Commit 08e36aa5 authored by Mark Andrews's avatar Mark Andrews

4356. [func] Add the ability to specify whether to wait for

                        nameserver addresses to be looked up or not to
rpz with a new modifying directive 'nsip-wait-recurse'. [RT #35009]
parent f1a2709a
4356. [func] Add the ability to specify whether to wait for
nameserver addresses to be looked up or not to
rpz with a new modifying directive 'nsip-wait-recurse'.
[RT #35009]
4355. [func] "pkcs11-list" now displays the extractability
attribute of private or secret keys stored in
an HSM, as either "true", "false", or "never"
......
......@@ -4258,6 +4258,49 @@ rpz_get_zbits(ns_client_t *client,
return (zbits);
}
static void
query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
isc_result_t result;
isc_sockaddr_t *peeraddr;
dns_rdataset_t *tmprdataset;
ns_client_t *dummy = NULL;
unsigned int options;
if (client->query.prefetch != NULL)
return;
if (client->recursionquota == NULL) {
result = isc_quota_attach(&ns_g_server->recursionquota,
&client->recursionquota);
if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
result = ns_client_replace(client);
if (result != ISC_R_SUCCESS)
return;
isc_stats_increment(ns_g_server->nsstats,
dns_nsstatscounter_recursclients);
}
tmprdataset = query_newrdataset(client);
if (tmprdataset == NULL)
return;
if (!TCP(client))
peeraddr = &client->peeraddr;
else
peeraddr = NULL;
ns_client_attach(client, &dummy);
options = client->query.fetchoptions;
result = dns_resolver_createfetch3(client->view->resolver, qname, type,
NULL, NULL, NULL, peeraddr,
client->message->id, options, 0,
NULL, client->task, prefetch_done,
client, tmprdataset, NULL,
&client->query.prefetch);
if (result != ISC_R_SUCCESS) {
query_putrdataset(client, &tmprdataset);
ns_client_detach(&dummy);
}
}
/*
* Get an NS, A, or AAAA rrset related to the response for the client
* to check the contents of that rrset for hits by eligible policy zones.
......@@ -4359,6 +4402,9 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
*/
if (rpz_type == DNS_RPZ_TYPE_IP) {
result = DNS_R_NXRRSET;
} else if (!client->view->rpzs->p.nsip_wait_recurse) {
query_rpzfetch(client, name, type);
result = DNS_R_NXRRSET;
} else {
dns_name_copy(name, st->r_name, NULL);
result = query_recurse(client, type, st->r_name,
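Review bot: query_rpzfetch takes a recursion-quota slot and increments dns_nsstatscounter_recursclients before query_newrdataset can fail at `if (tmprdataset == NULL) return;`, and nothing in the hunk releases that slot on the early return; if the slot is meant to live until client teardown (as it presumably does for the existing prefetch path this mirrors) a comment saying so would help, otherwise the quota should be detached on that path. The function also has no header comment; I would add one above `query_rpzfetch` stating that it starts a background fetch of qname/type only to populate the cache for later RPZ-NSIP checks, that the result is discarded in prefetch_done, and that the `dummy` attach keeps the client alive until that callback runs. In the second hunk (rpz_rrset_find, whose function starts and ends outside the hunk) the `!client->view->rpzs->p.nsip_wait_recurse` branch returns DNS_R_NXRRSET, so the NSIP rule is not applied to the query that triggered the fetch; a one-line comment such as `/* Do not wait: answer now, fetch the NS address in the background. */` would make that trade-off visible at the point where it happens.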
......
......@@ -1933,6 +1933,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
else
new->p.qname_wait_recurse = ISC_FALSE;
sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
new->p.nsip_wait_recurse = ISC_TRUE;
else
new->p.nsip_wait_recurse = ISC_FALSE;
pview = NULL;
result = dns_viewlist_find(&ns_g_server->viewlist,
view->name, view->rdclass, &pview);
......
#!/usr/bin/perl -w
#
# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
use IO::File;
use IO::Socket;
use Net::DNS;
use Net::DNS::Packet;
my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
LocalPort => 5300, Proto => "udp") or die "$!";
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
print $pidf "$$\n" or die "cannot write pid file: $!";
$pidf->close or die "cannot close pid file: $!";
sub rmpid { unlink "ans.pid"; exit 1; };
$SIG{INT} = \&rmpid;
$SIG{TERM} = \&rmpid;
for (;;) {
$sock->recv($buf, 512);
print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
my $packet;
if ($Net::DNS::VERSION > 0.68) {
$packet = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($packet, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
print "REQUEST:\n";
$packet->print;
$packet->header->qr(1);
my @questions = $packet->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
my $donotrespond = 0;
$packet->header->aa(1);
if ($qtype eq "A") {
$packet->push("answer",
new Net::DNS::RR($qname .
" 300 A 10.53.0.5"));
#} elsif ($qtype eq "AAAA") {
#$packet->push("answer",
#new Net::DNS::RR($qname .
#" 300 AAAA 2001:db8:beef::1"));
} elsif ($qtype eq "NS") {
$donotrespond = 1;
}
if ($donotrespond == 0) {
$sock->send($packet->data);
print "RESPONSE:\n";
$packet->print;
print "\n";
} else {
print "DROP:\n";
}
}
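Review bot: The script runs without `use strict; use warnings;`, so `$buf` at `$sock->recv($buf, 512)` is an undeclared global and a misspelt variable anywhere else would go unnoticed; add `use strict;` and `use warnings;` after the license header and declare `my $buf;` before the `for (;;)` loop. The return value of `recv` is also unchecked, so a failed receive leaves the previous datagram in `$buf` and it is parsed and answered a second time; `defined $sock->recv($buf, 512) or next;` avoids that. The constructors use indirect-object syntax (`new IO::File ...`, `new Net::DNS::Packet(...)`); `IO::File->new(...)` and `Net::DNS::Packet->new(...)` are the unambiguous form. Dropping NS queries in the `elsif ($qtype eq "NS")` branch appears to be what makes the nsip-wait-recurse yes path slow in tests.sh; a comment stating that intent next to `$donotrespond = 1;` would save the next reader a trip through the test script.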
......@@ -15,10 +15,11 @@
# Clean up after rpz tests.
rm -f dig.out.*
rm -f ns2/named.conf
rm -f ns2/*.local
rm -f ns2/*.queries
rm -f ns2/named.[0-9]*.conf
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run
rm -f ns2/*.local
rm -f ns2/*.queries
rm -f ns2/named.[0-9]*.conf
rm -f ns2/named.conf
rm -f ns3/named.conf
$TTL 0
@ SOA . . 0 0 0 0 0
@ NS ns
ns A 10.53.0.3
child NS ns.child
ns.child A 10.53.0.4
/*
* Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
include "../../common/rndc.key";
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
response-policy { zone "policy"; };
};
zone "policy" { type master; file "policy.db"; };
zone "example.tld" { type master; file "example.db"; };
zone "." { type master; file "root.db"; };
/*
* Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
include "../../common/rndc.key";
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
response-policy { zone "policy"; } nsip-wait-recurse no;
};
zone "policy" { type master; file "policy.db"; };
zone "example.tld" { type master; file "example.db"; };
zone "." { type master; file "root.db"; };
$TTL 0
@ SOA . . 0 0 0 0 0
@ NS .
32.100.0.53.10.rpz-nsip CNAME .
$TTL 0
@ SOA . . 0 0 0 0 0
@ NS ns
ns A 10.53.0.3
foo NS foo.ns5
ns5.foo A 10.53.0.5
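Review bot: The delegation `foo NS foo.ns5` points at a server under a top-level `ns5` name, while the only address record in this zone file is `ns5.foo A 10.53.0.5`, so the NS target and the glue do not match and the target has no address here. If the mismatch is deliberate (an NS name that cannot be resolved, to exercise the wait-for-recursion path), a `; deliberately unresolvable NS target` comment beside it would make that clear; otherwise it probably should read `foo NS ns5.foo`.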
$TTL 0
@ SOA . . 0 0 0 0 0
@ NS ns
ns A 10.53.0.4
foo NS ns.foo
foo NS ns.foo.
ns.foo A 10.53.0.5
/*
* Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
};
zone "child.example.tld" { type master; file "child.example.db"; };
......@@ -19,3 +19,4 @@ SYSTEMTESTTOP=..
perl testgen.pl
cp -f ns2/named.default.conf ns2/named.conf
cp -f ns3/named1.conf ns3/named.conf
......@@ -310,4 +310,30 @@ grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
status=1
}
t=`expr $t + 1`
echo "I:checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
echo "I:timing 'nsip-wait-recurse yes' (default)"
ret=0
t1=`$PERL -e 'print time()."\n";'`
$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
t2=`$PERL -e 'print time()."\n";'`
p1=`expr $t2 - $t1`
echo "I:elasped time $p1 seconds"
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 flush
cp -f ns3/named2.conf ns3/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > /dev/null
echo "I:timing 'nsip-wait-recurse no'"
t3=`$PERL -e 'print time()."\n";'`
$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
t4=`$PERL -e 'print time()."\n";'`
p2=`expr $t4 - $t3`
echo "I:elasped time $p2 seconds"
if test $p1 -le $p2; then ret=1; fi
if test $ret != 0; then echo "I:failed"; fi
status=`expr $status + $ret`
exit $status
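Review bot: The pass condition `if test $p1 -le $p2; then ret=1; fi` compares whole-second deltas from `time()`, so the check fails whenever both lookups finish within the same second and otherwise turns on scheduler noise near a second boundary; either use a finer clock or assert on a minimum gap, for instance requiring `$p1` to exceed `$p2` by more than one second. Neither dig.out.yes.$t nor dig.out.no.$t is inspected, so the test never confirms that both configurations still answer foo.child.example.tld; a `grep "status: NOERROR"` on each, as the preceding test does, would catch a regression where the faster path also breaks resolution. The two echo lines also misspell `elasped`; it should read `elapsed`.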
......@@ -4669,6 +4669,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> max-policy-ttl <replaceable>number</replaceable> </optional>
<optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional>
<optional> min-ns-dots <replaceable>number</replaceable> </optional>
<optional> nsip-wait-recurse <replaceable>yes_or_no</replaceable> </optional>
<optional> qname-wait-recurse <replaceable>yes_or_no</replaceable> </optional>
<optional> automatic-interface-scan <replaceable>yes_or_no</replaceable> </optional>
; </optional>
......@@ -10057,12 +10058,32 @@ deny-answer-aliases { "example.net"; };
<term><command>RPZ-NSIP</command></term>
<listitem>
<para>
NSIP triggers are encoded like IP triggers except as
NSIP triggers match the IP addresses of authoritative
servers. They are enncoded like IP triggers, except as
subdomains of <command>rpz-nsip</command>.
NSDNAME and NSIP triggers are checked only for names with at
least <command>min-ns-dots</command> dots.
The default value of <command>min-ns-dots</command> is 1 to
exclude top level domains.
The default value of <command>min-ns-dots</command> is
1, to exclude top level domains.
</para>
<para>
If a name server's IP address is not yet known,
<command>named</command> will recursively look up
the IP address before applying an RPZ-NSIP rule.
This can cause a processing delay. To speed up
processing at the cost of precision, the
<command>nsip-wait-recurse</command> option
can be used: when set to <userinput>no</userinput>,
RPZ-NSIP rules will only be applied when a name
servers's IP address has already been looked up and
cached. If a server's IP address is not in the
cache, then the RPZ-NSIP rule will be ignored,
but the address will be looked up in the
background, and the rule will be applied
to subsequent queries. The default is
<userinput>yes</userinput>, meaning RPZ-NSIP
rules should always be applied even if an
address needs to be looked up first.
</para>
</listitem>
</varlistentry>
......
......@@ -156,15 +156,15 @@ options {
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( unlimited | default | <sizeval> );
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs ( <quoted_string> | none ); // not configured
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>;
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
host-statistics <boolean>; // not implemented
......@@ -267,13 +267,13 @@ options {
require-server-cookie <boolean>;
reserved-sockets <integer>;
resolver-query-timeout <integer>;
response-policy { zone <quoted_string> [ policy ( given | disabled
| passthru | no-op | drop | tcp-only | nxdomain | nodata |
cname <quoted_string> ) ] [ recursive-only <boolean> ] [ log
<boolean> ] [ max-policy-ttl <integer> ]; ... } [
recursive-only <boolean> ] [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
qname-wait-recurse <boolean> ];
response-policy { zone <quoted_string> [ log <boolean> ] [
max-policy-ttl <integer> ] [ policy ( given | disabled |
passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
<quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
......@@ -452,9 +452,9 @@ view <string> [ <class> ] {
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
......@@ -542,13 +542,13 @@ view <string> [ <class> ] {
request-sit <boolean>; // obsolete
require-server-cookie <boolean>;
resolver-query-timeout <integer>;
response-policy { zone <quoted_string> [ policy ( given | disabled
| passthru | no-op | drop | tcp-only | nxdomain | nodata |
cname <quoted_string> ) ] [ recursive-only <boolean> ] [ log
<boolean> ] [ max-policy-ttl <integer> ]; ... } [
recursive-only <boolean> ] [ break-dnssec <boolean> ] [
max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
qname-wait-recurse <boolean> ];
response-policy { zone <quoted_string> [ log <boolean> ] [
max-policy-ttl <integer> ] [ policy ( given | disabled |
passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
<quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
......
......@@ -176,6 +176,7 @@ struct dns_rpz_popt {
dns_rpz_zbits_t no_log;
isc_boolean_t break_dnssec;
isc_boolean_t qname_wait_recurse;
isc_boolean_t nsip_wait_recurse;
unsigned int min_ns_labels;
dns_rpz_num_t num_zones;
};
......
......@@ -1440,10 +1440,10 @@ static cfg_type_t cfg_type_rpz_policy = {
};
static cfg_tuplefielddef_t rpz_zone_fields[] = {
{ "zone name", &cfg_type_rpz_zone, 0 },
{ "policy", &cfg_type_rpz_policy, 0 },
{ "recursive-only", &cfg_type_boolean, 0 },
{ "log", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
{ "policy", &cfg_type_rpz_policy, 0 },
{ "recursive-only", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpz_tuple = {
......@@ -1458,11 +1458,12 @@ static cfg_type_t cfg_type_rpz_list = {
};
static cfg_tuplefielddef_t rpz_fields[] = {
{ "zone list", &cfg_type_rpz_list, 0 },
{ "recursive-only", &cfg_type_boolean, 0 },
{ "break-dnssec", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
{ "min-ns-dots", &cfg_type_uint32, 0 },
{ "nsip-wait-recurse", &cfg_type_boolean, 0 },
{ "qname-wait-recurse", &cfg_type_boolean, 0 },
{ "recursive-only", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpz = {
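Review bot: Both tables are reordered alphabetically in addition to gaining `nsip-wait-recurse`, which changes the positional index of the existing `policy`, `recursive-only`, `log` and `max-policy-ttl` entries in rpz_zone_fields and of `recursive-only` in rpz_fields. That is safe for callers that look fields up by name with cfg_tuple_get, as configure_rpz does in this commit, but any positional access elsewhere in the tree would silently read the wrong field; it would be worth stating in the commit message that these tuples are name-addressed only, or keeping the reorder as a separate change from the functional addition.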
......