From ec450fde7cee684f37b0a59d770330c700419610 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 1 Feb 2016 09:33:14 -0800
Subject: [PATCH] [master] disallow delzone on policiy zones

4311.	[bug]		Prevent "rndc delzone" from being used on
			response-policy zones. [RT #41593]
---
 CHANGES                                  |  3 +++
 bin/named/server.c                       | 10 ++++++++++
 bin/tests/system/addzone/ns2/named2.conf | 19 ++++++++++++-------
 bin/tests/system/addzone/tests.sh        |  9 +++++++--
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 276391de97..689d283673 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4311.	[bug]		Prevent "rndc delzone" from being used on
+			response-policy zones. [RT #41593]
+
 4310.	[performance]	Use __builtin_expect() where available to annotate
 			conditions with known behavior. [RT #41411]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index 3d38b4edbc..e5954aa0fc 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -10211,6 +10211,16 @@ ns_server_delzone(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
 
 	INSIST(zonename != NULL);
 
+	/* Is this a policy zone? */
+	if (dns_zone_get_rpz_num(zone) != DNS_RPZ_INVALID_NUM) {
+		TCHECK(putstr(text, "zone '"));
+		TCHECK(putstr(text, zonename));
+		TCHECK(putstr(text,
+			      "' cannot be deleted: response-policy zone."));
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	exclusive = ISC_TRUE;
diff --git a/bin/tests/system/addzone/ns2/named2.conf b/bin/tests/system/addzone/ns2/named2.conf
index 2669aa0856..6d52f14f1d 100644
--- a/bin/tests/system/addzone/ns2/named2.conf
+++ b/bin/tests/system/addzone/ns2/named2.conf
@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named2.conf,v 1.5 2011/06/17 23:47:49 tbox Exp $ */
-
 controls { /* empty */ };
 
 include "../../common/controls.conf";
@@ -33,10 +31,17 @@ view internal {
 	allow-new-zones no;
         recursion yes;
 
+	response-policy { zone "policy"; };
+
 	zone "." {
 		type hint;
 		file "../../common/root.hint";
 	};
+
+	zone "policy" {
+		type master;
+		file "normal.db";
+	};
 };
 
 view external {
@@ -54,9 +59,9 @@ view external {
 acl match { none; };
 acl nobody { none; };
 view extra {
-        match-clients { match; };
-        allow-new-zones yes;
-        allow-transfer { nobody; };
-        allow-query { nobody; };
-        allow-recursion { nobody; };
+	match-clients { match; };
+	allow-new-zones yes;
+	allow-transfer { nobody; };
+	allow-query { nobody; };
+	allow-recursion { nobody; };
 };
diff --git a/bin/tests/system/addzone/tests.sh b/bin/tests/system/addzone/tests.sh
index ffa934ef57..010619e1fc 100755
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
@@ -14,8 +14,6 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.6 2011/06/17 23:47:49 tbox Exp $
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
@@ -356,6 +354,13 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:attempting to delete a policy zone ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 delzone 'policy in internal' 2>&1 | grep 'cannot be deleted' > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:ensure the configuration context is cleaned up correctly ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 || ret=1