3627. [bug] RPZ changes were not effective on slaves. [RT #34450]

(cherry picked from commit 333f320a62d78e79fa54e7bcc389073a109618f7)

CHANGES

@@ -1,3 +1,5 @@
+3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
+
 3625.	[bug]		Don't send notify messages to machines outside of the
 			test setup.
 

bin/tests/system/rpz/clean.sh

@@ -19,7 +19,7 @@
 # Clean up after rpz tests.
 
 rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
-rm -f ns*/*.key ns*/*.private ns2/tld2s.db
+rm -f ns*/*.key ns*/*.private ns2/tld2s.db ns2/bl.tld2.db
 rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
 rm -f */named.memstats */named.run */named.stats */session.key
 rm -f */*.jnl */*.core */*.pid

bin/tests/system/rpz/ns2/bl.tld2.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
+
+32.1.7.168.192.rpz-ip	 CNAME	.

bin/tests/system/rpz/ns2/blv2.tld2.db.in

@@ -0,0 +1,26 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 2 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3

bin/tests/system/rpz/ns2/blv3.tld2.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL	3600
+@		SOA	rpz.tld2.  hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+		NS	ns2
+		NS	ns3
+ns2		A	10.53.0.2
+ns3		A	10.53.0.3
+
+32.1.7.168.192.rpz-ip	 CNAME	.

bin/tests/system/rpz/ns2/named.conf

@@ -32,6 +32,14 @@ options {
 	notify no;
 };
 
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-sha256;
+};
+controls {
+        inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
 include "../trusted.conf";
 zone "." { type hint; file "hints"; };
 
@@ -44,3 +52,5 @@ zone "sub3.tld2."	    {type master; file "tld2.db";};
 zone "subsub.sub3.tld2."    {type master; file "tld2.db";};
 
 zone "tld2s."		    {type master; file "tld2s.db";};
+
+zone "bl.tld2."		    {type master; file "bl.tld2.db"; notify yes; notify-delay 1;};

bin/tests/system/rpz/ns2/tld2.db

@@ -121,3 +121,6 @@ a6-1		A	192.168.6.1
 		TXT	"a6-1 tld2 text"
 a6-2		A	192.168.6.2
 		TXT	"a6-2 tld2 text"
+
+a7-1		A	192.168.7.1
+		TXT	"a7-1 tld2 text"

bin/tests/system/rpz/ns3/named.conf

@@ -46,6 +46,7 @@ options {
 	    zone "bl-cname"	policy cname txt-only.tld2.;
 	    zone "bl-wildcname"	policy cname *.tld4.;
 	    zone "bl-garden"	policy cname a12.tld2.;
+	    zone "bl.tld2";
 	} min-ns-dots 0;
 };
 
@@ -84,5 +85,8 @@ zone "bl-wildcname."	{type master; file "bl-wildcname.db";
 zone "bl-garden."	{type master; file "bl-garden.db";
 				allow-update {any;};};
 
+zone "bl.tld2."		{type slave; file "bl.tld2.db"; masters {10.53.0.2;};
+				request-ixfr no; masterfile-format text;};
+
 zone "crash1.tld2"	{type master; file "crash1";};
 zone "crash2.tld3."	{type master; file "crash2";};

bin/tests/system/rpz/setup.sh

@@ -110,3 +110,5 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
 	printf("host-%05d.example.tld5 A\n", $val);
 	$val = ($val * 9 + 32771) % 65536;
 	}' >ns5/requests
+
+cp ns2/bl.tld2.db.in ns2/bl.tld2.db

bin/tests/system/rpz/tests.sh

@@ -57,11 +57,13 @@ comment () {
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
 
 digcmd () {
-    digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*"
-    expr "$digcmd_args" : '.*@' >/dev/null || \
-	digcmd_args="$digcmd_args @$ns3"
-    expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \
-	digcmd_args="+noauth $digcmd_args"
+    # Default to +noauth and @$ns3
+    # Also default to -bX where X is the @value so that OS X will choose
+    #      the right IP source address.
+    digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" |   \
+	   sed -e "/@/!s/.*/& @$ns3/"                          \
+	       -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/'                \
+	       -e '/+n?o?auth/!s/.*/+noauth &/'`
     #echo I:dig $digcmd_args 1>&2
     $DIG $digcmd_args
 }
@@ -135,6 +137,7 @@ ckalive () {
 
