From dab73dfc86c094ba44787d59a78cbde364ec4963 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 9 Aug 2013 11:35:22 +1000
Subject: [PATCH] 3627. [bug] RPZ changes were not effective on slaves. [RT #34450]

(cherry picked from commit 333f320a62d78e79fa54e7bcc389073a109618f7)
---
 CHANGES | 2 ++
 bin/tests/system/rpz/clean.sh | 2 +-
 bin/tests/system/rpz/ns2/bl.tld2.db.in | 28 +++++++++++++++++
 bin/tests/system/rpz/ns2/blv2.tld2.db.in | 26 +++++++++++++++
 bin/tests/system/rpz/ns2/blv3.tld2.db.in | 28 +++++++++++++++++
 bin/tests/system/rpz/ns2/named.conf | 10 ++++++
 bin/tests/system/rpz/ns2/tld2.db | 3 ++
 bin/tests/system/rpz/ns3/named.conf | 4 +++
 bin/tests/system/rpz/setup.sh | 2 ++
 bin/tests/system/rpz/tests.sh | 40 +++++++++++++++++++-----
 lib/dns/include/dns/zone.h | 6 ++++
 lib/dns/xfrin.c | 19 ++++++-----
 lib/dns/zone.c | 23 +++++++++-----
 13 files changed, 170 insertions(+), 23 deletions(-)
 create mode 100644 bin/tests/system/rpz/ns2/bl.tld2.db.in
 create mode 100644 bin/tests/system/rpz/ns2/blv2.tld2.db.in
 create mode 100644 bin/tests/system/rpz/ns2/blv3.tld2.db.in
diff --git a/CHANGES b/CHANGES
index e313f0c11d..005c68cb00 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3627. [bug] RPZ changes were not effective on slaves. [RT #34450]
+
 3625. [bug] Don't send notify messages to machines outside of
 the test setup.
diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh
index d0c47976e3..ed10bcda8d 100644
--- a/bin/tests/system/rpz/clean.sh
+++ b/bin/tests/system/rpz/clean.sh
@@ -19,7 +19,7 @@
 # Clean up after rpz tests.
 rm -f proto.* dsset-* random.data trusted.conf dig.out* nsupdate.tmp ns*/*tmp
-rm -f ns*/*.key ns*/*.private ns2/tld2s.db
+rm -f ns*/*.key ns*/*.private ns2/tld2s.db ns2/bl.tld2.db
 rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf
 rm -f */named.memstats */named.run */named.stats */session.key
 rm -f */*.jnl */*.core */*.pid
diff --git a/bin/tests/system/rpz/ns2/bl.tld2.db.in b/bin/tests/system/rpz/ns2/bl.tld2.db.in
new file mode 100644
index 0000000000..84116807d1
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/bl.tld2.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
diff --git a/bin/tests/system/rpz/ns2/blv2.tld2.db.in b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
new file mode 100644
index 0000000000..bd5a48444c
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv2.tld2.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 2 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
diff --git a/bin/tests/system/rpz/ns2/blv3.tld2.db.in b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
new file mode 100644
index 0000000000..a4797b016c
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/blv3.tld2.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+
+
+; master for slave RPZ zone
+
+$TTL 3600
+@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+32.1.7.168.192.rpz-ip CNAME .
diff --git a/bin/tests/system/rpz/ns2/named.conf b/bin/tests/system/rpz/ns2/named.conf
index c2235af24b..2b3d65a7b8 100644
--- a/bin/tests/system/rpz/ns2/named.conf
+++ b/bin/tests/system/rpz/ns2/named.conf
@@ -32,6 +32,14 @@ options {
 notify no;
 };
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
 include "../trusted.conf";
 zone "." { type hint; file "hints"; };
@@ -44,3 +52,5 @@ zone "sub3.tld2." {type master; file "tld2.db";};
 zone "subsub.sub3.tld2." {type master; file "tld2.db";};
 zone "tld2s." {type master; file "tld2s.db";};
+
+zone "bl.tld2." {type master; file "bl.tld2.db"; notify yes; notify-delay 1;};
diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
index eeb4315303..0348412367 100644
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
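Review bot: The `key rndc_key` secret and the new `controls` block only work if they agree with the `$SYSTEMTESTTOP/common/rndc.conf` that tests.sh hands to rndc via `-c`, and nothing in this file records that dependency; a comment above the key block, `// must match common/rndc.conf, which $RNDCCMD in tests.sh uses`, keeps the two from drifting apart when either is edited. `allow { any; }` on a listener bound to 10.53.0.2 and gated by the key is acceptable for a test fixture, but if the suite's other servers restrict their controls channel to the 10.53.0.x test addresses this one should follow the same convention.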
@@ -121,3 +121,6 @@ a6-1 A 192.168.6.1
 TXT "a6-1 tld2 text"
 a6-2 A 192.168.6.2
 TXT "a6-2 tld2 text"
+
+a7-1 A 192.168.7.1
+ TXT "a7-1 tld2 text"
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
index 2acb977421..4553b97067 100644
--- a/bin/tests/system/rpz/ns3/named.conf
+++ b/bin/tests/system/rpz/ns3/named.conf
@@ -46,6 +46,7 @@ options {
 zone "bl-cname" policy cname txt-only.tld2.;
 zone "bl-wildcname" policy cname *.tld4.;
 zone "bl-garden" policy cname a12.tld2.;
+ zone "bl.tld2";
 }
 min-ns-dots 0;
 };
@@ -84,5 +85,8 @@ zone "bl-wildcname." {type master; file "bl-wildcname.db";
 zone "bl-garden." {type master; file "bl-garden.db"; allow-update {any;};};
+zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;};
+ request-ixfr no; masterfile-format text;};
+
 zone "crash1.tld2" {type master; file "crash1";};
 zone "crash2.tld3." {type master; file "crash2";};
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 5a0f904670..d5b02c7398 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -110,3 +110,5 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) {
 printf("host-%05d.example.tld5 A\n", $val);
 $val = ($val * 9 + 32771) % 65536;
 }' >ns5/requests
+
+cp ns2/bl.tld2.db.in ns2/bl.tld2.db
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 5b6c4bf50d..34365949ce 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
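Review bot: `request-ixfr no` on the new slave zone is what steers the test through the full-transfer path, where `axfr_makedb()` in xfrin.c builds a fresh database that has to be re-marked as an RPZ database (the RT #34450 case); an incremental transfer would presumably update the existing database in place and would not reproduce the bug. That intent is not written down, so a later tidy-up could drop the option and quietly turn the test into one that no longer exercises the fix; suggest `// AXFR only: the bug is in the new-database path taken by axfr_makedb()` on that line, and a similar one-liner for `masterfile-format text` if it is there to keep the dumped file readable.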
@@ -57,11 +57,13 @@ comment () {
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s"
 digcmd () {
- digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*"
- expr "$digcmd_args" : '.*@' >/dev/null || \
- digcmd_args="$digcmd_args @$ns3"
- expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \
- digcmd_args="+noauth $digcmd_args"
+ # Default to +noauth and @$ns3
+ # Also default to -bX where X is the @value so that OS X will choose
+ # the right IP source address.
+ digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \
+ sed -e "/@/!s/.*/& @$ns3/" \
+ -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \
+ -e '/+n?o?auth/!s/.*/+noauth &/'`
 #echo I:dig $digcmd_args 1>&2
 $DIG $digcmd_args
 }
@@ -135,6 +137,7 @@ ckalive () {
 # check that statistics for $1 in $2 = $3
 ckstats () {
+ rm -f $2/named.stats
 $RNDCCMD $1 stats
 CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \
 $2/named.stats`
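Review bot: The last sed address `'/+n?o?auth/!s/.*/+noauth &/'` never matches a caller's `+auth` or `+noauth`, because in the POSIX basic regular expressions sed uses by default `?` and `+` are ordinary characters, so the address matches only the literal text `+n?o?auth` and `+noauth` is prepended unconditionally; an explicit `+auth` from a caller then presumably still works only because dig honours the last occurrence of an option. The `expr` test this replaces used `'.*+[no]*auth'`, and the same pattern does the job here: `-e '/+[no]*auth/!s/.*/+noauth &/'`. The `-b` derivation on the line above assumes the `@` argument is a bare address with no port or brackets, which holds for this suite's `@$ns3` but deserves a comment such as `# assumes @<addr> is a bare address literal`.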
@@ -309,6 +312,30 @@ addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP
 nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required
 nochange a4-4.tld2 # 15 PASSTHRU
 nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c
+ckstats $ns3 ns3 29
+nxdomain a7-1.tld2 # 17 slave policy zone (RT34450)
+cp ns2/blv2.tld2.db.in ns2/bl.tld2.db
+$RNDCCMD 10.53.0.2 reload bl.tld2
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 2 3600 1200 604800 60"
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+ soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+ test "$soa" = "$goodsoa" && break
+ sleep 1
+done
+nochange a7-1.tld2 # 18 PASSTHRU
+sleep 1 # ensure that a clock tick has occured so that the reload takes effect
+cp ns2/blv3.tld2.db.in ns2/bl.tld2.db
+goodsoa="rpz.tld2. hostmaster.ns.tld2. 3 3600 1200 604800 60"
+$RNDCCMD 10.53.0.2 reload bl.tld2
+for i in 0 1 2 3 4 5 6 7 8 9 10
+do
+ soa=`$DIG -p 5300 +short soa bl.tld2 @10.53.0.3 -b10.53.0.3`
+ test "$soa" = "$goodsoa" && break
+ sleep 1
+done
+nxdomain a7-1.tld2 # 19 slave policy zone (RT34450)
+ckstats $ns3 ns3 31
 end_group
 # check that IP addresses for previous group were deleted from the radix tree
@@ -463,8 +490,7 @@ else
 echo "I:performance not checked; queryperf not available"
 fi
-
-ckstats $ns3 ns3 55
+ckstats $ns3 ns3 57
 # restart the main test RPZ server to see if that creates a core file
 if test -z "$HAVE_CORE"; then
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index f91801f6fe..9efa1e7297 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2086,6 +2086,12 @@ dns_zone_rpz_enable(dns_zone_t *zone);
 * Set the response policy associated with a zone.
 */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
 isc_boolean_t
 dns_zone_get_rpz(dns_zone_t *zone);
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 813f616e6f..9ad8960a54 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
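Review bot: Both SOA polling loops in the new block fall through silently when the slave never reaches the expected serial: after `done` the value of `$soa` is simply discarded, so a transfer that never happens surfaces only as an unrelated-looking failure of the following `nochange`/`nxdomain` check. Reporting the timeout once after each loop, e.g. `test "$soa" = "$goodsoa" || echo "I:slave bl.tld2 did not reach serial 2"` (serial 3 for the second loop), in whatever form this suite uses to count failures, makes a transfer problem distinguishable from an RPZ lookup problem. The loop body is duplicated verbatim and could become a small helper taking the expected serial; the comment on the `sleep 1` line spells it 'occured'.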
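Review bot: The `/*%` comment on the new `dns_zone_rpz_enable_db()` prototype says what the function does but not what it returns or who owns db: from the zone.c definition in this patch it returns `ISC_R_SUCCESS` without touching db when the zone is not a response policy zone, and otherwise the result of `dns_db_rpz_enabled()`. Suggest extending the comment with that contract, in the same Requires/Returns layout the header's other entries use if they have one, and noting that db remains owned by the caller and is passed before any data is loaded into it, as both call sites in this patch do.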
@@ -270,13 +270,18 @@ axfr_init(dns_xfrin_ctx_t *xfr) {
 static isc_result_t
 axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
- return (dns_db_create(xfr->mctx, /* XXX */
- "rbt", /* XXX guess */
- &xfr->name,
- dns_dbtype_zone,
- xfr->rdclass,
- 0, NULL, /* XXX guess */
- dbp));
+ isc_result_t result;
+
+ result = dns_db_create(xfr->mctx, /* XXX */
+ "rbt", /* XXX guess */
+ &xfr->name,
+ dns_dbtype_zone,
+ xfr->rdclass,
+ 0, NULL, /* XXX guess */
+ dbp);
+ if (result == ISC_R_SUCCESS)
+ result = dns_zone_rpz_enable_db(xfr->zone, *dbp);
+ return (result);
 }
 static isc_result_t
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 6e9f49afda..426ba204af 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1534,6 +1534,18 @@ dns_zone_get_rpz(dns_zone_t *zone) {
 return (zone->is_rpz);
 }
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+isc_result_t
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+#ifdef BIND9
+ if (zone->is_rpz)
+ return (dns_db_rpz_enabled(db, NULL));
+#endif
+ return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 zone_load(dns_zone_t *zone, unsigned int flags) {
 isc_result_t result;
@@ -1987,14 +1999,9 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 isc_result_t tresult;
 unsigned int options;
-#ifdef BIND9
- if (zone->is_rpz) {
- result = dns_db_rpz_enabled(db, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-#endif
-
+ result = dns_zone_rpz_enable_db(zone, db);
+ if (result != ISC_R_SUCCESS)
+ return (result);
 options = get_master_options(zone);
 if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
 options |= DNS_MASTER_MANYERRORS;
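Review bot: When `dns_zone_rpz_enable_db()` fails, `axfr_makedb()` returns an error but leaves the database it just created attached in `*dbp`, so its two failure paths have different contracts: nothing stored when `dns_db_create()` fails, an owned reference stored when the RPZ marking fails. The caller may well release `xfr->db` on teardown, but that is outside this hunk; releasing it here, `if (result != ISC_R_SUCCESS) dns_db_detach(dbp);` inside the success branch of the create call, keeps the function's contract simple. The call also assumes `xfr->zone` is always attached by the time an AXFR starts, since the helper dereferences it without a check; the context constructor is not in this hunk.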
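Review bot: The new exported `dns_zone_rpz_enable_db()` dereferences `zone` without the argument validation the file's other public `dns_zone_*` entry points are expected to carry, and it is now reachable from the transfer-in code as well as from `zone_startload()`; add `REQUIRE(DNS_ZONE_VALID(zone));` at the top. In a build without `BIND9` the `db` parameter is never referenced and will draw an unused-parameter warning, which an `#else` branch containing `UNUSED(db);` avoids. The `zone->is_rpz` read is unlocked, as it was in the `zone_startload()` code this replaces, so nothing changes on that front.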
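Review bot: The rewrite in `zone_startload()` removes the blank line that separated the early return from `options = get_master_options(zone);`, leaving the RPZ check visually glued to the option setup that follows; restoring the blank after `return (result);` keeps the two steps readable as separate blocks. The function's body continues past the end of the hunk.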