From 8f23d56fba79ca063e3deacca973d89b327ccaed Mon Sep 17 00:00:00 2001
|
|
From: Mark Andrews <marka@isc.org>
|
|
Date: Wed, 4 May 2022 17:08:27 +1000
|
|
Subject: [PATCH] Check the cache as well when glue NS are returned processing
|
|
RPZ
|
|
|
|
(cherry picked from commit 8fb72012e36961ff62a29d5f4599b3c41e48e7c9)
|
|
Conflict: adapt seg3 and FALLTHROUGH
|
|
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8f23d56fba79ca063e3deacca973d89b327ccaed
|
|
---
|
|
lib/ns/query.c | 28 ++++++++++++++++++++++------
|
|
1 file changed, 22 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
|
index f4547a5..5ba732f 100644
|
|
--- a/lib/ns/query.c
|
|
+++ b/lib/ns/query.c
|
|
@@ -3937,6 +3937,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
dns_rpz_have_t have;
|
|
dns_rpz_popt_t popt;
|
|
int rpz_ver;
|
|
+ unsigned int options;
|
|
#ifdef USE_DNSRPS
|
|
librpz_emsg_t emsg;
|
|
#endif /* ifdef USE_DNSRPS */
|
|
@@ -4187,7 +4188,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
|
|
dns_fixedname_init(&nsnamef);
|
|
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
|
|
+ options = DNS_DBFIND_GLUEOK;
|
|
while (st->r.label > st->popt.min_ns_labels) {
|
|
+ bool was_glue = false;
|
|
/*
|
|
* Get NS rrset for each domain in the current qname.
|
|
*/
|
|
@@ -4202,7 +4205,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
!dns_rdataset_isassociated(st->r.ns_rdataset)) {
|
|
dns_db_t *db = NULL;
|
|
result = rpz_rrset_find(client, nsname,
|
|
- dns_rdatatype_ns,
|
|
+ dns_rdatatype_ns, options,
|
|
DNS_RPZ_TYPE_NSDNAME, &db, NULL,
|
|
&st->r.ns_rdataset, resuming);
|
|
if (db != NULL) {
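Review bot: The call now passes `options` as a new fourth argument to rpz_rrset_find(), but no hunk on this page changes that function's parameter list or the lookup it performs, and the diffstat (22 insertions, 6 deletions) counts more changed lines than the hunks shown here contain. If the callee in the target tree does not take an `options` argument, this will not compile. If it takes one but still passes a fixed `DNS_DBFIND_GLUEOK` to the database lookup, the no-glue retry added later in this patch would presumably have no effect, and the NS names checked against RPZ would still come from glue alone. Confirm that the backport carries the callee-side change and updates every other caller of rpz_rrset_find(); the enclosing function starts and ends outside this hunk.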
|
|
@@ -4212,8 +4215,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
goto cleanup;
|
|
}
|
|
switch (result) {
|
|
- case ISC_R_SUCCESS:
|
|
case DNS_R_GLUE:
|
|
+ was_glue = true;
|
|
+ /* FALLTHROUGH */
|
|
+ case ISC_R_SUCCESS:
|
|
result = dns_rdataset_first(st->r.ns_rdataset);
|
|
if (result != ISC_R_SUCCESS) {
|
|
goto cleanup;
|
|
@@ -4252,6 +4257,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
continue;
|
|
}
|
|
}
|
|
+
|
|
/*
|
|
* Check all NS names.
|
|
*/
|
|
@@ -4302,7 +4308,17 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
|
|
result = dns_rdataset_next(st->r.ns_rdataset);
|
|
} while (result == ISC_R_SUCCESS);
|
|
dns_rdataset_disassociate(st->r.ns_rdataset);
|
|
- st->r.label--;
|
|
+
|
|
+ /*
|
|
+ * If we just checked a glue NS RRset retry without allowing
|
|
+ * glue responses, otherwise setup for the next name.
|
|
+ */
|
|
+ if (was_glue) {
|
|
+ options = 0;
|
|
+ } else {
|
|
+ options = DNS_DBFIND_GLUEOK;
|
|
+ st->r.label--;
|
|
+ }
|
|
|
|
if (rpz_get_zbits(client, dns_rdatatype_any,
|
|
DNS_RPZ_TYPE_NSDNAME) == 0 &&
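Review bot: `options` is restored to `DNS_DBFIND_GLUEOK` only in the `else` branch here, so any path that leaves the iteration earlier keeps whatever value the previous pass set. The `continue` visible in the hunk at -4252 is one such path; if it is reached during the no-glue retry (its surrounding code is outside the hunks, so this is inferred), the next label would be looked up with `options == 0` instead of allowing glue. Termination of the retry also depends on rpz_rrset_find() never returning `DNS_R_GLUE` when called without `DNS_DBFIND_GLUEOK`; testing `if (was_glue && options != 0)` would guarantee that `st->r.label` advances regardless of the callee. Consider setting `options = DNS_DBFIND_GLUEOK;` next to every `st->r.label--` so the two always change together.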
|
|
--
|
|
2.27.0
|
|
|