From 76db58eb818dc4839fa816df6a1a1ecb2c7a6bd0 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 27 Apr 2011 17:46:47 +0000
Subject: [PATCH] 3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280]
 
---
 CHANGES | 4 ++++
 bin/named/query.c | 14 +++++++++----
 bin/tests/system/rpz/ns3/base.db | 6 +++++-
 bin/tests/system/rpz/tests.sh | 34 +++++++++++++++++++++++++++++++-
 bin/tests/system/start.pl | 29 +++++++++++++++++++--------
 5 files changed, 73 insertions(+), 14 deletions(-)
 
diff --git a/CHANGES b/CHANGES
index 80827bc672..51c58ae74a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
 3099. [test] "dlz" system test now runs but gives R:SKIPPED
 if not compiled with --with-dlz-filesystem. [RT #24146]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 79a30196e0..b749b15658 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: query.c,v 1.361 2011/04/19 22:30:52 each Exp $ */
+/* $Id: query.c,v 1.362 2011/04/27 17:46:46 each Exp $ */
 
 /*! \file */
 
@@ -4079,9 +4079,15 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 if (dns_rdataset_isassociated(*rdatasetp))
 dns_rdataset_disassociate(*rdatasetp);
 dns_db_detachnode(*dbp, nodep);
- result = dns_db_find(*dbp, qnamef, version, qtype, 0,
- client->now, nodep, found,
- *rdatasetp, NULL);
+
+ if (qtype == dns_rdatatype_rrsig ||
+ qtype == dns_rdatatype_sig)
+ result = DNS_R_NXRRSET;
+ else
+ result = dns_db_find(*dbp, qnamef, version,
+ qtype, 0, client->now,
+ nodep, found, *rdatasetp,
+ NULL);
 }
 }
 switch (result) {
diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db
index f750399f7f..81402e1ec9 100644
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
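Review bot: The new early-out assigns `result = DNS_R_NXRRSET` right after `dns_db_detachnode(*dbp, nodep)` without calling dns_db_find(), so on this path `*nodep`, `found` and `*rdatasetp` stay as the detach and disassociate left them; the `switch (result)` that follows is outside the hunk, and its DNS_R_NXRRSET arm should be checked to confirm it does not touch the node or rdataset when they were never looked up. The reason the two types are special-cased is also not recorded in the code; a comment such as `/* Never look RRSIG/SIG up in the policy zone; treat them as a missing rrset (RT #24280). */` above the new `if` would tell the next reader why, assuming the INSIST in the ticket came from the dns_db_find() call this branch now skips — confirm against the ticket. rpz_find's body starts and ends outside the hunk.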
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: base.db,v 1.3 2011/01/13 04:59:25 tbox Exp $
+; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
 
 ; RPZ test
 
@@ -29,3 +29,7 @@ $TTL 120
 128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
 128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
 127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
+
+; for testing rrset replacement
+redirect IN A 127.0.0.1
+*.redirect IN A 127.0.0.1
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index aeef0ce457..5688a6a135 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.3 2011/01/13 04:59:24 tbox Exp $
+# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
 
 # test response policy zones (RPZ)
 
@@ -215,6 +215,38 @@ if grep CNAME $DIGNM >/dev/null; then : ; else
 fi
 end_test
 
+ret=0
+echo "I:checking RRSIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles RRSIG queries okay
+$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking SIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
 if test "$status" -eq 0; then
 rm -f dig.out*
 fi
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 57dea3d824..d9a8c9080f 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.19 2011/03/05 23:52:29 tbox Exp $
+# $Id: start.pl,v 1.20 2011/04/27 17:46:47 each Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
@@ -36,9 +36,10 @@ use Getopt::Long;
 # NOTE: options must be specified with '-- "