bind/backport-0032-Check-the-cache-as-well-when-glue-NS-are-returned-pr.patch

From 8f23d56fba79ca063e3deacca973d89b327ccaed Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 4 May 2022 17:08:27 +1000
Subject: [PATCH] Check the cache as well when glue NS are returned processing
 RPZ

(cherry picked from commit 8fb72012e36961ff62a29d5f4599b3c41e48e7c9)
Conflict: adapt seg3 and FALLTHROUGH
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8f23d56fba79ca063e3deacca973d89b327ccaed
---
 lib/ns/query.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index f4547a5..5ba732f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3937,6 +3937,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 	dns_rpz_have_t have;
 	dns_rpz_popt_t popt;
 	int rpz_ver;
+	unsigned int options;
 #ifdef USE_DNSRPS
 	librpz_emsg_t emsg;
 #endif /* ifdef USE_DNSRPS */
@@ -4187,7 +4188,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 
 	dns_fixedname_init(&nsnamef);
 	dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
+	options = DNS_DBFIND_GLUEOK;
 	while (st->r.label > st->popt.min_ns_labels) {
+		bool was_glue = false;
 		/*
 		 * Get NS rrset for each domain in the current qname.
 		 */
@@ -4202,7 +4205,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 		    !dns_rdataset_isassociated(st->r.ns_rdataset)) {
 			dns_db_t *db = NULL;
 			result = rpz_rrset_find(client, nsname,
-						dns_rdatatype_ns,
+						dns_rdatatype_ns, options,
 						DNS_RPZ_TYPE_NSDNAME, &db, NULL,
 						&st->r.ns_rdataset, resuming);
 			if (db != NULL) {
@@ -4212,8 +4215,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 				goto cleanup;
 			}
 			switch (result) {
-			case ISC_R_SUCCESS:
 			case DNS_R_GLUE:
+				was_glue = true;
+				/* FALLTHROUGH */
+			case ISC_R_SUCCESS:
 				result = dns_rdataset_first(st->r.ns_rdataset);
 				if (result != ISC_R_SUCCESS) {
 					goto cleanup;
@@ -4252,6 +4257,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 				continue;
 			}
 		}
+
 		/*
 		 * Check all NS names.
 		 */
@@ -4302,7 +4308,17 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 			result = dns_rdataset_next(st->r.ns_rdataset);
 		} while (result == ISC_R_SUCCESS);
 		dns_rdataset_disassociate(st->r.ns_rdataset);
-		st->r.label--;
+
+		/*
+		 * If we just checked a glue NS RRset retry without allowing
+		 * glue responses, otherwise setup for the next name.
+		 */
+		if (was_glue) {
+			options = 0;
+		} else {
+			options = DNS_DBFIND_GLUEOK;
+			st->r.label--;
+		}
 
 		if (rpz_get_zbits(client, dns_rdatatype_any,
 				  DNS_RPZ_TYPE_NSDNAME) == 0 &&
-- 
2.27.0
backport bugfix patches 2022-12-26 15:55:21 +08:00			`From 8f23d56fba79ca063e3deacca973d89b327ccaed Mon Sep 17 00:00:00 2001`
			`From: Mark Andrews <marka@isc.org>`
			`Date: Wed, 4 May 2022 17:08:27 +1000`
			`Subject: [PATCH] Check the cache as well when glue NS are returned processing`
			`RPZ`

			`(cherry picked from commit 8fb72012e36961ff62a29d5f4599b3c41e48e7c9)`
			`Conflict: adapt seg3 and FALLTHROUGH`
			`Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8f23d56fba79ca063e3deacca973d89b327ccaed`
			`---`
			`lib/ns/query.c \| 28 ++++++++++++++++++++++------`
			`1 file changed, 22 insertions(+), 6 deletions(-)`

			`diff --git a/lib/ns/query.c b/lib/ns/query.c`
			`index f4547a5..5ba732f 100644`
			`--- a/lib/ns/query.c`
			`+++ b/lib/ns/query.c`
			`@@ -3937,6 +3937,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`
			`dns_rpz_have_t have;`
			`dns_rpz_popt_t popt;`
			`int rpz_ver;`
			`+ unsigned int options;`
			`#ifdef USE_DNSRPS`
			`librpz_emsg_t emsg;`
			`#endif /* ifdef USE_DNSRPS */`
			`@@ -4187,7 +4188,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`

			`dns_fixedname_init(&nsnamef);`
			`dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));`
			`+ options = DNS_DBFIND_GLUEOK;`
			`while (st->r.label > st->popt.min_ns_labels) {`
			`+ bool was_glue = false;`
			`/*`
			`* Get NS rrset for each domain in the current qname.`
			`*/`
			`@@ -4202,7 +4205,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`
			`!dns_rdataset_isassociated(st->r.ns_rdataset)) {`
			`dns_db_t *db = NULL;`
			`result = rpz_rrset_find(client, nsname,`
			`- dns_rdatatype_ns,`
			`+ dns_rdatatype_ns, options,`
			`DNS_RPZ_TYPE_NSDNAME, &db, NULL,`
			`&st->r.ns_rdataset, resuming);`
			`if (db != NULL) {`
			`@@ -4212,8 +4215,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`
			`goto cleanup;`
			`}`
			`switch (result) {`
			`- case ISC_R_SUCCESS:`
			`case DNS_R_GLUE:`
			`+ was_glue = true;`
			`+ /* FALLTHROUGH */`
			`+ case ISC_R_SUCCESS:`
			`result = dns_rdataset_first(st->r.ns_rdataset);`
			`if (result != ISC_R_SUCCESS) {`
			`goto cleanup;`
			`@@ -4252,6 +4257,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`
			`continue;`
			`}`
			`}`
			`+`
			`/*`
			`* Check all NS names.`
			`*/`
			`@@ -4302,7 +4308,17 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,`
			`result = dns_rdataset_next(st->r.ns_rdataset);`
			`} while (result == ISC_R_SUCCESS);`
			`dns_rdataset_disassociate(st->r.ns_rdataset);`
			`- st->r.label--;`
			`+`
			`+ /*`
			`+ * If we just checked a glue NS RRset retry without allowing`
			`+ * glue responses, otherwise setup for the next name.`
			`+ */`
			`+ if (was_glue) {`
			`+ options = 0;`
			`+ } else {`
			`+ options = DNS_DBFIND_GLUEOK;`
			`+ st->r.label--;`
			`+ }`

			`if (rpz_get_zbits(client, dns_rdatatype_any,`
			`DNS_RPZ_TYPE_NSDNAME) == 0 &&`
			`--`
			`2.27.0`