Subject: RPZ NSDNAME does not rewrite answers as documented (and as in BIND 9.8.3)
Date: Tue, 7 Jul 2015 19:00:24 +0200
To: bind9-bugs@isc.org
From: "Tomas Hozza" <thozza@redhat.com>
Hi.
Recently we turned on the NSIP and NSDNAME RPZ functionality in BIND 9.8.3,
which we distribute in RHEL-6. Our QA has a simple test consisting of one RPZ
zone with NSDNAME and NSIP rules (see the attached files).
As part of the test, they query named for www.redhat.cz using dig. Now
the RPZ zone "badlist" contains NSDNAME rules for all NS used by the
"cz." domain. With BIND 9.8.3 the query is rewritten by the RPZ rules.
In RHEL-7 with BIND 9.9.4 and in Fedora with BIND 9.10.2-P1 the behavior
differs. Although queries for anything under *.nic.cz are rewritten by the
RPZ correctly, the query for www.redhat.cz (and also for www.<anything>.cz)
succeeds even though the NS for the cz. TLD are filtered.
The documentation says that:
"NSDNAME triggers match names of authoritative servers for the query
name, a parent of the query name, a CNAME for query name, or a parent of
a CNAME." (from ARM section 6.2.16.2 about RPZ).
Since the "cz." authoritative servers are those of a parent of the query name
for anything in *.cz., all queries in the "cz." domain should be rewritten by
the RPZ policy.
Note that *.nic.cz is blocked most probably because their authoritative
NS are the same as for "cz." since they are the registry for "cz." TLD.
So far I was not able to determine the code or change that causes the
different behavior from BIND 9.8.3.
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
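To make the documented NSDNAME semantics concrete, the following is an added example, not code from BIND, ISC or the reporter. It models the ARM rule quoted above ("match names of authoritative servers for the query name, a parent of the query name, ...") against a constructed delegation table and a constructed RPZ zone "badlist" (the real attachments are not shown here, so the NS names, the `ns1.redhat.example.` delegation and the zone contents are all assumptions). It also includes a second matcher that only looks at the nearest zone cut, which is the narrower behaviour the report observes; that variant is a hypothesis used for comparison, not a claim about what BIND 9.9.4 does internally.

```python
"""Model of the documented RPZ NSDNAME trigger (ARM 6.2.16.2).

Added example, not BIND code. A query name and each of its parents are
checked for authoritative NS names that appear as NSDNAME rules.
"""
from typing import Dict, List, Optional, Tuple

# Constructed delegation table: zone -> authoritative NS names.
# Placeholder data standing in for what a resolver learns while iterating.
DELEGATIONS: Dict[str, List[str]] = {
    ".": ["a.root-servers.net."],
    "cz.": ["a.ns.nic.cz.", "b.ns.nic.cz.", "c.ns.nic.cz."],
    "nic.cz.": ["a.ns.nic.cz.", "b.ns.nic.cz."],   # registry shares cz. servers
    "redhat.cz.": ["ns1.redhat.example."],        # assumed, unrelated hosting
    "example.com.": ["ns1.example.com."],
}

# Constructed RPZ zone "badlist": an NSDNAME trigger is an owner name of the
# form <nsname>.rpz-nsdname under the policy zone; "CNAME ." is the NXDOMAIN action.
BADLIST_RPZ = """\
$ORIGIN badlist.
a.ns.nic.cz.rpz-nsdname  CNAME .
b.ns.nic.cz.rpz-nsdname  CNAME .
c.ns.nic.cz.rpz-nsdname  CNAME .
"""


def parse_nsdname_rules(zone_text: str) -> Dict[str, str]:
    """Return {ns_name: action_rdata} for every *.rpz-nsdname CNAME record."""
    rules: Dict[str, str] = {}
    marker = ".rpz-nsdname"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments / blanks
        if not line or line.startswith("$"):         # skip $ORIGIN, $TTL
            continue
        owner, rtype, rdata = line.split(None, 2)
        if rtype.upper() == "CNAME" and owner.endswith(marker):
            ns = owner[: -len(marker)]
            rules[ns if ns.endswith(".") else ns + "."] = rdata.strip()
    return rules


def parents(name: str) -> List[str]:
    """Return name followed by each ancestor, ending with the root "."."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." if labels[i:] else "."
            for i in range(len(labels) + 1)]


def nsdname_match(qname: str, rules: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Documented rule: NS of the query name *and of every parent* are checked.

    Returns (matched_ns, zone_whose_ns_matched, action) or None.
    """
    for zone in parents(qname):
        for ns in DELEGATIONS.get(zone, []):
            if ns in rules:
                return ns, zone, rules[ns]
    return None


def closest_only_match(qname: str, rules: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Hypothetical narrower behaviour: only the nearest zone cut is checked.

    This reproduces the symptom in the report (www.redhat.cz escapes the
    policy while *.nic.cz is caught); it is a model, not BIND's code.
    """
    for zone in parents(qname):
        if zone in DELEGATIONS:
            for ns in DELEGATIONS[zone]:
                if ns in rules:
                    return ns, zone, rules[ns]
            return None
    return None


RULES = parse_nsdname_rules(BADLIST_RPZ)

if __name__ == "__main__":
    for q in ("www.redhat.cz.", "www.nic.cz.", "www.example.com."):
        print(f"{q:18} documented: {nsdname_match(q, RULES)}  "
              f"closest-only: {closest_only_match(q, RULES)}")
```

Under the documented rule, www.redhat.cz is rewritten because its parent zone cz. is served by a listed name server; under the closest-cut-only model it is not, while www.nic.cz is caught either way, matching the split the report describes. An operator can use the same walk, by hand, to predict which names an NSDNAME rule should cover before relying on it.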