --git a/bin/named/query.c b/bin/named/query.c
index 3d2dad50ea..eec7890351 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6489,7 +6489,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 case DNS_RPZ_POLICY_DROP:
 result = ISC_R_SUCCESS;
 QUERY_ERROR(DNS_R_DROP);
- break;
+ rpz_log_rewrite(client, ISC_FALSE,
+ rpz_st->m.policy,
+ rpz_st->m.type, zone,
+ rpz_st->p_name);
+ goto cleanup;
 case DNS_RPZ_POLICY_NXDOMAIN:
 result = DNS_R_NXDOMAIN;
 break;
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 7f8a18d078..85017723f3 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -325,7 +325,7 @@ nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain
 nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain
 nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record
 nxdomain a0-1.tld2s srv +nodnssec # 31
-drop a3-8.tld2 # 32 drop
+drop a3-8.tld2 any # 32 drop
 nochange tcp a3-9.tld2 # 33 tcp-only
 here x.servfail <<'EOF' # 34 qname-wait-recurse yes
 ;; status: SERVFAIL, x
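Review bot: The `DNS_RPZ_POLICY_DROP` case in `query_find` now exits through `goto cleanup` while the neighbouring policy cases still `break`, and nothing in the hunk explains the difference. The jump bypasses whatever follows the switch, which is presumably why `rpz_log_rewrite(...)` is repeated here. A short comment would stop a later tidy-up from restoring the `break`, for example `/* Drop: send no answer; log here because the code after the switch is skipped. */`. The `result = ISC_R_SUCCESS;` assignment also looks dead once the case jumps out, unless the cleanup path reads `result`. Neither point can be confirmed from the hunk alone, because `query_find` starts and ends outside it.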
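Review bot: Case 32 here, and case 18 in the `@@ -461,7 +461,7 @@` hunk, are edited in place from a default query to `any`, so the suite no longer checks rpz-drop for an ordinary query (assuming the second argument of `drop` is the query type). Because the drop policy is an enforcement control, both paths deserve a regression check: keep `drop a3-8.tld2` and add `drop a3-8.tld2 any` beside it, and likewise for `a3-18.tld2`. If cases are added, the `ckstats $ns3 test5 ns3 12` expectation after `end_group` and the numbered comments may need adjusting; the `drop` helper and the counter logic are outside these hunks.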
@@ -461,7 +461,7 @@ addr 59.59.59.59 a3-9.sub9.tld2 # 14 bl_wildcname
 addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2
 addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100
 addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90
-drop a3-18.tld2 # 18 bl-drop
+drop a3-18.tld2 any # 18 bl-drop
 nxdomain TCP a3-19.tld2 # 19 bl-tcp-only
 end_group
 ckstats $ns3 test5 ns3 12