fix: usr: Fix a possible issue with reponse policy zones and catalog zones

If a response policy zone (RPZ) or a catalog zone contained an `$INCLUDE` directive, then manually reloading that zone could fail to process the changes in the response policy or in the catalog, respectively. This has been fixed. Closes #5714 Merge branch '5714-zone_loaddone-rpz-and-catz-bugfix' into 'main' See merge request isc-projects/bind9!11489
2026-05-23 02:28:55 -04:00 · 2026-01-27 11:32:07 +00:00 · 2026-01-27 11:32:07 +00:00 · fd568032ac
commit fd568032ac
parent f81e90e3e1 d81a2457d6
9 changed files with 70 additions and 1 deletions
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
@ -123,3 +123,6 @@ a7-1		A	192.168.7.1

 a7-2		A	192.168.7.2
 		TXT	"a7-2 tld2 text"
+
+a8-1		A	192.168.8.1
+		TXT	"a8-1 tld2 text"
--- a/bin/tests/system/rpz/ns3/include-rpz.db.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.db.in
@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+$INCLUDE include-rpz.inc
--- a/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	include-rpz.  hostmaster.ns.include-rpz. ( 1 3600 1200 604800 60 )
+	NS	ns.tld3.
--- a/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		SOA	include-rpz.  hostmaster.ns.include-rpz. ( 2 3600 1200 604800 60 )
+	NS	ns.tld3.
+
+a8-1.tld2	CNAME	.
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@ -53,6 +53,7 @@ options {
 	    zone "bl.tld2";
 	    zone "manual-update-rpz"	ede forged;
 	    zone "mixed-case-rpz";
+	    zone "include-rpz";
 	    zone "evil-cname"  policy cname a12.tld2. ede blocked;
 	    zone "wild-cname"  ede blocked;
 	    zone "slow-rpz";
@ -129,6 +130,12 @@ zone "mixed-case-rpz." {
 	notify no;
 };

+zone "include-rpz." {
+	type primary;
+	file "include-rpz.db";
+	notify no;
+};
+
 zone "slow-rpz." {
    type primary;
    file "slow-rpz.db";
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@ -38,6 +38,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db

 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db

+cp ns3/include-rpz.db.in ns3/include-rpz.db
+cp ns3/include-rpz.inc-1.in ns3/include-rpz.inc
+
 # a "big" zone (tested with '-T rpzslow' enabled to slow down loading)
 cp ns3/slow-rpz.db.in ns3/slow-rpz.db

--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@ -707,6 +707,16 @@ sleep 1
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
 grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"

+t=$((t + 1))
+echo_i "checking rpz with included rules can reload (${t})"
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.before || setret "failed"
+grep "status: NOERROR" dig.out.$t.before >/dev/null || setret "failed"
+cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc
+rndc_reload ns3 $ns3 include-rpz
+sleep 1
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.after || setret "failed"
+grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+
 t=$((t + 1))
 echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@ -39,6 +39,8 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/bl.tld2.db",
        "ns3/evil-cname.db",
        "ns3/fast-expire.db",
+        "ns3/include-rpz.db",
+        "ns3/include-rpz.inc",
        "ns3/manual-update-rpz.db",
        "ns3/mixed-case-rpz.db",
        "ns3/named.conf.tmp",
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -17559,7 +17559,7 @@ zone_loaddone(void *arg, isc_result_t result) {
 	 * If zone loading failed, remove the update db callbacks prior
 	 * to calling the list of callbacks in the zone load structure.
 	 */
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
 		dns_zone_rpz_disable_db(zone, load->db);
 		dns_zone_catz_disable_db(zone, load->db);
 	}