upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix #1079: tags from tagged rpz zones are no longer honored after

Browse source 
upgrade from 1.19.3 to 1.20.0.
This commit is contained in:
W.C.A. Wijngaards 2024-05-30 12:11:30 +02:00
parent 910d7cf446
commit b6c7ea563f
3 changed files with 269 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
30 May 2024: Wouter
- Fix #1079: tags from tagged rpz zones are no longer honored after
upgrade from 1.19.3 to 1.20.0.
29 May 2024: Wouter 29 May 2024: Wouter
- Merge #1078: Only check old pid if no username. - Merge #1078: Only check old pid if no username.

17
services/rpz.c
View file

@ -2435,11 +2435,10 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; } if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
az = ms->env->auth_zones; az = ms->env->auth_zones;
lock_rw_rdlock(&az->rpz_lock);
verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL); verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
lock_rw_rdlock(&az->rpz_lock);
/* precedence of RPZ works, loosely, like this: /* precedence of RPZ works, loosely, like this:
* CNAMEs in order of the CNAME chain. rpzs in the order they are * CNAMEs in order of the CNAME chain. rpzs in the order they are
* configured. In an RPZ: first client-IP addr, then QNAME, then * configured. In an RPZ: first client-IP addr, then QNAME, then
@ -2454,6 +2453,13 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
lock_rw_unlock(&a->lock); lock_rw_unlock(&a->lock);
continue; continue;
} }
if(r->taglist && ms->client_info &&
!taglist_intersect(r->taglist, r->taglistlen,
ms->client_info->taglist,
ms->client_info->taglen)) {
lock_rw_unlock(&a->lock);
continue;
}
/* the nsdname has precedence over the nsip triggers */ /* the nsdname has precedence over the nsip triggers */
z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
@ -2512,6 +2518,13 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
lock_rw_unlock(&a->lock); lock_rw_unlock(&a->lock);
continue; continue;
} }
if(r->taglist && ms->client_info &&
!taglist_intersect(r->taglist, r->taglistlen,
ms->client_info->taglist,
ms->client_info->taglen)) {
lock_rw_unlock(&a->lock);
continue;
}
z = rpz_find_zone(r->local_zones, is->qchase.qname, z = rpz_find_zone(r->local_zones, is->qchase.qname,
is->qchase.qname_len, is->qchase.qclass, 0, 0, 0); is->qchase.qname_len, is->qchase.qclass, 0, 0, 0);
if(z && r->action_override == RPZ_DISABLED_ACTION) { if(z && r->action_override == RPZ_DISABLED_ACTION) {

250
testdata/rpz_cname_tag.rpl vendored Normal file
View file

@ -0,0 +1,250 @@
; config options
server:
module-config: "respip validator iterator"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
access-control: 192.0.0.0/8 allow
define-tag: "internal server"
access-control-tag: 192.0.0.0/8 "internal"
access-control-tag: 127.0.0.0/8 "server"
rpz:
name: "rpz.example.com."
rpz-log: yes
rpz-log-name: "rpz.example.com"
tags: "internal"
zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz.example.com.
3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
www.gotham.a A 1.2.3.61
www.gotham2.a CNAME g2.target.a.
g2.target.a A 1.2.3.62
www.gotham3.a CNAME g3.target.a.
g3.target.a CNAME g3b.target.a.
g3b.target.a A 1.2.3.63
www.gotham4.a CNAME g4.target.a.
g4.target.a CNAME g4b.target.a.
g4b.target.a CNAME g4c.target.a.
g4c.target.a A 1.2.3.64
; server for a.
32.40.30.20.10.rpz-nsip A 1.2.3.68
TEMPFILE_END
stub-zone:
name: "a."
stub-addr: 10.20.30.40
CONFIG_END
SCENARIO_BEGIN Test RPZ handling of CNAMEs and tags.
; a.
RANGE_BEGIN 0 1000
ADDRESS 10.20.30.40
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
target.a. IN A
SECTION ANSWER
target.a. IN A 1.2.3.6
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham.a. IN A
SECTION ANSWER
www.gotham.a. IN A 1.2.3.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham2.a. IN A
SECTION ANSWER
www.gotham2.a. IN A 1.2.3.52
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION ANSWER
www.gotham3.a. IN A 1.2.3.53
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham4.a. IN A
SECTION ANSWER
www.gotham4.a. IN A 1.2.3.54
ENTRY_END
RANGE_END
; Test with zero rpz CNAMEs, no tag match for rpz answer.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham.a. IN A
ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham.a. IN A
SECTION ANSWER
www.gotham.a. A 1.2.3.5
ENTRY_END
; Test with one rpz CNAME, no tag match for rpz answer.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham2.a. IN A
ENTRY_END
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham2.a. IN A
SECTION ANSWER
www.gotham2.a. A 1.2.3.52
ENTRY_END
; Test with two rpz CNAMEs, no tag match for rpz answer.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham3.a. IN A
ENTRY_END
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION ANSWER
www.gotham3.a. A 1.2.3.53
ENTRY_END
; Test with three rpz CNAMEs, no tag match for rpz answer.
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham4.a. IN A
ENTRY_END
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham4.a. IN A
SECTION ANSWER
www.gotham4.a. A 1.2.3.54
ENTRY_END
; Test with zero rpz CNAMEs, rpz answer. Tag "internal"
STEP 50 QUERY ADDRESS 192.0.0.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham.a. IN A
ENTRY_END
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
www.gotham.a. IN A
SECTION ANSWER
www.gotham.a. A 1.2.3.61
ENTRY_END
; Test with one rpz CNAME, rpz answer. Tag "internal"
STEP 60 QUERY ADDRESS 192.0.0.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham2.a. IN A
ENTRY_END
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
www.gotham2.a. IN A
SECTION ANSWER
www.gotham2.a. CNAME g2.target.a.
g2.target.a. A 1.2.3.62
ENTRY_END
; Test with two rpz CNAMEs, rpz answer. Tag "internal"
STEP 70 QUERY ADDRESS 192.0.0.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham3.a. IN A
ENTRY_END
STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION ANSWER
www.gotham3.a. CNAME g3.target.a.
g3.target.a. CNAME g3b.target.a.
g3b.target.a. A 1.2.3.63
ENTRY_END
; Test with three rpz CNAMEs, rpz answer. Tag "internal"
STEP 80 QUERY ADDRESS 192.0.0.1
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham4.a. IN A
ENTRY_END
STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
www.gotham4.a. IN A
SECTION ANSWER
www.gotham4.a. CNAME g4.target.a.
g4.target.a. CNAME g4b.target.a.
g4b.target.a. CNAME g4c.target.a.
g4c.target.a. A 1.2.3.64
ENTRY_END
SCENARIO_END