From 8dbf46913b6b29d0be791cd8ed323c913d468827 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" 
Date: Mon, 18 Mar 2024 14:36:29 +0100
Subject: [PATCH] - Fix rpz for qtype CNAME after nameserver trigger.

---
 doc/Changelog | 1 +
 iterator/iterator.c | 5 +-
 testdata/rpz_qtype_cname.rpl | 120 +++++++++++++++++++++++++++++++++++
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 testdata/rpz_qtype_cname.rpl

diff --git a/doc/Changelog b/doc/Changelog
index 1086f18e3..421d79a96 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,7 @@
 - Fix rpz that copies the cname override completely to the temp region,
 so there are no references to the rpz region.
 - Add rpz unit test for nsip action override.
+ - Fix rpz for qtype CNAME after nameserver trigger.
 
 15 March 2024: Yorgos
 - Merge #1030: Persist the openssl and expat directories for repeated
diff --git a/iterator/iterator.c b/iterator/iterator.c
index ad67a3241..b6d0b67d4 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1458,6 +1458,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 forged_response->rep, iq->qchase.qname,
 iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
 iq->qchase.qclass) &&
+ iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
 count++ < ie->max_query_restarts) {
 /* another cname to follow */
 if(!handle_cname_response(qstate, iq, forged_response,
@@ -2750,7 +2751,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 if(qstate->env->auth_zones) {
 uint8_t* sname = NULL;
 size_t snamelen = 0;
- /* apply rpz triggers at query time */
+ /* apply rpz triggers at query time; nameserver IP and dname */
 struct dns_msg* forged_response_after_cname;
 struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq);
 int count = 0;
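Review bot: The new `iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&` guard is added to three copies of the same rpz CNAME-follow condition (this hunk in processInitRequest, and the hunks at 2758 in processQueryTargets and 3391 in processQueryResponse), and none of the copies says why qtype CNAME is exempt, so a later reader could reasonably drop it again. The reason, as the commit title and the added test suggest, is that a query for type CNAME is answered by the forged CNAME record itself; chasing it would replace that record with whatever the target resolves to. Suggest hoisting the condition into one static helper carrying that explanation and calling it from all three loops, so the next trigger change is made once; the `while(` line that opens each condition and the enclosing functions lie outside the hunks, and `count++ < ie->max_query_restarts` stays in the loop so the restart bound is unchanged.
```c
/* True when forged_response holds a CNAME for the chased qname that the
 * iterator should follow. A query for qtype CNAME is answered by that
 * CNAME record itself, so it is never chased. */
static int
rpz_forged_cname_to_follow(struct dns_msg* forged_response,
	struct iter_qstate* iq)
{
	return forged_response && reply_find_rrset_section_an(
		forged_response->rep, iq->qchase.qname,
		iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
		iq->qchase.qclass) &&
		iq->qchase.qtype != LDNS_RR_TYPE_CNAME;
}

/* … unchanged: processInitRequest up to the rpz loop … */
		while(rpz_forged_cname_to_follow(forged_response, iq) &&
			count++ < ie->max_query_restarts) {
			/* another cname to follow */
			/* … unchanged: handle_cname_response call and loop body … */
```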
@@ -2758,6 +2759,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 forged_response->rep, iq->qchase.qname,
 iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
 iq->qchase.qclass) &&
+ iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
 count++ < ie->max_query_restarts) {
 /* another cname to follow */
 if(!handle_cname_response(qstate, iq, forged_response,
@@ -3391,6 +3393,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 forged_response->rep, iq->qchase.qname,
 iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
 iq->qchase.qclass) &&
+ iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
 count++ < ie->max_query_restarts) {
 /* another cname to follow */
 if(!handle_cname_response(qstate, iq, forged_response,
diff --git a/testdata/rpz_qtype_cname.rpl b/testdata/rpz_qtype_cname.rpl
new file mode 100644
index 000000000..fa5674a0f
--- /dev/null
+++ b/testdata/rpz_qtype_cname.rpl
@@ -0,0 +1,120 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+www.gotham.a CNAME foo.target.a.
+32.42.30.20.10.rpz-nsip CNAME foo.target.a.
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ with qtype CNAME.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION AUTHORITY
+gotham.a. NS ns1.gotham.a.
+SECTION ADDITIONAL
+ns1.gotham.a. A 10.20.30.41
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham2.a. IN NS
+SECTION AUTHORITY
+gotham2.a. NS ns1.gotham2.a.
+SECTION ADDITIONAL
+ns1.gotham2.a. A 10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; gotham2.a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.42
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham2.a. IN CNAME
+SECTION ANSWER
+www.gotham2.a. CNAME foo2.target.a.
+ENTRY_END
+RANGE_END
+
+; Query for type CNAME, from the RPZ response
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a. IN CNAME
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA
+SECTION QUESTION
+www.gotham.a. IN CNAME
+SECTION ANSWER
+www.gotham.a. IN CNAME foo.target.a.
+ENTRY_END
+
+; Query for type CNAME, the answer is nameserver lookup, CNAME from rpz nsip.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a. IN CNAME
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham2.a. IN CNAME
+SECTION ANSWER
+www.gotham2.a. IN CNAME foo.target.a.
+ENTRY_END
+
+SCENARIO_END
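Review bot: The scenario drives the qname trigger (STEP 10, answered from the rpz zone) and the nsip trigger on the gotham2.a. nameserver at 10.20.30.42 (STEP 20), but it does not appear to reach the third changed loop in processQueryResponse, where a CNAME in an upstream answer re-triggers rpz; if that path is reachable with qtype CNAME, a third query step whose upstream CNAME target matches an rpz qname trigger would cover it, otherwise a comment in the scenario saying which code paths the two steps exercise would help the next reader. STEP 21 also lists `NOERROR` in its REPLY line while the otherwise parallel STEP 11 check has `REPLY QR RD RA AA` without it; both use `MATCH all`, so presumably the rcode is compared the same way in each, but making the two lines identical avoids a reader wondering whether a different rcode is expected at STEP 11.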