Commit d6357f09 authored by Mark Andrews's avatar Mark Andrews
Browse files

4329. [func] Warn about a common misconfiguration when forwarding

                        RFC 1918 zones. [RT #41441]
parent 8dbf9ceb
4329. [func] Warn about a common misconfiguration when forwarding
RFC 1918 zones. [RT #41441]
4328. [performance] Add dns_name_fromwire() benchmark test. [RT #41694]
4327. [func] Log query and depth counters during fetches when
......
zone 10.in-addr.arpa {
type forward;
forwarders { 1.2.3.4; };
};
zone 10.in-addr.arpa {
type forward;
forward first;
forwarders { 1.2.3.4; };
};
......@@ -123,5 +123,19 @@ grep "status: NOERROR" dig.out.q4 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that rfc1918 inherited 'forward first;' zones are warned about"
ret=0
$CHECKCONF rfc1918-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF rfc1918-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that ULA inherited 'forward first;' zones are warned about"
ret=0
$CHECKCONF ula-inherited.conf | grep "forward first;" >/dev/null || ret=1
$CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
zone d.f.ip6.arpa {
type forward;
forwarders { 1.2.3.4; };
};
zone d.f.ip6.arpa {
type forward;
forward first;
forwarders { 1.2.3.4; };
};
......@@ -1504,6 +1504,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
dns_name_t *zname = NULL;
isc_buffer_t b;
isc_boolean_t root = ISC_FALSE;
isc_boolean_t rfc1918 = ISC_FALSE;
isc_boolean_t ula = ISC_FALSE;
const cfg_listelt_t *element;
isc_boolean_t dlz;
dns_masterformat_t masterformat;
......@@ -1699,6 +1701,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = tresult;
if (dns_name_equal(zname, dns_rootname))
root = ISC_TRUE;
else if (dns_name_isrfc1918(zname))
rfc1918 = ISC_TRUE;
else if (dns_name_isula(zname))
ula = ISC_TRUE;
}
/*
......@@ -1968,6 +1974,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (check_forward(zoptions, obj, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
/*
* Check that a RFC 1918 / ULA reverse zone is not forward first
* unless explictly configured to be so.
*/
if (ztype == FORWARDZONE && (rfc1918 || ula)) {
obj = NULL;
(void)cfg_map_get(zoptions, "forward", &obj);
if (obj == NULL) {
/*
* Forward mode not explicity configured.
*/
if (voptions != NULL)
cfg_map_get(voptions, "forward", &obj);
if (obj == NULL && goptions != NULL)
cfg_map_get(goptions, "forward", &obj);
if (obj == NULL ||
strcasecmp(cfg_obj_asstring(obj), "first") == 0)
cfg_obj_log(zconfig, logctx, ISC_LOG_WARNING,
"inherited 'forward first;' for "
"%s zone '%s' - did you want "
"'forward only;'?",
rfc1918 ? "rfc1918" : "ula",
znamestr);
}
}
/*
* Check validity of static stub server addresses.
*/
......
......@@ -1292,6 +1292,18 @@ dns_name_isdnssd(const dns_name_t *owner);
* Determine if the 'owner' is a DNS-SD prefix.
*/
isc_boolean_t
dns_name_isrfc1918(const dns_name_t *owner);
/*%<
* Determine if the 'name' is in the RFC 1918 reverse namespace.
*/
isc_boolean_t
dns_name_isula(const dns_name_t *owner);
/*%<
* Determine if the 'name' is in the ULA reverse namespace.
*/
ISC_LANG_ENDDECLS
/*
......
......@@ -2636,3 +2636,87 @@ dns_name_isdnssd(const dns_name_t *name) {
return (ISC_FALSE);
}
#define NS_NAME_INIT(A,B) \
{ \
DNS_NAME_MAGIC, \
A, sizeof(A), sizeof(B), \
DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
B, NULL, { (void *)-1, (void *)-1}, \
{NULL, NULL} \
}
static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
static dns_name_t const rfc1918names[] = {
NS_NAME_INIT(inaddr10, inaddr10_offsets),
NS_NAME_INIT(inaddr16172, inaddr172_offsets),
NS_NAME_INIT(inaddr17172, inaddr172_offsets),
NS_NAME_INIT(inaddr18172, inaddr172_offsets),
NS_NAME_INIT(inaddr19172, inaddr172_offsets),
NS_NAME_INIT(inaddr20172, inaddr172_offsets),
NS_NAME_INIT(inaddr21172, inaddr172_offsets),
NS_NAME_INIT(inaddr22172, inaddr172_offsets),
NS_NAME_INIT(inaddr23172, inaddr172_offsets),
NS_NAME_INIT(inaddr24172, inaddr172_offsets),
NS_NAME_INIT(inaddr25172, inaddr172_offsets),
NS_NAME_INIT(inaddr26172, inaddr172_offsets),
NS_NAME_INIT(inaddr27172, inaddr172_offsets),
NS_NAME_INIT(inaddr28172, inaddr172_offsets),
NS_NAME_INIT(inaddr29172, inaddr172_offsets),
NS_NAME_INIT(inaddr30172, inaddr172_offsets),
NS_NAME_INIT(inaddr31172, inaddr172_offsets),
NS_NAME_INIT(inaddr168192, inaddr192_offsets)
};
isc_boolean_t
dns_name_isrfc1918(const dns_name_t *name) {
size_t i;
for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++)
if (dns_name_issubdomain(name, &rfc1918names[i]))
return (ISC_TRUE);
return (ISC_FALSE);
}
static unsigned char ulaoffsets[] = { 0, 2, 4, 8, 13 };
static unsigned char ip6fc[] = "\001c\001f\003ip6\004ARPA";
static unsigned char ip6fd[] = "\001d\001f\003ip6\004ARPA";
static dns_name_t const ulanames[] = {
NS_NAME_INIT(ip6fc, ulaoffsets),
NS_NAME_INIT(ip6fd, ulaoffsets),
};
isc_boolean_t
dns_name_isula(const dns_name_t *name) {
size_t i;
for (i = 0; i < (sizeof(ulanames)/sizeof(*ulanames)); i++)
if (dns_name_issubdomain(name, &ulanames[i]))
return (ISC_TRUE);
return (ISC_FALSE);
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment