From 2cc8874c90e1af5bdbac70434459eb5545dc4ca1 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 18 Oct 2022 13:48:52 -0700
Subject: [PATCH] ensure RPZ lookups handle CD=1 correctly
RPZ rewrites called dns_db_findext() without passing through the client database options; as as result, if the client set CD=1, DNS_DBFIND_PENDINGOK was not used as it should have been, and cache lookups failed, resulting in failure of the rewrite.
(cherry picked from commit 305a50dbe12a43b0ee429c2e9bee04f35a8047c4)
---
 lib/ns/query.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 21ad1a34ce..35c3974d88 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3645,7 +3645,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
 struct in_addr ina;
 struct in6_addr in6a;
 isc_result_t result;
- unsigned int options = DNS_DBFIND_GLUEOK;
+ unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
 bool done = false;
 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
@@ -3706,8 +3706,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
 * otherwise we are done.
 */
 if (result == DNS_R_GLUE) {
- options = 0;
+ options = client->query.dboptions;
 } else {
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
 done = true;
 }
@@ -4267,7 +4268,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 dns_fixedname_init(&nsnamef);
 dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
- options = DNS_DBFIND_GLUEOK;
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
 while (st->r.label > st->popt.min_ns_labels) {
 bool was_glue = false;
 /*
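Review bot: The new initializer of `options` ORs in the whole of `client->query.dboptions`, not only the pending-data flag the commit message names, so any other bit that may be set in that word now also reaches the RPZ lookups. The same expression is repeated in the hunks at 3706, 4267 and 4393. If only CD=1 handling is intended, a mask such as `(client->query.dboptions & DNS_DBFIND_PENDINGOK) | DNS_DBFIND_GLUEOK` states that directly; if every client flag is meant to apply, a comment at the declaration like `/* RPZ lookups inherit the client's db options (e.g. DNS_DBFIND_PENDINGOK when CD=1) */` would keep a later edit from restoring a bare constant. The body of rpz_rewrite_ip_rrset starts and ends outside the hunk, so how `options` is consumed is not visible here.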
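Review bot: The assignment added in the `else` branch at 3706 looks like a dead store: it sits directly before `done = true;`, and if `done` ends the enclosing loop (its header is outside the hunk) `options` is never read again with this value. Either drop the added line or, if it is kept for symmetry with the glue branch, say so next to it, e.g. `/* not read once done is set; kept for symmetry */`.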
@@ -4393,9 +4394,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
 * glue responses, otherwise setup for the next name.
 */
 if (was_glue) {
- options = 0;
+ options = client->query.dboptions;
 } else {
- options = DNS_DBFIND_GLUEOK;
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
 st->r.label--;
 }
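Review bot: Both branches now assign the same base value and differ only in the glue bit, which makes it easy for one side to drift back to a bare constant and bring the CD=1 failure back. Setting the base once reads more directly: `options = client->query.dboptions;` followed by `if (!was_glue) { options |= DNS_DBFIND_GLUEOK; st->r.label--; }`. The while loop of rpz_rewrite that consumes `options` starts outside the hunk.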