Unbound RPZ 1.20.0 no longer respects access-control-tag.
deteque opened this issue · 1 comment
Describe the bug
We have a cluster of unbound servers that utilize access-control-tags for RPZ access. On 1.19.3 these tags work as expected and only apply the RPZ zones to clients with the tag configured. After upgrading to 1.20.0, all configured RPZ zones are applied to all clients regardless of client IP.
To reproduce
Steps to reproduce the behavior:
- Install unbound 1.19.3
- Configure access-control-tags for source client IP and configure RPZ zones to use those tags.
- Perform DNS queries against the instance to confirm that it works
- Update to unbound 1.20.0
- Perform DNS queries to instance and see that all RPZ zones are applied regardless of tags set
Expected behavior
Unbound should only apply RPZ zones to clients with the relevant access-control-tags set; instead, all RPZ zones are being applied to all clients regardless of which access-control-tags are set.
System:
- Unbound version: 1.20.0
- OS: Debian GNU/Linux 12 (bookworm)
unbound -V output:
Version 1.20.0
Configure line: --prefix=/usr --mandir=/usr/share/man --sysconfdir=/etc --with-libevent --enable-dnstap
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023
Linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
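An added example unbound.conf fragment (not from the reporter or from the Unbound project) showing the tag-based RPZ setup the report describes: two client netblocks each receive a different tag, and each rpz block is limited to one tag. The netblocks, tag names, zone names and zonefile paths are assumed.

```conf
server:
    # RPZ needs the respip module in front of the resolver modules.
    module-config: "respip validator iterator"

    # Tags must be declared before access-control-tag or rpz refers to them.
    define-tag: "rpz-strict rpz-basic"

    # Both netblocks may query; each carries a different tag (assumed ranges).
    access-control: 10.0.1.0/24 allow
    access-control: 10.0.2.0/24 allow
    access-control-tag: 10.0.1.0/24 "rpz-strict"
    access-control-tag: 10.0.2.0/24 "rpz-basic"

# Expected: this policy rewrites answers only for clients tagged rpz-strict.
rpz:
    name: "strict.rpz.example."
    zonefile: "/var/lib/unbound/strict.rpz.example.zone"
    tags: "rpz-strict"
    rpz-log: yes
    rpz-log-name: "strict"

# Expected: this policy rewrites answers only for clients tagged rpz-basic.
rpz:
    name: "basic.rpz.example."
    zonefile: "/var/lib/unbound/basic.rpz.example.zone"
    tags: "rpz-basic"
    rpz-log: yes
    rpz-log-name: "basic"
```

With rpz-log enabled, a log line naming the "strict" policy for a query from 10.0.2.0/24 (or "basic" for 10.0.1.0/24) is the observable sign of the regression the report describes, and a quick check to run after upgrading.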
Could it be that this is already fixed with b6c7ea5 and 4b30e88? These are also fixes for 1.20.0 for rpz and the use of tags.
Those fixes were made for #1079.
The fixes are available from the code repository. That passes unit tests, and that includes a test for access-control-tag and rpz, in testdata/rpz_cname_tag.rpl (https://github.com/NLnetLabs/unbound/blob/master/testdata/rpz_cname_tag.rpl).