tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0 #1079
Comments
The functionality for RPZ CNAME handling started working better in 1.20.0, and this has a bug that tags are not handled correctly. The bugfix for this issue has the tag handling fixed in the code that deals with RPZ iterator callbacks. That also fixes tag handling for other RPZ triggers and RPZ actions.
info is like no taglist intersection.
Another bug fix for cases where no tag is set and also due to the query type the respip client_info is a NULL pointer, it should be handled like no tags are matched.
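The rule stated in the comments above (a query that reaches the RPZ check without client info is treated as having no taglist intersection), as an added C example that is not Unbound's own code. `struct client_info`, `tags_intersect`, `policy_zone_applies` and the sample bitmaps are hypothetical, and the example assumes that a zone without tags applies to every client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for per-client data, not Unbound's real struct.
 * A taglist is a bitmap with one bit per defined tag. */
struct client_info {
    const uint8_t *taglist;
    size_t taglist_len;
};

/* Return 1 when the two tag bitmaps share at least one set bit. */
static int tags_intersect(const uint8_t *a, size_t alen,
                          const uint8_t *b, size_t blen)
{
    size_t i, n = alen < blen ? alen : blen;
    for (i = 0; i < n; i++)
        if (a[i] & b[i])
            return 1;
    return 0;
}

/* Decide whether a policy zone applies to a query.
 * Assumption: a zone without tags applies to every client. */
int policy_zone_applies(const uint8_t *zone_tags, size_t zone_len,
                        const struct client_info *ci)
{
    if (!zone_tags || zone_len == 0)
        return 1; /* untagged zone: no restriction */
    if (!ci || !ci->taglist || ci->taglist_len == 0)
        return 0; /* no client info: same as no taglist intersection */
    return tags_intersect(zone_tags, zone_len, ci->taglist, ci->taglist_len);
}

/* Constructed sample data: bit 0 and bit 1 are two hypothetical tags. */
static const uint8_t ZONE_TAGS[1] = { 0x01 };
static const uint8_t TAG0[1] = { 0x01 };
static const uint8_t TAG1[1] = { 0x02 };
static const struct client_info CLIENT_TAG0 = { TAG0, 1 };
static const struct client_info CLIENT_TAG1 = { TAG1, 1 };

int main(void)
{
    printf("matching tag:   %d\n", policy_zone_applies(ZONE_TAGS, 1, &CLIENT_TAG0));
    printf("other tag:      %d\n", policy_zone_applies(ZONE_TAGS, 1, &CLIENT_TAG1));
    printf("no client info: %d\n", policy_zone_applies(ZONE_TAGS, 1, NULL));
    printf("untagged zone:  %d\n", policy_zone_applies(NULL, 0, NULL));
    return 0;
}
```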
* nlnet/master: (35 commits)
- Add unit test for validation of repeated use of a DNAME record.
- Fix validation for repeated use of a DNAME record.
- Fix typos for 'the the' in text.
- Fix memory leak in setup of dsa sig.
- Skip unbound-dnstap-socket unit test when not compiled with --enable-debug.
- Fix to squelch connection reset by peer errors from log. And fix that the tcp read errors are labeled as initial for the first calls.
- Fix memory leak on exit for unbound-dnstap-socket; creates false negatives during testing.
- Fix memory leak when reload_keep_cache is used and num-threads changes.
- Enable AddressSanitizer error detection in tdir tests.
- Fix for NLnetLabs#1079: fix RPZ taglist in iterator callback that no client info is like no taglist intersection.
- Fix NLnetLabs#1079: tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0. Changelog note for NLnetLabs#1078.
- Merge NLnetLabs#1078: Only check old pid if no username. Only check old pid if no username
- Update patch to remove 'command' shell builtin and update error text. unbound-control-setup: check openssl
- Fix unused variable warning on compilation with no thread support.
- Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
- Fix to enable that SERVFAIL is cached, for a short period, for more cases. In the cases where limits are exceeded. Changelog entry for NLnetLabs#1059:
- Fix NLnetLabs#1059: Intermittent DNS blocking failure with local-zone and always_nxdomain. Addition of local_zones dynamically via unbound-control was not finding the zone's parent correctly. Proper parent identification for dynamically entered local zones (NLnetLabs#1076)
...
Describe the bug
After upgrade from 1.19.3 to 1.20.0 tagged rpz zones are always used.
To reproduce
Steps to reproduce the behavior:
archive.ubuntu.com.rpz.test.intern. 300 IN CNAME install.intern.
Expected behavior
dig @127.0.0.1 archive.ubuntu.com +nocomment
shouldn't return rpz modified data but it does.
With unbound 1.19.3:
However with unbound 1.20.0 the following answer is returned:
System:
Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/libexec/platform-python --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/var/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --enable-dnstap --with-rootkey-file=/var/lib/unbound/root.key
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1k FIPS 25 Mar 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
Additional information
The same happens if using access-control-tags.