Commit 984f2cea authored by Mark Andrews's avatar Mark Andrews

Check that RPZ 'CNAME *.' (NODATA) works with DNS64.

(cherry picked from commit b9dc9b68)
parent 712d991b
......@@ -33,3 +33,8 @@ ns.tld5. A 10.53.0.5
; generate SERVFAIL
servfail NS ns.tld2.
a-only.example A 1.2.3.4
no-a-no-aaaa.example TXT placeholder
a-plus-aaaa.example A 1.2.3.4
a-plus-aaaa.example AAAA ::1
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 120 NS ns.
ns. 120 A 10.53.0.1
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* DNS64 / RPZ server.
*/
options {
query-source address 10.53.0.9;
notify-source 10.53.0.9;
transfer-source 10.53.0.9;
port @PORT@;
pid-file "named.pid";
statistics-file "named.stats";
session-keyfile "session.key";
listen-on { 10.53.0.9; };
listen-on-v6 { none; };
notify yes;
minimal-responses no;
recursion yes;
dnssec-validation yes;
dns64-server "example.localdomain.";
dns64 64:ff9b::/96 { };
response-policy {
zone "rpz";
}
qname-wait-recurse no ;
include "../dnsrps.conf";
notify-delay 0;
};
logging { category rpz { default_debug; }; };
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };
zone "rpz." {
type master;
file "rpz.db";
notify no;
};
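Review bot: The `controls` statement `inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };` pairs an open allow-list with the checked-in secret `1234abcd8765`, and nothing in the file records that these are harness values. Presumably this mirrors the other ns*/named.conf.in fixtures in the system test, which is fine for a 10.53.0.x test network, but the header comment `DNS64 / RPZ server.` could say so and also state what the server is for, e.g. `/* ns9: recursive server with dns64 and an rpz response policy, used by the 'CNAME *.' (NODATA) checks in tests.sh. Control channel and rndc key are test-harness values. */`. A minor style point: `qname-wait-recurse no ;` carries a space before the semicolon that no other statement in the file has.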
rpz. 28800 IN SOA rpz. hostmaster.rpz. 6 10800 3600 2419200 900
rpz. 28800 IN NS .
a-only.example.rpz. 28800 IN CNAME *.
no-a-no-aaaa.example.rpz. 28800 IN CNAME *.
a-plus-aaaa.example.rpz. 28800 IN CNAME *.
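Review bot: The three `CNAME *.` records carry no comment saying what they do, and this file has no header, unlike the new hints file and ns9/named.conf.in added in the same commit. A CNAME to `*.` is the RPZ NODATA policy action, which is exactly what the new tests.sh loop exercises, so a one-line comment would make the fixture self-describing: `; CNAME *. is the RPZ NODATA action; these names are checked against dns64 in tests.sh`. Adding the same ISC license header the other new files carry would keep the directory consistent.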
......@@ -51,6 +51,7 @@ copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports dnsrpzd.conf.in dnsrpzd.conf
......@@ -856,6 +856,33 @@ EOF
grep "status: SERVFAIL" dig.out.$t > /dev/null || setret "failed"
fi
# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 senarios.
for label in a-only no-a-no-aaaa a-plus-aaaa
do
for type in AAAA A
do
t=`expr $t + 1`
case $label in
a-only)
echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A-only (${t})"
;;
no-a-no-aaaa)
echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with no A or AAAA (${t})"
;;
a-plus-aaaa)
echo_i "checking rpz 'CNAME *.' (NODATA) with dns64, $type lookup with A and AAAA (${t})"
;;
esac
ret=0
$DIG ${label}.example -p ${PORT} $type @10.53.0.9 > dig.out.${t}
grep "status: NOERROR" dig.out.$t > /dev/null || ret=1
grep "ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2$" dig.out.$t > /dev/null || ret=1
grep "^rpz" dig.out.$t > /dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
done
done
[ $status -ne 0 ] && pf=fail || pf=pass
case $mode in
native)
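Review bot: For the `no-a-no-aaaa` label, `status: NOERROR` with `ANSWER: 0` is also what a genuine NODATA answer looks like — in the first hunk that name has only a TXT record — so the `grep "^rpz" dig.out.$t` line is the assertion that actually proves the RPZ rewrite happened, and it deserves a comment above the three greps, e.g. `# the rpz SOA in ADDITIONAL shows the answer came from the policy zone, not from the real NODATA`. The comment on the first added line also has a typo: `# RPZ 'CNAME *.' (NODATA) trumps DNS64. Test against various DNS64 scenarios.`. The `ADDITIONAL: 2$` count presumably expects the OPT record plus that rpz SOA; spelling that out in the same comment would make the expectation easier to maintain if dig's output format changes.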