From ed559646e63451d58a12831f4563e8b3c7e0ddcaab0af0768814c399e1c5fc0e Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Fri, 1 Aug 2014 11:43:42 +0000 Subject: [PATCH] Accepting request 243329 from home:lmuelle:branches:network MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Package dnssec-checkds and dnssec-coverage binaries and man pages only on post-11.1 systems. - Update to version 9.9.5P1 Various bugfixes and some feature fixes. (see CHANGES files) Security and maintenance issues: - [bug] Don't call qsort with a null pointer. [RT #35968] - [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968] - [port] linux: libcap support: declare curval at start of block. [RT #35387] - Update to version 9.9.5 Various bugfixes and some feature fixes. (see CHANGES files) - Updated to current rpz patch from http://ss.vix.su/~vjs/rrlrpz.html - rpz2-9.9.4.patch + rpz2+rl-9.9.5.patch OBS-URL: https://build.opensuse.org/request/show/243329 OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=144 --- Makefile.in.diff | 2 +- bind-9.9.4-P2.tar.gz | 3 - bind-9.9.4-P2.tar.gz.asc | 11 - bind-9.9.5-P1.tar.gz | 3 + bind-9.9.5-P1.tar.gz.asc | 11 + bind-sdb-ldap.patch | 4 +- bind.changes | 126 ++++++ bind.spec | 15 +- configure.in.diff | 2 +- named-bootconf.diff | 4 +- pid-path.diff | 2 +- pie_compile.diff | 2 +- rpz2-9.9.4.patch => rpz2+rl-9.9.5.patch | 490 ++++++++++-------------- 13 files changed, 355 insertions(+), 320 deletions(-) delete mode 100644 bind-9.9.4-P2.tar.gz delete mode 100644 bind-9.9.4-P2.tar.gz.asc create mode 100644 bind-9.9.5-P1.tar.gz create mode 100644 bind-9.9.5-P1.tar.gz.asc rename rpz2-9.9.4.patch => rpz2+rl-9.9.5.patch (95%) diff --git a/Makefile.in.diff b/Makefile.in.diff index f99f64a..95eda63 100644 --- a/Makefile.in.diff +++ b/Makefile.in.diff 
@@ -2,7 +2,7 @@ Index: bind-9.9.3-P1/bin/named/Makefile.in =================================================================== --- bind-9.9.3-P1.orig/bin/named/Makefile.in +++ bind-9.9.3-P1/bin/named/Makefile.in -@@ -175,9 +175,7 @@ installdirs: +@@ -176,9 +176,7 @@ installdirs: install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) diff --git a/bind-9.9.4-P2.tar.gz b/bind-9.9.4-P2.tar.gz deleted file mode 100644 index da07c8c..0000000 --- a/bind-9.9.4-P2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:50f3c6431e26d3f322b69092a49c92e163e73029fe4a1933ce532dc97ec40a89 -size 7513077 diff --git a/bind-9.9.4-P2.tar.gz.asc b/bind-9.9.4-P2.tar.gz.asc deleted file mode 100644 index bd3de92..0000000 --- a/bind-9.9.4-P2.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.12 (NetBSD) - -iQEcBAABAgAGBQJSxzKdAAoJEEWseFcYnNvFBRMH+QE4AkJ4CoZPcO0PcE6+2AFA -BEXCJJSyMfZr3R0Wblb+lhWehnnWpxqV8FCwM9gecFXn0J44aJ+U8nh3WA8ROAas -5NfXjll34YDDo8UU9wGZ7XmPpzUnn6DoncVz1BeV1VwqLIADv6WkoSx0HasYQ4Vf -bHwGJI1cFCLDpy8XhjLAb4iUkdE9NSmvJ+6OZJ0ZtgYymnnNWI2YvHn95DM3DQbS -lURMaiqiwNmhuk4Q4qzoAPrbpEqRG/PmFxRiZWk9irPhBsSoJKU/wbOFyTD+iJAv -+pugh+S9lXkqR5bWLKzR8rpW4ydV9KVuxo6jW4dT4kR7QbU+zdMC6CAW/99duqQ= -=F/NG ------END PGP SIGNATURE----- diff --git a/bind-9.9.5-P1.tar.gz b/bind-9.9.5-P1.tar.gz new file mode 100644 index 0000000..2439739 --- /dev/null +++ b/bind-9.9.5-P1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a41f7813f3a6eb0dcae961651ec93896fd82074929bc6c1d8c90b04a2417b850 +size 7730150 diff --git a/bind-9.9.5-P1.tar.gz.asc b/bind-9.9.5-P1.tar.gz.asc new file mode 100644 index 0000000..6166b6a --- /dev/null +++ b/bind-9.9.5-P1.tar.gz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (NetBSD) + +iQEcBAABAgAGBQJTldadAAoJEEWseFcYnNvFsLAH/iepQdJvNgfZ5inZ//Kp8QeO +5dv6f7a6UvfHZiD5wh8p9MCiIKVgxdeVV5HsSOsu8UpnzXRsmC2aH3etdxhlIsqu +QTGfJzLiIY1Y+/xnSqUXHfKdJ4aCsHQqXiGqFi8oAW26DIQgjHDRfLhYkEWBeXss +KjhCiI0FDjxvEqQ3orFWwUBV6RfHyIwTL186R/57r9xTtzJZFapvXMvV4TJjYAvU +8UqPwP36mD7sdQEjg6PCOnrDtCheHLwF1q5m3a1rsuKmV3W3a2BZvTA2mW1xdrHb +oo0Vbvt6GfzmFJHhs2G2VEj4405ALOmqLGejxs7pSbcZ1yyPlU/L/pcn+s1iB/Q= +=zuFR +-----END PGP SIGNATURE----- diff --git a/bind-sdb-ldap.patch b/bind-sdb-ldap.patch index 82adb28..f225ca5 100644 --- a/bind-sdb-ldap.patch +++ b/bind-sdb-ldap.patch @@ -27,7 +27,7 @@ Index: bin/named/main.c #ifdef CONTRIB_DLZ /* -@@ -904,6 +905,7 @@ +@@ -922,6 +923,7 @@ * Add calls to register sdb drivers here. */ /* xxdb_init(); */ @@ -35,7 +35,7 @@ Index: bin/named/main.c #ifdef ISC_DLZ_DLOPEN /* -@@ -940,6 +942,7 @@ +@@ -958,6 +960,7 @@ * Add calls to unregister sdb drivers here. */ /* xxdb_clear(); */ diff --git a/bind.changes b/bind.changes index 0a47302..c9a4634 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,129 @@ +------------------------------------------------------------------- +Thu Jul 31 21:40:49 UTC 2014 - lmuelle@suse.com + +- Package dnssec-checkds and dnssec-coverage binaries and man pages only on + post-11.1 systems. + +------------------------------------------------------------------- +Thu Jul 31 17:20:38 UTC 2014 - lmuelle@suse.com + +- Update to version 9.9.5P1 + Various bugfixes and some feature fixes. (see CHANGES files) + Security and maintenance issues: + + - [bug] Don't call qsort with a null pointer. [RT #35968] + - [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968] + - [port] linux: libcap support: declare curval at start of block. [RT #35387] + +- Update to version 9.9.5 + - [bug] Address double dns_zone_detach when switching to using automatic + empty zones from regular zones. [RT #35177] + - [port] Use built-in versions of strptime() and timegm() on all platforms + to avoid portability issues. [RT #35183] + - [bug] Address a portentry locking issue in dispatch.c. [RT #35128] + - [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND on a missing + resolv.conf file and initializes the structure as if it had been + configured with nameserver ::1 nameserver 127.0.0.1 [RT #35194] + - [contrib] queryperf: Fixed a possible integer overflow when printing + results. [RT #35182] + - [protocol] Accept integer timestamps in RRSIG records. [RT #35185] + - [func] named-checkconf can now obscure shared secrets when printing by + specifying '-x'. [RT #34465] + - [bug] Improvements to statistics channel XSL stylesheet: the stylesheet can + now be cached by the browser; section headers are omitted from the stats + display when there is no data in those sections to be displayed; counters + are now right-justified for easier readability. (Only available with + configure --enable-newstats.) [RT #35117] + - [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120] + - [bug] Handle "." 
as a search list element when IDN support is enabled. + [RT #35133] + - [bug] dig failed to handle AXFR style IXFR responses which span multiple + messages. [RT #35137] + - [bug] Address a possible race in dispatch.c. [RT #35107] + - [bug] Warn when a key-directory is configured for a zone, but does not + exist or is not a directory. [RT #35108] + - [security] memcpy was incorrectly called with overlapping ranges resulting + in malformed names being generated on some platforms. This could cause + INSIST failures when serving NSEC3 signed zones (CVE-2014-0591). + [RT #35120] + - [bug] Two calls to dns_db_getoriginnode were fatal if there was no data at + the node. [RT #35080] + - [bug] Iterative responses could be missed when the source port for an + upstream query was the same as the listener port (53). [RT #34925] + - [bug] Fixed a bug causing an insecure delegation from one static-stub zone + to another to fail with a broken trust chain. [RT #35081] + - [bug] loadnode could return a freed node on out of memory. [RT #35106] + - [bug] Address null pointer dereference in zone_xfrdone. [RT #35042] + - [func] "dnssec-signzone -Q" drops signatures from keys that are still + published but no longer active. [RT #34990] + - [bug] "rndc refresh" didn't work correctly with slave zones usingi + inline-signing. [RT #35105] + - [cleanup] Add a more detailed "not found" message to rndc commands which + specify a zone name. [RT #35059] + - [bug] Correct the behavior of rndc retransfer to allow inline-signing slave + zones to retain NSEC3 parameters instead of reverting to NSEC. [RT #34745] + - [port] Update the Windows build system to support feature selection and + WIN64 builds. This is a work in progress. [RT #34160] + - [bug] dig could fail to clean up TCP sockets still waiting on connect(). + [RT #35074] + - [port] Update config.guess and config.sub. [RT #35060] + - [bug] 'nsupdate' leaked memory if 'realm' was used multiple times. 
+ [RT #35073] + - [bug] "named-checkconf -z" now checks zones of type hint and redirect as + well as master. [RT #35046] + - [misc] Provide a place for third parties to add version information for + their extensions in the version file by setting the EXTENSIONS variable. + - [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026] + - [func] Local address can now be specified when using dns_client API. + [RT #34811] + - [bug] Don't allow dnssec-importkey overwrite a existing non-imported + private key. + - [bug] Address read after free in server side of lwres_getrrsetbyname. + [RT #29075] + - [bug] Fix cast in lex.c which could see 0xff treated as eof. [RT #34993] + - [bug] Failure to release lock on error in receive_secure_db. [RT #34944] + - [bug] Updated OpenSSL PKCS#11 patches to fix active list locking and other + bugs. [RT #34855] + - [bug] Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS + and ISDN types. [RT #34910] + - [bug] 'host' could die if a UDP query timed out. [RT #34870] + - [bug] Address lock order reversal deadlock with inline zones. [RT #34856] + - [cleanup] Changed the name of "isc-config.sh" to "bind9-config". + [RT #23825] + - [port] linux: Address platform specific compilation issue when libcap-devel + is installed. [RT #34838] + - [port] Some readline clones don't accept NULL pointers when calling + add_history. [RT #34842] + - [cleanup] Simplify TCP message processing when requesting a zone transfer. + [RT #34825] + - [bug] Address race condition with manual notify requests. [RT #34806] + - [func] Create delegations for all "children" of empty zones except + "forward first". [RT #34826] + - [tuning] Adjust when a master server is deemed unreachable. [RT #27075] + - [tuning] Use separate rate limiting queues for refresh and notify + requests. [RT #30589] + - [cleanup] Include a comment in .nzf files, giving the name of the + associated view. [RT #34765] + - [bug] Address a race condition when shutting down a zone. 
[RT #34750] + - [bug] Journal filename string could be set incorrectly, causing garbage in + log messages. [RT #34738] + - [protocol] Use case sensitive compression when responding to queries. + [RT #34737] + - [protocol] Check that EDNS subnet client options are well formed. + [RT #34718] + - [func] Allow externally generated DNSKEY to be imported into the DNSKEY + management framework. A new tool dnssec-importkey is used to do this. + [RT #34698] + - [bug] Handle changes to sig-validity-interval settings better. [RT #34625] + - [bug] ndots was not being checked when searching. Only continue searching + on NXDOMAIN responses. Add the ability to specify ndots to nslookup. + [RT #34711] + - [bug] Treat type 65533 (KEYDATA) as opaque except when used in a key zone. + [RT #34238] +- Updated to current rpz patch from·http://ss.vix.su/~vjs/rrlrpz.html + - rpz2-9.9.4.patch + + rpz2+rl-9.9.5.patch + ------------------------------------------------------------------- Sun Jun 1 13:30:10 UTC 2014 - chris@computersalat.de diff --git a/bind.spec b/bind.spec index 0c9585a..463ace4 100644 --- a/bind.spec +++ b/bind.spec @@ -18,7 +18,7 @@ Name: bind %define pkg_name bind -%define pkg_vers 9.9.4-P2 +%define pkg_vers 9.9.5-P1 BuildRequires: krb5-devel BuildRequires: libcap BuildRequires: libcap-devel @@ -33,7 +33,7 @@ BuildRequires: update-desktop-files Summary: Domain Name System (DNS) Server (named) License: ISC Group: Productivity/Networking/DNS/Servers -Version: 9.9.4P2 +Version: 9.9.5P1 Release: 0 Provides: bind8 Provides: bind9 @@ -66,8 +66,8 @@ BuildRequires: gpg-offline # Rate limiting patch by Paul Vixie et.al. for reflection DoS protection # see http://www.redbarn.org/dns/ratelimits -#Patch200: http://ss.vix.su/~vjs/rpz2-9.9.4.patch -Patch200: rpz2-9.9.4.patch +#Patch200: http://ss.vix.su/~vjs/rpz2+rl-9.9.5.patch +Patch200: rpz2+rl-9.9.5.patch Source60: dlz-schema.txt %if %ul_version >= 1 
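Review bot: The rebased rpz2+rl-9.9.5.patch is vendored with no integrity record: the only provenance on the new side is the commented-out plain-http URL on the `#Patch200:` line, so nothing ties this 490-line rewrite of bin/named/query.c and server.c (code that runs on every query) to what its author published, whereas the upstream tarball at least ships with a detached signature that the gpg-offline build dependency visible in the hunk context can check. Record a digest of the file as fetched next to the URL, e.g. `# sha256 of rpz2+rl-9.9.5.patch as downloaded: <digest>`, and use an https URL if the site serves one, so a later re-download can be compared against what was committed. The `%patch200` application line and the %prep signature check are outside this hunk, so whether the -p level still matches the new `diff -r -u` headers was not verified here.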
@@ -589,11 +589,13 @@ fi %attr(0644,root,named) %ghost /%{_sysconfdir}/named.conf.include %attr(0640,root,named) %ghost %config(noreplace) /%{_sysconfdir}/rndc.key %config /%{_sysconfdir}/init.d/named +%{_bindir}/bind9-config %{_sbindir}/rcnamed %{_sbindir}/named %{_sbindir}/named-checkconf %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone +%doc %{_mandir}/man1/bind9-config.1.gz %doc %{_mandir}/man5/named.conf.5.gz %doc %{_mandir}/man8/named-checkconf.8.gz %doc %{_mandir}/man8/named-checkzone.8.gz @@ -688,9 +690,12 @@ fi %{_bindir}/runidn %{_sbindir}/arpaname %{_sbindir}/ddns-confgen +%if 0%{?suse_version} > 1110 %{_sbindir}/dnssec-checkds %{_sbindir}/dnssec-coverage +%endif %{_sbindir}/dnssec-dsfromkey +%{_sbindir}/dnssec-importkey %{_sbindir}/dnssec-keyfromlabel %{_sbindir}/dnssec-keygen %{_sbindir}/dnssec-revoke @@ -715,8 +720,10 @@ fi %doc %{_mandir}/man1/nsupdate.1.gz %doc %{_mandir}/man5/rndc.conf.5.gz %doc %{_mandir}/man8/ddns-confgen.8.gz +%if 0%{?suse_version} > 1110 %doc %{_mandir}/man8/dnssec-checkds.8.gz %doc %{_mandir}/man8/dnssec-coverage.8.gz +%endif %doc %{_mandir}/man8/dnssec-dsfromkey.8.gz %doc %{_mandir}/man8/dnssec-keyfromlabel.8.gz %doc %{_mandir}/man8/dnssec-keygen.8.gz diff --git a/configure.in.diff b/configure.in.diff index a970833..baedcd2 100644 --- a/configure.in.diff +++ b/configure.in.diff @@ -2,7 +2,7 @@ Index: bind-9.9.4-P2/configure.in =================================================================== --- bind-9.9.4-P2.orig/configure.in 2013-12-20 01:28:28.000000000 +0100 +++ bind-9.9.4-P2/configure.in 2014-01-21 17:55:51.063395215 +0100 -@@ -3142,7 +3142,7 @@ +@@ -3172,7 +3172,7 @@ # empty). The variable VARIABLE will be substituted into output files. # diff --git a/named-bootconf.diff b/named-bootconf.diff index fc18c23..e958144 100644 --- a/named-bootconf.diff +++ b/named-bootconf.diff 
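Review bot: The `@@ -688,9 +690,12 @@` hunk packages the new `%{_sbindir}/dnssec-importkey` binary, but the man-page hunk below it (`@@ -715,8 +720,10 @@`) adds no `%doc %{_mandir}/man8/dnssec-importkey.8.gz`; if the 9.9.5 install target places that page in the buildroot (this commit's changelog describes dnssec-importkey as a new tool), rpmbuild stops on an unpackaged file, and if it does not, the tool ships undocumented. The `%if 0%{?suse_version} > 1110` guards have a related weakness: they only drop dnssec-checkds and dnssec-coverage from the %files lists and rely on those tools not being installed on 11.1 and older (presumably because they need a newer Python than those releases ship), which is not visible here. An explicit `rm -f %{buildroot}%{_sbindir}/dnssec-checkds %{buildroot}%{_sbindir}/dnssec-coverage` under the inverse condition in %install would make that intent checkable instead of depending on configure's behaviour; the %install section is outside this hunk.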
@@ -2,7 +2,7 @@ Index: contrib/named-bootconf/named-bootconf.sh =================================================================== --- contrib/named-bootconf/named-bootconf.sh.orig +++ contrib/named-bootconf/named-bootconf.sh -@@ -54,7 +54,8 @@ +@@ -47,7 +47,8 @@ # POSSIBILITY OF SUCH DAMAGE. if [ ${OPTIONFILE-X} = X ]; then @@ -12,7 +12,7 @@ Index: contrib/named-bootconf/named-bootconf.sh ( umask 077 ; mkdir $WORKDIR ) || { echo "unable to create work directory '$WORKDIR'" >&2 exit 1 -@@ -308,7 +309,7 @@ if [ $DUMP -eq 1 ]; then +@@ -301,7 +302,7 @@ if [ $DUMP -eq 1 ]; then cat $ZONEFILE $COMMENTFILE rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE diff --git a/pid-path.diff b/pid-path.diff index 1009de6..4d55ad3 100644 --- a/pid-path.diff +++ b/pid-path.diff @@ -2,7 +2,7 @@ Index: bin/named/include/named/globals.h =================================================================== --- bin/named/include/named/globals.h.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/named/include/named/globals.h 2013-08-05 14:14:28.152275375 +0200 -@@ -139,9 +139,9 @@ +@@ -140,9 +140,9 @@ "lwresd.pid"); #else EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR diff --git a/pie_compile.diff b/pie_compile.diff index 71a2d1a..854a844 100644 --- a/pie_compile.diff +++ b/pie_compile.diff @@ -124,7 +124,7 @@ Index: bin/nsupdate/Makefile.in =================================================================== --- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200 +++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200 -@@ -66,8 +66,12 @@ +@@ -68,8 +68,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} diff --git a/rpz2-9.9.4.patch b/rpz2+rl-9.9.5.patch similarity index 95% rename from rpz2-9.9.4.patch rename to rpz2+rl-9.9.5.patch index 6726bf4..c6f3fa7 100644 --- a/rpz2-9.9.4.patch +++ b/rpz2+rl-9.9.5.patch 
@@ -1,7 +1,6 @@ -Index: bin/named/query.c -=================================================================== ---- bin/named/query.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/named/query.c 2014-01-21 17:56:13.516661510 +0100 +diff -r -u bin/named/query.c-orig bin/named/query.c +--- bin/named/query.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/named/query.c 2004-01-01 00:00:00.000000000 +0000 @@ -879,11 +879,11 @@ static void rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled, @@ -829,6 +828,8 @@ Index: bin/named/query.c - result = dns_name_concatenate(prefix, suffix, - rpz_qname, NULL); - if (result == ISC_R_SUCCESS) +- break; +- INSIST(result == DNS_R_NAMETOOLONG); + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); @@ -840,12 +841,24 @@ Index: bin/named/query.c + p_rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: -+ /* + /* +- * Trim the name until it is not too long. + * Continue after a policy record that is missing + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. -+ */ + */ +- labels = dns_name_countlabels(prefix); +- if (labels < 2) { +- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, +- rpz_type, suffix, +- "concatentate() ", result); +- return (ISC_R_SUCCESS); +- } +- if (labels+1 == dns_name_countlabels(qname)) { +- rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, +- rpz_type, suffix, +- "concatentate() ", result); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); 
@@ -875,26 +888,13 @@ Index: bin/named/query.c + (st->m.type == rpz_type && + st->m.prefix == prefix && + 0 > dns_name_rdatacompare(st->p_name, p_name))) - break; -- INSIST(result == DNS_R_NAMETOOLONG); ++ break; + - /* -- * Trim the name until it is not too long. ++ /* + * Stop checking after saving an enabled hit in this + * policy zone. The radix tree in the policy zone + * ensures that we found the longest match. - */ -- labels = dns_name_countlabels(prefix); -- if (labels < 2) { -- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, -- rpz_type, suffix, -- "concatentate() ", result); -- return (ISC_R_SUCCESS); -- } -- if (labels+1 == dns_name_countlabels(qname)) { -- rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, -- rpz_type, suffix, -- "concatentate() ", result); ++ */ + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, prefix, result, @@ -1296,8 +1296,8 @@ Index: bin/named/query.c isc_result_t result; st = client->query.rpz_st; -@@ -4603,10 +4889,10 @@ - st->m.policy = DNS_RPZ_POLICY_MISS; +@@ -4604,10 +4890,10 @@ + st->m.ttl = ~0; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); - dns_fixedname_init(&st->_qnamef); @@ -1309,7 +1309,7 @@ Index: bin/named/query.c st->r_name = dns_fixedname_name(&st->_r_namef); st->fname = dns_fixedname_name(&st->_fnamef); client->query.rpz_st = st; -@@ -4619,7 +4905,7 @@ +@@ -4620,7 +4906,7 @@ case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: @@ -1318,7 +1318,7 @@ Index: bin/named/query.c break; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: -@@ -4629,73 +4915,155 @@ +@@ -4630,73 +4916,155 @@ case DNS_R_NCACHENXRRSET: case DNS_R_CNAME: case DNS_R_DNAME: 
@@ -1425,10 +1425,12 @@ Index: bin/named/query.c + st->r.label = dns_name_countlabels(client->query.qname); + st->state &= ~(DNS_RPZ_DONE_QNAME_IP | + DNS_RPZ_DONE_IPv4); -+ -+ } - st->r.label = dns_name_countlabels(client->query.qname); ++ } + +- st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); +- st->state |= DNS_RPZ_DONE_QNAME; + /* + * Quit if this was an attempt to find a qname or + * client-IP trigger before recursion. @@ -1443,9 +1445,7 @@ Index: bin/named/query.c + */ + if (qresult_type == 2) + goto cleanup; - -- st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); -- st->state |= DNS_RPZ_DONE_QNAME; ++ + /* + * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP + * is reset at the end of dealing with each CNAME. @@ -1505,7 +1505,7 @@ Index: bin/named/query.c /* * Get NS rrset for each domain in the current qname. */ -@@ -4709,8 +5077,8 @@ +@@ -4710,8 +5078,8 @@ if (st->r.ns_rdataset == NULL || !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; @@ -1516,7 +1516,7 @@ Index: bin/named/query.c &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) -@@ -4744,12 +5112,12 @@ +@@ -4745,12 +5113,12 @@ case ISC_R_FAILURE: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_DEBUG_LEVEL3, @@ -1531,7 +1531,7 @@ Index: bin/named/query.c continue; } } -@@ -4765,8 +5133,8 @@ +@@ -4766,8 +5134,8 @@ dns_rdata_reset(&nsrdata); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, @@ -1542,7 +1542,7 @@ Index: bin/named/query.c st->m.policy = DNS_RPZ_POLICY_ERROR; goto cleanup; } -@@ -4782,11 +5150,11 @@ +@@ -4783,11 +5151,11 @@ * Check this NS name if we did not handle it * during a previous recursion. */ @@ -1558,7 +1558,7 @@ Index: bin/named/query.c &rdataset); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&ns); -@@ -4797,9 +5165,9 @@ +@@ -4798,9 +5166,9 @@ /* * Check all IP addresses for this NS name. */ 
@@ -1571,7 +1571,7 @@ Index: bin/named/query.c dns_rdata_freestruct(&ns); if (result != ISC_R_SUCCESS) goto cleanup; -@@ -4809,10 +5177,16 @@ +@@ -4810,10 +5178,16 @@ } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); st->r.label--; @@ -1589,7 +1589,7 @@ Index: bin/named/query.c */ result = ISC_R_SUCCESS; -@@ -4827,7 +5201,7 @@ +@@ -4828,7 +5202,7 @@ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && result != DNS_R_DELEGATION) rpz_log_rewrite(client, ISC_FALSE, st->m.policy, @@ -1598,7 +1598,7 @@ Index: bin/named/query.c rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { -@@ -4846,19 +5220,25 @@ +@@ -4847,19 +5221,25 @@ * by the client in DNSSEC or a lack of signatures. */ static isc_boolean_t @@ -1627,7 +1627,7 @@ Index: bin/named/query.c if (sigrdataset == NULL) return (ISC_TRUE); if (dns_rdataset_isassociated(sigrdataset)) -@@ -4938,7 +5318,7 @@ +@@ -4939,7 +5319,7 @@ if (result != ISC_R_SUCCESS) return (result); rpz_log_rewrite(client, ISC_FALSE, st->m.policy, @@ -1636,7 +1636,7 @@ Index: bin/named/query.c ns_client_qnamereplace(client, fname); /* * Turn off DNSSEC because the results of a -@@ -5997,13 +6377,15 @@ +@@ -5998,13 +6378,15 @@ } #endif /* USE_RRL */ @@ -1655,7 +1655,7 @@ Index: bin/named/query.c isc_result_t rresult; rresult = rpz_rewrite(client, qtype, result, resuming); -@@ -6041,12 +6423,17 @@ +@@ -6042,12 +6424,17 @@ rpz_st->state |= DNS_RPZ_REWRITTEN; if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS && rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && @@ -1678,7 +1678,7 @@ Index: bin/named/query.c rpz_clean(&zone, &db, &node, NULL); if (rpz_st->m.rdataset != NULL) { query_putrdataset(client, &rdataset); -@@ -6066,6 +6453,27 @@ +@@ -6067,6 +6454,27 @@ rpz_st->m.zone = NULL; switch (rpz_st->m.policy) { 
@@ -1706,7 +1706,7 @@ Index: bin/named/query.c case DNS_RPZ_POLICY_NXDOMAIN: result = DNS_R_NXDOMAIN; break; -@@ -6078,8 +6486,8 @@ +@@ -6079,8 +6487,8 @@ result != DNS_R_CNAME) { /* * We will add all of the rdatasets of @@ -1717,7 +1717,7 @@ Index: bin/named/query.c */ if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); -@@ -6134,7 +6542,7 @@ +@@ -6135,7 +6543,7 @@ rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, @@ -1726,10 +1726,9 @@ Index: bin/named/query.c } } -Index: bin/named/server.c -=================================================================== ---- bin/named/server.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/named/server.c 2014-01-21 17:56:13.518661534 +0100 +diff -r -u bin/named/server.c-orig bin/named/server.c +--- bin/named/server.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/named/server.c 2004-01-01 00:00:00.000000000 +0000 @@ -375,7 +375,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, @@ -1740,7 +1739,7 @@ Index: bin/named/server.c static isc_result_t add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx); -@@ -1551,17 +1552,24 @@ +@@ -1556,17 +1557,24 @@ } static isc_result_t @@ -1769,7 +1768,7 @@ Index: bin/named/server.c if (new == NULL) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "no memory for response policy zones"); -@@ -1569,20 +1577,29 @@ +@@ -1574,20 +1582,29 @@ } memset(new, 0, sizeof(*new)); @@ -1805,7 +1804,7 @@ Index: bin/named/server.c obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); if (cfg_obj_isuint32(obj)) { -@@ -1590,6 +1607,8 @@ +@@ -1595,6 +1612,8 @@ } else { new->max_policy_ttl = ttl_def; } 
@@ -1814,7 +1813,7 @@ Index: bin/named/server.c str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name")); result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone"); -@@ -1600,25 +1619,50 @@ +@@ -1605,25 +1624,50 @@ "invalid zone name '%s'", str); return (DNS_R_EMPTYLABEL); } @@ -1871,7 +1870,7 @@ Index: bin/named/server.c if (result != ISC_R_SUCCESS) return (result); -@@ -1637,6 +1681,116 @@ +@@ -1642,6 +1686,116 @@ return (result); } } @@ -1988,7 +1987,7 @@ Index: bin/named/server.c return (ISC_R_SUCCESS); } -@@ -2096,7 +2250,7 @@ +@@ -2109,7 +2263,7 @@ dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL; unsigned int query_timeout, ndisp; struct cfg_context *nzctx; @@ -1997,7 +1996,7 @@ Index: bin/named/server.c REQUIRE(DNS_VIEW_VALID(view)); -@@ -2194,44 +2348,7 @@ +@@ -2207,44 +2361,7 @@ obj = NULL; if (view->rdclass == dns_rdataclass_in && need_hints && ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { @@ -2043,7 +2042,7 @@ Index: bin/named/server.c } /* -@@ -2252,22 +2369,29 @@ +@@ -2265,22 +2382,29 @@ { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, @@ -2086,7 +2085,7 @@ Index: bin/named/server.c } } -@@ -2293,7 +2417,7 @@ +@@ -2306,7 +2430,7 @@ const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, actx, @@ -2095,7 +2094,7 @@ Index: bin/named/server.c } } -@@ -3737,7 +3861,8 @@ +@@ -3750,7 +3874,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, @@ -2105,7 +2104,7 @@ Index: bin/named/server.c { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ -@@ -3758,8 +3883,7 @@ +@@ -3771,8 +3896,7 @@ const char *zname; dns_rdataclass_t zclass; const char *ztypestr; 
@@ -2115,7 +2114,7 @@ Index: bin/named/server.c options = NULL; (void)cfg_map_get(config, "options", &options); -@@ -3921,18 +4045,15 @@ +@@ -3934,18 +4058,15 @@ INSIST(dupzone == NULL); /* @@ -2140,7 +2139,7 @@ Index: bin/named/server.c } /* -@@ -3943,7 +4064,9 @@ +@@ -3956,7 +4077,9 @@ * - The zone is compatible with the config * options (e.g., an existing master zone cannot * be reused if the options specify a slave zone) @@ -2151,7 +2150,7 @@ Index: bin/named/server.c */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); -@@ -3957,7 +4080,8 @@ +@@ -3970,7 +4093,8 @@ if (zone != NULL && !ns_zone_reusable(zone, zconfig)) dns_zone_detach(&zone); @@ -2161,7 +2160,7 @@ Index: bin/named/server.c dns_zone_detach(&zone); if (zone != NULL) { -@@ -3982,8 +4106,8 @@ +@@ -3995,8 +4119,8 @@ dns_zone_setstats(zone, ns_g_server->zonestats); } @@ -2172,7 +2171,7 @@ Index: bin/named/server.c if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, -@@ -8219,7 +8343,8 @@ +@@ -8286,7 +8410,8 @@ RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_view_thaw(view); result = configure_zone(cfg->config, parms, vconfig, @@ -2182,10 +2181,9 @@ Index: bin/named/server.c dns_view_freeze(view); isc_task_endexclusive(server->task); if (result != ISC_R_SUCCESS) -Index: bin/tests/system/rpz/Makefile -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bin/tests/system/rpz/Makefile 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/Makefile-orig bin/tests/system/rpz/Makefile +--- bin/tests/system/rpz/Makefile-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/Makefile 2004-01-01 00:00:00.000000000 +0000 @@ -0,0 +1,478 @@ +# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# 
@@ -2665,10 +2663,9 @@ Index: bin/tests/system/rpz/Makefile + /usr/include/stdio.h /usr/include/string.h /usr/include/strings.h + +# IF YOU PUT ANYTHING HERE IT WILL GO AWAY -Index: bin/tests/system/rpz/clean.sh -=================================================================== ---- bin/tests/system/rpz/clean.sh.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/clean.sh 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/clean.sh-orig bin/tests/system/rpz/clean.sh +--- bin/tests/system/rpz/clean.sh-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/clean.sh 2004-01-01 00:00:00.000000000 +0000 @@ -19,7 +19,7 @@ # Clean up after rpz tests. @@ -2678,10 +2675,9 @@ Index: bin/tests/system/rpz/clean.sh rm -f ns3/bl*.db ns*/*switch ns5/requests ns5/example.db ns5/bl.db ns5/*.perf rm -f */named.memstats */named.run */named.stats */session.key rm -f */*.jnl */*.core */*.pid -Index: bin/tests/system/rpz/ns1/root.db -=================================================================== ---- bin/tests/system/rpz/ns1/root.db.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns1/root.db 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/ns1/root.db-orig bin/tests/system/rpz/ns1/root.db +--- bin/tests/system/rpz/ns1/root.db-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns1/root.db 2004-01-01 00:00:00.000000000 +0000 @@ -38,3 +38,6 @@ ; performance test tld5. NS ns.tld5. 
@@ -2689,10 +2685,9 @@ Index: bin/tests/system/rpz/ns1/root.db + +; generate SERVFAIL +servfail NS ns.tld2. -Index: bin/tests/system/rpz/ns2/bl.tld2.db -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bin/tests/system/rpz/ns2/bl.tld2.db 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/ns2/bl.tld2.db-orig bin/tests/system/rpz/ns2/bl.tld2.db +--- bin/tests/system/rpz/ns2/bl.tld2.db-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns2/bl.tld2.db 2004-01-01 00:00:00.000000000 +0000 @@ -0,0 +1,27 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; @@ -2721,20 +2716,19 @@ Index: bin/tests/system/rpz/ns2/bl.tld2.db + A 10.53.0.3 + +32.1.7.168.192.rpz-ip CNAME . -Index: bin/tests/system/rpz/ns2/named.conf -=================================================================== ---- bin/tests/system/rpz/ns2/named.conf.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns2/named.conf 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/ns2/named.conf-orig bin/tests/system/rpz/ns2/named.conf +--- bin/tests/system/rpz/ns2/named.conf-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns2/named.conf 2004-01-01 00:00:00.000000000 +0000 @@ -32,14 +32,6 @@ notify no; }; -key rndc_key { -- secret "1234abcd8765"; -- algorithm hmac-sha256; +- secret "1234abcd8765"; +- algorithm hmac-sha256; -}; -controls { -- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +- inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; -}; - include "../trusted.conf"; 
@@ -2746,10 +2740,9 @@ Index: bin/tests/system/rpz/ns2/named.conf -zone "bl.tld2." {type master; file "bl.tld2.db"; notify yes; notify-delay 1;}; +zone "bl.tld2." {type master; file "bl.tld2.db";}; -Index: bin/tests/system/rpz/ns2/tld2.db -=================================================================== ---- bin/tests/system/rpz/ns2/tld2.db.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns2/tld2.db 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/ns2/tld2.db-orig bin/tests/system/rpz/ns2/tld2.db +--- bin/tests/system/rpz/ns2/tld2.db-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns2/tld2.db 2004-01-01 00:00:00.000000000 +0000 @@ -111,6 +111,9 @@ A 192.168.5.2 TXT "a5-1-2 tld2 text" @@ -2760,10 +2753,9 @@ Index: bin/tests/system/rpz/ns2/tld2.db a5-3 A 192.168.5.3 TXT "a5-3 tld2 text" -Index: bin/tests/system/rpz/ns3/base.db -=================================================================== ---- bin/tests/system/rpz/ns3/base.db.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns3/base.db 2014-01-21 17:56:13.519661546 +0100 +diff -r -u bin/tests/system/rpz/ns3/base.db-orig bin/tests/system/rpz/ns3/base.db +--- bin/tests/system/rpz/ns3/base.db-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns3/base.db 2004-01-01 00:00:00.000000000 +0000 @@ -21,30 +21,7 @@ ; Its contents are also changed with nsupdate 
@@ -2797,10 +2789,9 @@ Index: bin/tests/system/rpz/ns3/base.db -; (or whatever) is available by publishing "foo A 10.2.3.4" and then -; resolving foo. -32.3.2.1.127.rpz-ip CNAME walled.invalid. -Index: bin/tests/system/rpz/ns3/named.conf -=================================================================== ---- bin/tests/system/rpz/ns3/named.conf.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns3/named.conf 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/ns3/named.conf-orig bin/tests/system/rpz/ns3/named.conf +--- bin/tests/system/rpz/ns3/named.conf-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns3/named.conf 2004-01-01 00:00:00.000000000 +0000 @@ -46,20 +46,24 @@ zone "bl-cname" policy cname txt-only.tld2.; zone "bl-wildcname" policy cname *.tld4.; @@ -2844,19 +2835,17 @@ Index: bin/tests/system/rpz/ns3/named.conf zone "crash1.tld2" {type master; file "crash1";}; zone "crash2.tld3." {type master; file "crash2";}; -Index: bin/tests/system/rpz/ns5/named.args -=================================================================== ---- bin/tests/system/rpz/ns5/named.args.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns5/named.args 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/ns5/named.args-orig bin/tests/system/rpz/ns5/named.args +--- bin/tests/system/rpz/ns5/named.args-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns5/named.args 2004-01-01 00:00:00.000000000 +0000 
@@ -1,3 +1,3 @@ # run the performace test close to real life --c named.conf -g +-c named.conf -gd3 -Index: bin/tests/system/rpz/ns5/named.conf -=================================================================== ---- bin/tests/system/rpz/ns5/named.conf.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns5/named.conf 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/ns5/named.conf-orig bin/tests/system/rpz/ns5/named.conf +--- bin/tests/system/rpz/ns5/named.conf-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns5/named.conf 2004-01-01 00:00:00.000000000 +0000 @@ -40,7 +40,7 @@ key rndc_key { @@ -2887,10 +2876,9 @@ Index: bin/tests/system/rpz/ns5/named.conf +zone "bl17." {type master; file "bl.db"; }; +zone "bl18." {type master; file "bl.db"; }; +zone "bl19." {type master; file "bl.db"; }; -Index: bin/tests/system/rpz/ns5/tld5.db -=================================================================== ---- bin/tests/system/rpz/ns5/tld5.db.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/ns5/tld5.db 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/ns5/tld5.db-orig bin/tests/system/rpz/ns5/tld5.db +--- bin/tests/system/rpz/ns5/tld5.db-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/ns5/tld5.db 2004-01-01 00:00:00.000000000 +0000 @@ -22,42 +22,10 @@ NS ns1 NS ns2 @@ -2934,10 +2922,9 @@ Index: bin/tests/system/rpz/ns5/tld5.db $ORIGIN example.tld5. -Index: bin/tests/system/rpz/setup.sh -=================================================================== ---- bin/tests/system/rpz/setup.sh.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/setup.sh 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/setup.sh-orig bin/tests/system/rpz/setup.sh +--- bin/tests/system/rpz/setup.sh-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/setup.sh 2004-01-01 00:00:00.000000000 +0000 @@ -26,11 +26,13 @@ sh clean.sh 
@@ -3025,10 +3012,9 @@ Index: bin/tests/system/rpz/setup.sh }' >ns5/requests - -cp ns2/bl.tld2.db.in ns2/bl.tld2.db -Index: bin/tests/system/rpz/test1 -=================================================================== ---- bin/tests/system/rpz/test1.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/test1 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/test1-orig bin/tests/system/rpz/test1 +--- bin/tests/system/rpz/test1-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/test1 2004-01-01 00:00:00.000000000 +0000 @@ -24,13 +24,13 @@ ; QNAME tests @@ -3072,10 +3058,9 @@ Index: bin/tests/system/rpz/test1 +; 34 qname-wait-recurse yes +update add x.servfail.bl. 300 A 127.0.0.34 send -Index: bin/tests/system/rpz/test2 -=================================================================== ---- bin/tests/system/rpz/test2.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/test2 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/test2-orig bin/tests/system/rpz/test2 +--- bin/tests/system/rpz/test2-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/test2 2004-01-01 00:00:00.000000000 +0000 @@ -58,7 +58,7 @@ send @@ -3094,10 +3079,9 @@ Index: bin/tests/system/rpz/test2 +; 17 +update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17 +send -Index: bin/tests/system/rpz/test5 -=================================================================== ---- bin/tests/system/rpz/test5.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/test5 2014-01-21 17:56:13.520661557 +0100 +diff -r -u bin/tests/system/rpz/test5-orig bin/tests/system/rpz/test5 +--- bin/tests/system/rpz/test5-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/test5 2004-01-01 00:00:00.000000000 +0000 @@ -35,10 +35,8 @@ ; 4 update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4 
@@ -3120,10 +3104,9 @@ Index: bin/tests/system/rpz/test5 +; 19 +update add a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19 +send -Index: bin/tests/system/rpz/test6 -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bin/tests/system/rpz/test6 2014-01-21 17:56:13.521661569 +0100 +diff -r -u bin/tests/system/rpz/test6-orig bin/tests/system/rpz/test6 +--- bin/tests/system/rpz/test6-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/test6 2004-01-01 00:00:00.000000000 +0000 @@ -0,0 +1,40 @@ +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") +; @@ -3165,10 +3148,9 @@ Index: bin/tests/system/rpz/test6 +update add *.credirect.bl. 300 CNAME google.com. +; +send -Index: bin/tests/system/rpz/tests.sh -=================================================================== ---- bin/tests/system/rpz/tests.sh.orig 2013-12-20 01:28:28.000000000 +0100 -+++ bin/tests/system/rpz/tests.sh 2014-01-21 17:56:13.521661569 +0100 +diff -r -u bin/tests/system/rpz/tests.sh-orig bin/tests/system/rpz/tests.sh +--- bin/tests/system/rpz/tests.sh-orig 2004-01-01 00:00:00.000000000 +0000 ++++ bin/tests/system/rpz/tests.sh 2004-01-01 00:00:00.000000000 +0000 @@ -21,15 +21,15 @@ . $SYSTEMTESTTOP/conf.sh @@ -3518,11 +3500,10 @@ Index: bin/tests/system/rpz/tests.sh # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then -Index: doc/arm/Bv9ARM-book.xml -=================================================================== ---- doc/arm/Bv9ARM-book.xml.orig 2013-12-20 01:28:28.000000000 +0100 -+++ doc/arm/Bv9ARM-book.xml 2014-01-21 17:56:13.524661605 +0100 -@@ -4870,7 +4870,7 @@ +diff -r -u doc/arm/Bv9ARM-book.xml-orig doc/arm/Bv9ARM-book.xml +--- doc/arm/Bv9ARM-book.xml-orig 2004-01-01 00:00:00.000000000 +0000 ++++ doc/arm/Bv9ARM-book.xml 2004-01-01 00:00:00.000000000 +0000 +@@ -4873,7 +4873,7 @@ min-table-size number ; } ; response-policy { zone_name 
@@ -3531,7 +3512,7 @@ Index: doc/arm/Bv9ARM-book.xml recursive-only yes_or_no max-policy-ttl number ; } recursive-only yes_or_no max-policy-ttl number break-dnssec yes_or_no min-ns-dots number ; -@@ -9164,77 +9164,122 @@ +@@ -9167,77 +9167,122 @@ Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. @@ -3710,7 +3691,7 @@ Index: doc/arm/Bv9ARM-book.xml Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. -@@ -9253,83 +9298,168 @@ +@@ -9256,83 +9301,168 @@ When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, @@ -3946,7 +3927,7 @@ Index: doc/arm/Bv9ARM-book.xml with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to -@@ -9338,15 +9468,43 @@ +@@ -9341,15 +9471,43 @@ @@ -3999,7 +3980,7 @@ Index: doc/arm/Bv9ARM-book.xml -@@ -9374,26 +9532,38 @@ +@@ -9377,26 +9535,38 @@ ; QNAME policy records. There are no periods (.) after the owner names. nxdomain.domain.com CNAME . ; NXDOMAIN policy @@ -4041,10 +4022,9 @@ Index: doc/arm/Bv9ARM-book.xml RPZ can affect server performance. -Index: lib/dns/db.c -=================================================================== ---- lib/dns/db.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/db.c 2014-01-21 17:56:13.525661616 +0100 +diff -r -u lib/dns/db.c-orig lib/dns/db.c +--- lib/dns/db.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/db.c 2004-01-01 00:00:00.000000000 +0000 @@ -1007,21 +1007,23 @@ (db->methods->resigned)(db, rdataset, version); } 
@@ -4084,10 +4064,9 @@ Index: lib/dns/db.c + return (ISC_R_SUCCESS); + return ((db->methods->rpz_ready)(db)); } -Index: lib/dns/ecdb.c -=================================================================== ---- lib/dns/ecdb.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/ecdb.c 2014-01-21 17:56:13.525661616 +0100 +diff -r -u lib/dns/ecdb.c-orig lib/dns/ecdb.c +--- lib/dns/ecdb.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/ecdb.c 2004-01-01 00:00:00.000000000 +0000 @@ -582,8 +582,8 @@ NULL, /* resigned */ NULL, /* isdnssec */ @@ -4099,10 +4078,9 @@ Index: lib/dns/ecdb.c NULL, /* findnodeext */ NULL /* findext */ }; -Index: lib/dns/include/dns/db.h -=================================================================== ---- lib/dns/include/dns/db.h.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/include/dns/db.h 2014-01-21 17:56:13.525661616 +0100 +diff -r -u lib/dns/include/dns/db.h-orig lib/dns/include/dns/db.h +--- lib/dns/include/dns/db.h-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/include/dns/db.h 2004-01-01 00:00:00.000000000 +0000 @@ -172,14 +172,9 @@ dns_dbversion_t *version); isc_boolean_t (*isdnssec)(dns_db_t *db); @@ -4160,10 +4138,9 @@ Index: lib/dns/include/dns/db.h */ ISC_LANG_ENDDECLS -Index: lib/dns/include/dns/rpz.h -=================================================================== ---- lib/dns/include/dns/rpz.h.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/include/dns/rpz.h 2014-01-21 17:56:13.526661629 +0100 +diff -r -u lib/dns/include/dns/rpz.h-orig lib/dns/include/dns/rpz.h +--- lib/dns/include/dns/rpz.h-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/include/dns/rpz.h 2004-01-01 00:00:00.000000000 +0000 @@ -25,19 +25,31 @@ #include #include 
@@ -4478,10 +4455,9 @@ Index: lib/dns/include/dns/rpz.h ISC_LANG_ENDDECLS -Index: lib/dns/include/dns/view.h -=================================================================== ---- lib/dns/include/dns/view.h.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/include/dns/view.h 2014-01-21 17:56:13.526661629 +0100 +diff -r -u lib/dns/include/dns/view.h-orig lib/dns/include/dns/view.h +--- lib/dns/include/dns/view.h-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/include/dns/view.h 2004-01-01 00:00:00.000000000 +0000 @@ -164,10 +164,7 @@ dns_acl_t * v4_aaaa_acl; dns_dns64list_t dns64; @@ -4494,10 +4470,9 @@ Index: lib/dns/include/dns/view.h /* * Configurable data for server use only, -Index: lib/dns/include/dns/zone.h -=================================================================== ---- lib/dns/include/dns/zone.h.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/include/dns/zone.h 2014-01-21 17:56:13.526661629 +0100 +diff -r -u lib/dns/include/dns/zone.h-orig lib/dns/include/dns/zone.h +--- lib/dns/include/dns/zone.h-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/include/dns/zone.h 2004-01-01 00:00:00.000000000 +0000 @@ -2081,19 +2081,20 @@ */ @@ -4523,10 +4498,9 @@ Index: lib/dns/include/dns/zone.h void dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level); -Index: lib/dns/rbtdb.c -=================================================================== ---- lib/dns/rbtdb.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/rbtdb.c 2014-01-21 17:56:13.528661652 +0100 +diff -r -u lib/dns/rbtdb.c-orig lib/dns/rbtdb.c +--- lib/dns/rbtdb.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/rbtdb.c 2004-01-01 00:00:00.000000000 +0000 @@ -453,7 +453,9 @@ dns_rbt_t * tree; dns_rbt_t * nsec; @@ -4597,7 +4571,7 @@ Index: lib/dns/rbtdb.c "dns_rbt_deletenode: %s", isc_result_totext(result)); } -@@ -2538,14 +2550,15 @@ +@@ -2540,14 +2552,15 @@ result = dns_rbt_addnode(tree, name, &node); if (result == ISC_R_SUCCESS) { #ifdef BIND9 
@@ -4615,7 +4589,7 @@ Index: lib/dns/rbtdb.c } #endif dns_rbt_namefromnode(node, &nodename); -@@ -4547,228 +4560,45 @@ +@@ -4549,228 +4562,45 @@ return (result); } @@ -4713,23 +4687,23 @@ Index: lib/dns/rbtdb.c - switch (rdata.type) { - case dns_rdatatype_a: - INSIST(rdata.length == 4); -- memcpy(&ina.s_addr, rdata.data, 4); +- memmove(&ina.s_addr, rdata.data, 4); - isc_netaddr_fromin(&netaddr, &ina); - break; - case dns_rdatatype_aaaa: - INSIST(rdata.length == 16); -- memcpy(in6a.s6_addr, rdata.data, 16); +- memmove(in6a.s6_addr, rdata.data, 16); - isc_netaddr_fromin6(&netaddr, &in6a); - break; - default: - continue; - } - +- - result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type, - selfname, qname, &prefix); - if (result != ISC_R_SUCCESS) - continue; -- + - /* - * If we already have a rule, discard this new rule if - * is not better. @@ -4868,9 +4842,9 @@ Index: lib/dns/rbtdb.c } #endif -@@ -6874,8 +6704,9 @@ - noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep); +@@ -6938,8 +6768,9 @@ + done: #ifdef BIND9 - if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_addip(rbtdb->rpz_cidr, name); @@ -4878,9 +4852,9 @@ Index: lib/dns/rbtdb.c + noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, + name); #endif - - if (!hasnsec) -@@ -7060,6 +6891,20 @@ + if (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS) + *nodep = node; +@@ -7074,6 +6905,20 @@ RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); @@ -4901,7 +4875,7 @@ Index: lib/dns/rbtdb.c REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING)) == 0); rbtdb->attributes |= RBTDB_ATTR_LOADING; -@@ -7461,8 +7306,8 @@ +@@ -7476,8 +7321,8 @@ isdnssec, NULL, #ifdef BIND9 @@ -4912,7 +4886,7 @@ Index: lib/dns/rbtdb.c #else NULL, NULL, -@@ -7776,6 +7621,9 @@ +@@ -7791,6 +7636,9 @@ } rbtdb->attributes = 0; rbtdb->task = NULL; 
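Review bot: In the `@@ -4878,9 +4852,9 @@` hunk the rebased patch stores the result of `dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, name)` in `noderesult`, the same variable that carries the outcome of the node insertion, so when the RPZ summary update fails the following `if (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS) *nodep = node;` leaves `*nodep` unset although the node has apparently already been added to the tree. That is only safe if every caller treats a non-success result as a failed load and discards the whole database, which cannot be confirmed from the hunk; the guard in front of the `dns_rpz_add()` call and the rest of the enclosing function lie outside it. A one-line comment stating that contract would make the intent explicit, e.g. `/* an RPZ summary failure is reported as a failed insert; the node stays in the tree until the db is freed */`.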
@@ -4922,10 +4896,9 @@ Index: lib/dns/rbtdb.c /* * Version Initialization. -Index: lib/dns/rpz.c -=================================================================== ---- lib/dns/rpz.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/rpz.c 2014-01-21 17:56:13.529661664 +0100 +diff -r -u lib/dns/rpz.c-orig lib/dns/rpz.c +--- lib/dns/rpz.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/rpz.c 2004-01-01 00:00:00.000000000 +0000 @@ -37,6 +37,7 @@ #include #include @@ -7213,7 +7186,8 @@ Index: lib/dns/rpz.c - * but there are objections. + * but some people object. */ - memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); +- memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); ++ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); for (i = 0; i < 4; i++) { tgt_ip.w[i] = ntohl(src_ip6.w[i]); } @@ -7392,10 +7366,9 @@ Index: lib/dns/rpz.c */ if (dns_name_equal(&cname.cname, &rpz->passthru)) return (DNS_RPZ_POLICY_PASSTHRU); -Index: lib/dns/view.c -=================================================================== ---- lib/dns/view.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/view.c 2014-01-21 17:56:13.530661676 +0100 +diff -r -u lib/dns/view.c-orig lib/dns/view.c +--- lib/dns/view.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/view.c 2004-01-01 00:00:00.000000000 +0000 @@ -197,9 +197,7 @@ view->maxbits = 0; view->v4_aaaa = dns_v4_aaaa_ok; 
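Review bot: The rebased patch now replaces `memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));` with `memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));`, undoing the memcpy→memmove substitution that the 9.9.5 base tree carries at this spot. As far as the hunk shows the two arguments are distinct objects (`src_ip6` appears to be a local, `netaddr` is the caller's), so neither call is incorrect, but reverting an upstream-wide change inside a feature patch adds a conflict point for every future rebase and is unrelated to RPZ. Dropping the `-	memmove…`/`+	memcpy…` pair and keeping the base tree's `memmove` line as context would shrink the patch without changing behaviour.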
@@ -7417,79 +7390,10 @@ Index: lib/dns/view.c #ifdef USE_RRL dns_rrl_view_destroy(view); #else /* USE_RRL */ -Index: lib/dns/win32/libdns.def -=================================================================== ---- lib/dns/win32/libdns.def.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/win32/libdns.def 2014-01-21 17:56:13.530661676 +0100 -@@ -130,8 +130,8 @@ - dns_db_overmem - dns_db_printnode - dns_db_register --dns_db_rpz_enabled --dns_db_rpz_findips -+dns_db_rpz_attach -+dns_db_rpz_ready - dns_db_subtractrdataset - dns_db_unregister - dns_dbiterator_current -@@ -639,17 +639,22 @@ - dns_result_torcode - dns_result_totext - dns_rootns_create -+dns_rpz_add -+dns_rpz_attach_rpzs -+dns_rpz_beginload - dns_rpz_cidr_addip --dns_rpz_cidr_deleteip - dns_rpz_cidr_find --dns_rpz_cidr_free - dns_rpz_decode_cname --dns_rpz_enabled_get --dns_rpz_new_cidr -+dns_rpz_delete -+dns_rpz_delete_node -+dns_rpz_detach_rpzs -+dns_rpz_find_ip -+dns_rpz_find_name -+dns_rpz_new_zones - dns_rpz_policy2str -+dns_rpz_ready - dns_rpz_str2policy - dns_rpz_type2str --dns_rpz_view_destroy - dns_rriterator_current - dns_rriterator_destroy - dns_rriterator_first -@@ -810,7 +815,7 @@ - dns_zone_forcereload - dns_zone_forwardupdate - dns_zone_fulldumptostream --dns_zone_get_rpz -+dns_zone_get_rpz_num - dns_zone_getadded - dns_zone_getchecknames - dns_zone_getclass -@@ -838,6 +843,7 @@ - dns_zone_getqueryonacl - dns_zone_getraw - dns_zone_getrequeststats -+dns_zone_getrpz_num - dns_zone_getserial - dns_zone_getserial2 - dns_zone_getserialupdatemethod -@@ -875,6 +881,7 @@ - dns_zone_refresh - dns_zone_rekey - dns_zone_replacedb -+dns_zone_rpz_attach - dns_zone_rpz_enable - dns_zone_setacache - dns_zone_setadded -Index: lib/dns/xfrin.c -=================================================================== ---- lib/dns/xfrin.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/xfrin.c 2014-01-21 17:56:13.530661676 +0100 -@@ -280,7 +280,7 @@ +diff -r -u lib/dns/xfrin.c-orig lib/dns/xfrin.c +--- 
lib/dns/xfrin.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/xfrin.c 2004-01-01 00:00:00.000000000 +0000 +@@ -279,7 +279,7 @@ 0, NULL, /* XXX guess */ dbp); if (result == ISC_R_SUCCESS) @@ -7498,11 +7402,10 @@ Index: lib/dns/xfrin.c return (result); } -Index: lib/dns/zone.c -=================================================================== ---- lib/dns/zone.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/dns/zone.c 2014-01-21 17:56:13.533661711 +0100 -@@ -346,9 +346,10 @@ +diff -r -u lib/dns/zone.c-orig lib/dns/zone.c +--- lib/dns/zone.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/dns/zone.c 2004-01-01 00:00:00.000000000 +0000 +@@ -357,9 +357,10 @@ isc_boolean_t added; /*% @@ -7515,7 +7418,7 @@ Index: lib/dns/zone.c /*% * Serial number update method. -@@ -915,7 +916,8 @@ +@@ -940,7 +941,8 @@ zone->nodes = 100; zone->privatetype = (dns_rdatatype_t)0xffffU; zone->added = ISC_FALSE; @@ -7525,7 +7428,7 @@ Index: lib/dns/zone.c ISC_LIST_INIT(zone->forwards); zone->raw = NULL; zone->secure = NULL; -@@ -1019,6 +1021,13 @@ +@@ -1043,6 +1045,13 @@ zone_detachdb(zone); if (zone->acache != NULL) dns_acache_detach(&zone->acache); @@ -7539,7 +7442,7 @@ Index: lib/dns/zone.c zone_freedbargs(zone); RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0) == ISC_R_SUCCESS); -@@ -1511,7 +1520,9 @@ +@@ -1535,7 +1544,9 @@ * Set the response policy index and information for a zone. */ isc_result_t @@ -7550,7 +7453,7 @@ Index: lib/dns/zone.c /* * Only RBTDB zones can be used for response policy zones, * because only they have the code to load the create the summary data. -@@ -1522,26 +1533,37 @@ +@@ -1546,26 +1557,37 @@ strcmp(zone->db_argv[0], "rbt64") != 0) return (ISC_R_NOTIMPLEMENTED); @@ -7598,7 +7501,7 @@ Index: lib/dns/zone.c } static isc_result_t -@@ -1997,9 +2019,7 @@ +@@ -2025,9 +2047,7 @@ isc_result_t tresult; unsigned int options; 
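Review bot: The previous version of the patch updated `lib/dns/win32/libdns.def` to export the renamed and added entry points (`dns_db_rpz_attach`, `dns_db_rpz_ready`, `dns_rpz_add`, `dns_rpz_find_ip`, `dns_zone_rpz_attach`, …) and to drop the removed ones; the rebased patch carries no `libdns.def` hunk at all. Unless the 9.9.5 base already lists these symbols, a Windows build of the patched tree would link against a stale export list, missing the new functions and still naming ones the C hunks remove. This does not affect the Linux package built here, but if the patch is meant to stay rebasable on upstream it is worth carrying the `.def` update forward rather than silently dropping it.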
@@ -7609,7 +7512,7 @@ Index: lib/dns/zone.c options = get_master_options(zone); if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) options |= DNS_MASTER_MANYERRORS; -@@ -4177,6 +4197,11 @@ +@@ -4210,6 +4230,11 @@ if (result != ISC_R_SUCCESS) goto cleanup; } else { @@ -7621,9 +7524,9 @@ Index: lib/dns/zone.c zone_attachdb(zone, db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); DNS_ZONE_SETFLAG(zone, -@@ -13142,6 +13167,12 @@ - REQUIRE(DNS_ZONE_VALID(zone)); - REQUIRE(LOCKED_ZONE(zone)); +@@ -13455,6 +13480,12 @@ + if (inline_raw(zone)) + REQUIRE(LOCKED_ZONE(zone->secure)); +#ifdef BIND9 + result = dns_db_rpz_ready(db); @@ -7634,10 +7537,9 @@ Index: lib/dns/zone.c result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL, NULL, NULL, NULL, NULL); if (result == ISC_R_SUCCESS) { -Index: lib/isccfg/namedconf.c -=================================================================== ---- lib/isccfg/namedconf.c.orig 2013-12-20 01:28:28.000000000 +0100 -+++ lib/isccfg/namedconf.c 2014-01-21 17:56:13.534661723 +0100 +diff -r -u lib/isccfg/namedconf.c-orig lib/isccfg/namedconf.c +--- lib/isccfg/namedconf.c-orig 2004-01-01 00:00:00.000000000 +0000 ++++ lib/isccfg/namedconf.c 2004-01-01 00:00:00.000000000 +0000 @@ -1054,11 +1054,12 @@ /*% @@ -7685,15 +7587,15 @@ Index: lib/isccfg/namedconf.c { NULL, NULL, 0 } }; static cfg_type_t cfg_type_rpz = { -Index: version -=================================================================== ---- version.orig 2013-12-20 01:28:28.000000000 +0100 -+++ version 2014-01-21 17:56:13.534661723 +0100 -@@ -7,6 +7,6 @@ +diff -r -u version-orig version +--- version-orig 2004-01-01 00:00:00.000000000 +0000 ++++ version 2004-01-01 00:00:00.000000000 +0000 +@@ -7,7 +7,7 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=9 --PATCHVER=4 -+PATCHVER=4-rpz2.13269.14 +-PATCHVER=5 ++PATCHVER=5-rpz2+rl.14038.05 RELEASETYPE=-P - RELEASEVER=2 + RELEASEVER=1 + EXTENSIONS=