NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound RPZ 1.20.0 no longer respects access-control-tag. #1095

Open deteque opened 1 week ago

deteque commented 1 week ago

**Describe the bug**
We have a cluster of unbound servers that utilize access-control-tags for RPZ access. On 1.19.3 these tags work as expected and only apply the RPZ zones to clients with the tag configured. After upgrading to 1.20.0 all configured RPZ zones are applied to all clients regardless of client IP.

**To reproduce**
Steps to reproduce the behavior:

  1. Install unbound 1.19.3
  2. Configure access-control-tags for source client IP and configure RPZ zones to use those tags.
  3. Perform DNS queries against the instance to confirm that it works
  4. Update to unbound 1.20.0
  5. Perform DNS queries to instance and see that all RPZ zones are applied regardless of tags set

**Expected behavior**
Unbound should only apply RPZ zones to clients with the relevant access-control-tags set; instead, all RPZ zones are being applied to all clients regardless of which access-control-tags are set.

**System** (output of `unbound -V`):

```
Configure line: --prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc --with-libevent --enable-dnstap
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```



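For readers reproducing the report, the configuration shape it describes looks like the following. This is an added example, not configuration from the reporter or from the Unbound project; the netblocks, the zone name and the zonefile path are constructed placeholders, and `rpz-block` is an arbitrary tag name. The options themselves (`define-tag`, `access-control-tag`, and `tags:` inside an `rpz:` block) are documented in unbound.conf(5).

```conf
server:
    # Declare every tag name once; access-control-tag and rpz tags
    # may only use names from this list.
    define-tag: "rpz-block"

    # 192.0.2.0/24 is a constructed example range: these clients carry
    # the tag, so the tagged RPZ below should apply to them.
    access-control: 192.0.2.0/24 allow
    access-control-tag: 192.0.2.0/24 "rpz-block"

    # 198.51.100.0/24 (also constructed) is allowed but untagged:
    # the tagged RPZ should NOT apply to these clients.
    access-control: 198.51.100.0/24 allow

rpz:
    # Placeholder policy zone name and local file; substitute your own.
    name: "rpz.example.invalid."
    zonefile: "/etc/unbound/rpz.example.invalid.zone"
    # Restrict this policy zone to clients that carry the tag.
    tags: "rpz-block"
    # Log each applied policy so the check below can be read from the log.
    rpz-log: yes
    rpz-log-name: "tagged-rpz"
```

To verify the behaviour after an upgrade, resolve a name listed in the policy zone once from a host in the tagged netblock and once from a host in the untagged one. Only the tagged client should receive the RPZ answer, and only that query should produce an `rpz` log line; if the untagged client is also rewritten, the resolver is showing the regression described in this issue.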
wcawijngaards commented 1 week ago


Could it be that this is already fixed with https://github.com/NLnetLabs/unbound/commit/b6c7ea563f8c1c3c6753923a36e3e29c22f6b683 and https://github.com/NLnetLabs/unbound/commit/4b30e88eec76bc12819fe0fe1da97fad00ba7d98 ? These are also fixes for 1.20.0 for rpz and the use of tags.

Those fixes were made for #1079 .

The fixes are available from the code repository. That passes unit tests, and that includes a test for access-control-tag and rpz, in testdata/rpz_cname_tag.rpl (https://github.com/NLnetLabs/unbound/blob/master/testdata/rpz_cname_tag.rpl).