 # check that statistics for $1 in $2 = $3
 ckstats () {
+    rm -f $2/named.stats
     $RNDCCMD $1 stats
     CNT=`sed -n -e 's/[	 ]*\([0-9]*\).response policy.*/\1/p'  \
 		    $2/named.stats`
@@ -309,6 +312,30 @@ addr 14.14.14.14 a5-4.tld2		# 13 prefer QNAME to IP
 nochange a5-4.tld2	    +norecurse	# 14 check that RD=1 is required
 nochange a4-4.tld2			# 15 PASSTHRU
 nxdomain c2.crash2.tld3			# 16 assert in rbtdb.c
+ckstats $ns3 ns3 29
+nxdomain a7-1.tld2			# 17 slave policy zone (RT34450)
+cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+$RNDCCMD 10.53.0.2 reload bl.tld2
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60"
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+	soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+	test "$soa" = "$goodsoa" && break
+	sleep 1
+done
+nochange a7-1.tld2			# 18 PASSTHRU
+sleep 1	# ensure that a clock tick has occured so that the reload takes effect
+cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
+$RNDCCMD 10.53.0.2 reload bl.tld2
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+	soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+	test "$soa" = "$goodsoa" && break
+	sleep 1
+done
+nxdomain a7-1.tld2			# 19 slave policy zone (RT34450)
+ckstats $ns3 ns3 31
 end_group
 
 # check that IP addresses for previous group were deleted from the radix tree
@@ -463,8 +490,7 @@ else
     echo "I:performance not checked; queryperf not available"
 fi
 
-
-ckstats $ns3 ns3 55
+ckstats $ns3 ns3 57
 
 # restart the main test RPZ server to see if that creates a core file
 if test -z "$HAVE_CORE"; then

lib/dns/include/dns/zone.h

@@ -2086,6 +2086,12 @@ dns_zone_rpz_enable(dns_zone_t *zone);
  * Set the response policy associated with a zone.
  */
 
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
 isc_boolean_t
 dns_zone_get_rpz(dns_zone_t *zone);
 

lib/dns/xfrin.c

@@ -270,13 +270,18 @@ axfr_init(dns_xfrin_ctx_t *xfr) {
 
 static isc_result_t
 axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
-	return (dns_db_create(xfr->mctx, /* XXX */
-			      "rbt", /* XXX guess */
-			      &xfr->name,
-			      dns_dbtype_zone,
-			      xfr->rdclass,
-			      0, NULL, /* XXX guess */
-			      dbp));
+	isc_result_t result;
+
+	result = dns_db_create(xfr->mctx, /* XXX */
+			       "rbt",	/* XXX guess */
+			       &xfr->name,
+			       dns_dbtype_zone,
+			       xfr->rdclass,
+			       0, NULL, /* XXX guess */
+			       dbp);
+	if (result == ISC_R_SUCCESS)
+		result = dns_zone_rpz_enable_db(xfr->zone, *dbp);
+	return (result);
 }
 
 static isc_result_t

lib/dns/zone.c

@@ -1534,6 +1534,18 @@ dns_zone_get_rpz(dns_zone_t *zone) {
 	return (zone->is_rpz);
 }
 
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+#ifdef BIND9
+	if (zone->is_rpz)
+		return (dns_db_rpz_enabled(db, NULL));
+#endif
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 zone_load(dns_zone_t *zone, unsigned int flags) {
 	isc_result_t result;
@@ -1987,14 +1999,9 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	isc_result_t tresult;
 	unsigned int options;
 
-#ifdef BIND9
-	if (zone->is_rpz) {
-		result = dns_db_rpz_enabled(db, NULL);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	}
-#endif
-
+	result = dns_zone_rpz_enable_db(zone, db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	options = get_master_options(zone);
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
 		options |= DNS_MASTER_MANYERRORS;