diff --git a/CHANGES b/CHANGES index 8a2612c748..f04dc4445c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4311. [bug] Prevent "rndc delzone" from being used on + response-policy zones. [RT #41593] + 4310. [performance] Use __builtin_expect() where available to annotate conditions with known behavior. [RT #41411] diff --git a/bin/named/server.c b/bin/named/server.c index 35c0aafa89..ba327dd62e 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -9214,7 +9214,7 @@ inuse(const char* file, isc_boolean_t first, isc_buffer_t *text) { */ isc_result_t ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) { - isc_result_t result; + isc_result_t result, tresult; dns_zone_t *zone = NULL; dns_zone_t *raw = NULL; dns_zone_t *mayberaw; @@ -9247,10 +9247,6 @@ ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) { goto cleanup; } - result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - exclusive = ISC_TRUE; - /* * Was this zone originally added at runtime? * If not, we can't delete it now. @@ -9260,8 +9256,22 @@ ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) { goto cleanup; } + /* Is this a policy zone? */ + if (dns_zone_get_rpz_num(zone) != DNS_RPZ_INVALID_NUM) { + TCHECK(putstr(text, "zone '")); + TCHECK(putstr(text, zonename)); + TCHECK(putstr(text, + "' cannot be deleted: response-policy zone.")); + result = ISC_R_FAILURE; + goto cleanup; + } + znamelen = strlen(zonename); + result = isc_task_beginexclusive(server->task); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + exclusive = ISC_TRUE; + /* Dig out configuration for this zone */ view = dns_zone_getview(zone); filename = view->new_zone_file; @@ -9392,8 +9402,6 @@ ns_server_del_zone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t *text) { dns_zone_getraw(zone, &raw); mayberaw = (raw != NULL) ? raw : zone; if (cleanup) { - isc_result_t tresult; - file = dns_zone_getfile(mayberaw); if (isc_file_exists(file)) isc_file_remove(file); diff --git a/bin/tests/system/addzone/ns2/named2.conf b/bin/tests/system/addzone/ns2/named2.conf index 2669aa0856..6d52f14f1d 100644 --- a/bin/tests/system/addzone/ns2/named2.conf +++ b/bin/tests/system/addzone/ns2/named2.conf @@ -14,8 +14,6 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named2.conf,v 1.5 2011/06/17 23:47:49 tbox Exp $ */ - controls { /* empty */ }; include "../../common/controls.conf"; @@ -33,10 +31,17 @@ view internal { allow-new-zones no; recursion yes; + response-policy { zone "policy"; }; + zone "." { type hint; file "../../common/root.hint"; }; + + zone "policy" { + type master; + file "normal.db"; + }; }; view external { @@ -54,9 +59,9 @@ view external { acl match { none; }; acl nobody { none; }; view extra { - match-clients { match; }; - allow-new-zones yes; - allow-transfer { nobody; }; - allow-query { nobody; }; - allow-recursion { nobody; }; + match-clients { match; }; + allow-new-zones yes; + allow-transfer { nobody; }; + allow-query { nobody; }; + allow-recursion { nobody; }; }; diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh index dd09cccafa..791cff331f 100755 --- a/bin/tests/system/addzone/tests.sh +++ b/bin/tests/system/addzone/tests.sh @@ -14,8 +14,6 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.6 2011/06/17 23:47:49 tbox Exp $ - SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -303,6 +301,13 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:attempting to delete a policy zone ($n)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone 'policy in internal' 2>&1 | grep 'cannot be deleted' > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:ensure the configuration context is cleaned up correctly ($n)" ret=0 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 || ret=1