From 2d48cb33e33c2c424ccb13ca6fd418d000e3af70 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 26 Feb 2025 13:32:20 +0000
Subject: [PATCH 1/2] Fix TTL issue with ANY queries processed through RPZ "passthru"

Answers to an "ANY" query which are processed by the RPZ "passthru" policy have the response-policy's 'max-policy-ttl' value unexpectedly applied. Do not change the records' TTL when RPZ uses a policy which does not alter the answer. (cherry picked from commit 5633dc90d3f4d3e2bd4d461e07fcd8d611843e7f)
---
 lib/ns/query.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index e0fb69e4d8..9e44554d8f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -8005,7 +8005,10 @@ query_respond_any(query_ctx_t *qctx) {
 	}
 
 	qctx->rpz_st = qctx->client->query.rpz_st;
-	if (qctx->rpz_st != NULL) {
+	if (qctx->rpz_st != NULL &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
+	    qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU)
+	{
 		qctx->rdataset->ttl = ISC_MIN(qctx->rdataset->ttl,
 					      qctx->rpz_st->m.ttl);
 

From 533d8c099da7276f92dd7ea5cb811b22d2ea8010 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 26 Feb 2025 13:37:57 +0000
Subject: [PATCH 2/2] Test that RPZ "passthru" doesn't alter the answer's TTL with ANY queries

Expand the test_rpz_passthru_logging() check in the "rpzextra" system test to check the answer's TTL values with ANY type queries. (cherry picked from commit 98ff3a4432172b1c5c869969f122b6204c2eb7ee)
---
 bin/tests/system/rpzextra/tests_rpzextra.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/bin/tests/system/rpzextra/tests_rpzextra.py b/bin/tests/system/rpzextra/tests_rpzextra.py
index 359b7aab43..33b6d1529d 100644
--- a/bin/tests/system/rpzextra/tests_rpzextra.py
+++ b/bin/tests/system/rpzextra/tests_rpzextra.py
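Review bot: The widened guard lists the two policies that leave the answer untouched but says nothing about why the cap is skipped for them, so the next reader cannot tell whether a further non-rewriting policy belongs in the list; a comment above the `if` would carry the commit message's reasoning into the code: `/* Cap the TTL with max-policy-ttl only when RPZ actually rewrote the answer; a miss or "passthru" must keep the original TTL. */`. If query.c records elsewhere whether the response was rewritten rather than which policy matched, keying the cap on that state would be more robust than enumerating exceptions here, but that is not visible in this hunk. The body of query_respond_any begins and ends outside the hunk.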
@@ -102,6 +102,23 @@ def test_rpz_passthru_logging():
         dns.rrset.from_text("allowed.", 300, "IN", "A", "10.53.0.2")
     ]
 
+    # Should also generate a log entry into rpz_passthru.txt
+    msg_allowed_any = dns.message.make_query("allowed.", "ANY")
+    res_allowed_any = isctest.query.udp(
+        msg_allowed_any,
+        resolver_ip,
+        source="10.53.0.1",
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    assert res_allowed_any.answer == [
+        dns.rrset.from_text("allowed.", 300, "IN", "NS", "ns1.allowed."),
+        dns.rrset.from_text("allowed.", 300, "IN", "A", "10.53.0.2"),
+    ]
+    # The comparison above doesn't compare the TTL values, and we want to
+    # make sure that the "passthru" rpz doesn't cap the TTL with max-policy-ttl.
+    assert res_allowed_any.answer[0].ttl > 200
+    assert res_allowed_any.answer[1].ttl > 200
+
     # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
     # Should generate a log entry into rpz.txt
     msg_not_allowed = dns.message.make_query("baddomain.", "A")
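Review bot: The `> 200` bound on the two TTL asserts is a bare number; the comment says what is checked but not why 200 rather than the 300 the expected rrsets are built with, which presumably is that the resolver may already serve a cached, decremented copy while 200 still sits above the configured max-policy-ttl — worth stating, e.g. `# Cached answers may have ticked down from 300; 200 is still above the max-policy-ttl set in this test's resolver configuration`. The two asserts could also be one loop, `for rrset in res_allowed_any.answer: assert rrset.ttl > 200`, so any additional record in the answer is checked rather than silently skipped. test_rpz_passthru_logging starts before the hunk and continues after it.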