From 31dcd783665b83718f90e3baf09a6859a8a34a40 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 9 Jun 2011 03:14:04 +0000 Subject: [PATCH] 3126. [security] Using DNAME record to generate replacements caused RPZ to exit with a assertion failure. [RT #23766] --- CHANGES | 3 +++ bin/named/query.c | 11 ++++++++--- bin/tests/system/rpz/test1 | 10 ++++++++-- bin/tests/system/rpz/tests.sh | 7 +++++-- doc/arm/Bv9ARM-book.xml | 9 ++++++--- 5 files changed, 30 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index a94b903e73..cc3ec51ba4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3126. [security] Using DNAME record to generate replacements caused + RPZ to exit with a assertion failure. [RT #23766] + 3125. [security] Using wildcard CNAME records as a replacement with RPZ caused named to exit with a assertion failure. [RT #24715] diff --git a/bin/named/query.c b/bin/named/query.c index 32f08d9488..46e94a8085 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.353.8.10 2011/06/09 00:53:55 marka Exp $ */ +/* $Id: query.c,v 1.353.8.11 2011/06/09 03:14:03 marka Exp $ */ /*! \file */ @@ -4105,8 +4105,13 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, } break; case DNS_R_DNAME: - policy = DNS_RPZ_POLICY_RECORD; - break; + /* + * DNAME policy RRs have very few if any uses that are not + * better served with simple wildcards. Making the work would + * require complications to get the number of labels matched + * in the name or the found name itself to the main DNS_R_DNAME + * case in query_find(). So fall through to treat them as NODATA. + */ case DNS_R_NXRRSET: policy = DNS_RPZ_POLICY_NODATA; break; diff --git a/bin/tests/system/rpz/test1 b/bin/tests/system/rpz/test1 index 373ea0f95f..9908b4676f 100644 --- a/bin/tests/system/rpz/test1 +++ b/bin/tests/system/rpz/test1 
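Review bot: The new `case DNS_R_DNAME:` arm now falls through into `case DNS_R_NXRRSET:` with only a prose comment marking that intent, so an implicit-fallthrough warning, or a later maintainer restoring a `break;`, would silently change the policy again; close the comment block with an explicit `/* FALLTHROUGH */` line directly above `case DNS_R_NXRRSET:`. The comment also reads "Making the work would require complications" where "Making them work" is meant, and it should state outright that a DNAME policy RR is accepted into the zone (the test1 change adds one by dynamic update) but answered as NODATA, since the ARM text in this same commit tells operators the type is simply not allowed. The rest of the switch and the body of rpz_find() lie outside the hunk, so whether any load-time diagnostic for DNAME rules exists cannot be seen here.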
@@ -12,13 +12,19 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: test1,v 1.4 2011/01/13 19:30:41 each Exp $ +; $Id: test1,v 1.4.8.1 2011/06/09 03:14:04 marka Exp $ server 10.53.0.3 5300 +; NXDOMAIN update add a0-1.tld2.bl. 300 CNAME . -update add a3-1.tld2.bl. 300 CNAME *. + +; NODATA +update add a1-1.tld2.bl. 300 CNAME *. +; and no assert-botch +update add a1-2.tld2.bl. 300 DNAME example.com. + update add *.sub1.tld2.bl. 300 A 12.12.12.12 send diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index a13faee983..fff920af7f 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -12,7 +12,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.3.8.2 2011/06/09 00:53:55 marka Exp $ +# $Id: tests.sh,v 1.3.8.3 2011/06/09 03:14:04 marka Exp $ # test response policy zones (RPZ) @@ -152,7 +152,9 @@ status=0 start_test "RPZ QNAME rewrites" test1 nxdomain a0-1.tld2 -nodata a3-1.tld2 +nodata a1-1.tld2 +nodata a1-2.tld2 +nodata sub.a1-2.tld2 a12 a4-1.sub1.tld2 end_test @@ -266,6 +268,7 @@ if [ $ret != 0 ]; then fi status=`expr $status + $ret` + if test "$status" -eq 0; then rm -f dig.out* fi diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 14a6a3ccca..eecc1f2a2b 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
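Review bot: The new expectations `nodata a1-2.tld2` and `nodata sub.a1-2.tld2` only confirm the NODATA rewrite for the DNAME rule; the regression this commit fixes is an assertion failure, which this test would catch only indirectly, if a crashed named stops answering and the `nodata` helper fails on a timeout. An explicit liveness check after these queries, such as a lookup of a name no rule covers that must still succeed, would make the "no assert-botch" intent written in test1 visible in the test itself. The `nodata` helper and the `start_test`/`end_test` scaffolding are defined outside the hunk, so I am assuming they do not already verify that the server survived.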
@@ -9239,8 +9239,8 @@ deny-answer-aliases { "example.net"; }; The rules encoded in a response policy zone (RPZ) are applied only to responses to queries that ask for recursion (RD=1). - RPZs are normal DNS zones containing largely valid RRsets - that can be queried normal if allowed. + RPZs are normal DNS zones containing RRsets + that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query {none; }; or allow-query { 127.0.0.1; };. @@ -9252,6 +9252,8 @@ deny-answer-aliases { "example.net"; }; records resolved in the process of generating the response. The owner name of a QNAME rule is the query name relativized to the RPZ. + The records in a rewrite rule are usually A, AAAA, or special + CNAMEs, but can be any type except DNAME. @@ -9351,6 +9353,7 @@ nodata.domain.com CNAME *. bad.domain.com A 10.0.0.1 AAAA 2001:2::1 ok.domain.com CNAME ok.domain.com. +*.badzone.domain.com CNAME garden.example.com. ; IP rules rewriting all answers for 127/8 except 127.0.0.1 8.0.0.0.127.ip CNAME .