BIND issueshttps://gitlab.isc.org/isc-projects/bind9/-/issues2018-03-19T22:14:23Zhttps://gitlab.isc.org/isc-projects/bind9/-/issues/164Remove useless OpenSSL warning from configure script2018-03-19T22:14:23ZOndřej SurýRemove useless OpenSSL warning from configure scriptThere's a OpenSSL warning in `configure` script that's obsolete:
> The latest stable version is the 1.1.0 series. The 1.0.2 series is our Long Term Support (LTS) release, supported until 31st December 2019. The 0.9.8, 1.0.0 and 1.0.1 ve...There's a OpenSSL warning in `configure` script that's obsolete:
> The latest stable version is the 1.1.0 series. The 1.0.2 series is our Long Term Support (LTS) release, supported until 31st December 2019. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support and should not be used.
and it should be removed as it is not BIND's place to teach users to update their system anyway.BIND-9.13.0Ondřej SurýOndřej Surýhttps://gitlab.isc.org/isc-projects/bind9/-/issues/165Always use OpenSSL or PKCS#11 random data providers2021-05-19T16:44:22ZOndřej SurýAlways use OpenSSL or PKCS#11 random data providersCurrently, we support OpenSSL, PKCS#11 or own (libisc) random bytes provider. Remove the embedded entropy provider and always use crypto library providers.Currently, we support OpenSSL, PKCS#11 or own (libisc) random bytes provider. Remove the embedded entropy provider and always use crypto library providers.BIND-9.13.0Ondřej SurýOndřej Surýhttps://gitlab.isc.org/isc-projects/bind9/-/issues/166statistics system test numbering is bad2018-03-19T22:14:37ZMark Andrewsstatistics system test numbering is badBIND-9.13.0Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/167coverity: Dereferencing a null pointer in lib/dns/tests/rbt_test.c2018-03-19T22:56:03ZGhost Usercoverity: Dereferencing a null pointer in lib/dns/tests/rbt_test.c```
** CID 1430161: (NULL_RETURNS)
/lib/dns/tests/rbt_test.c: 1142 in atfu_rbt_addname_body()
/lib/dns/tests/rbt_test.c: 1153 in atfu_rbt_addname_body()
_______________________________________________________________________________...```
** CID 1430161: (NULL_RETURNS)
/lib/dns/tests/rbt_test.c: 1142 in atfu_rbt_addname_body()
/lib/dns/tests/rbt_test.c: 1153 in atfu_rbt_addname_body()
________________________________________________________________________________________________________
*** CID 1430161: (NULL_RETURNS)
/lib/dns/tests/rbt_test.c: 1142 in atfu_rbt_addname_body()
1136 result = dns_test_begin(NULL, ISC_TRUE);
1137 ATF_CHECK_EQ(result, ISC_R_SUCCESS);
1138
1139 ctx = test_context_setup();
1140
1141 n = isc_mem_get(mctx, sizeof(size_t));
>>> CID 1430161: (NULL_RETURNS)
>>> Dereferencing a null pointer "n".
1142 *n = 1;
1143
1144 dns_test_namefromstring("d.e.f.g.h.i.j.k", &fname);
1145 name = dns_fixedname_name(&fname);
1146
1147 /* Add a name that doesn't exist */
/lib/dns/tests/rbt_test.c: 1153 in atfu_rbt_addname_body()
1147 /* Add a name that doesn't exist */
1148 result = dns_rbt_addname(ctx->rbt, name, n);
1149 ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
1150
1151 /* Now add again, should get ISC_R_EXISTS */
1152 n = isc_mem_get(mctx, sizeof(size_t));
>>> CID 1430161: (NULL_RETURNS)
>>> Dereferencing a null pointer "n".
1153 *n = 2;
1154 result = dns_rbt_addname(ctx->rbt, name, n);
1155 ATF_REQUIRE_EQ(result, ISC_R_EXISTS);
1156 isc_mem_put(mctx, n, sizeof(size_t));
1157
1158 test_context_teardown(ctx);
```BIND-9.13.0https://gitlab.isc.org/isc-projects/bind9/-/issues/168coverity: Incorrect shifting in DNS_RPZ_ZMASK2018-03-19T22:14:45ZGhost Usercoverity: Incorrect shifting in DNS_RPZ_ZMASK```
________________________________________________________________________________________________________
*** CID 1430160: (BAD_SHIFT)
/lib/ns/query.c: 2610 in rpz_get_zbits()
2604 * the smallest name,
2605 ...```
________________________________________________________________________________________________________
*** CID 1430160: (BAD_SHIFT)
/lib/ns/query.c: 2610 in rpz_get_zbits()
2604 * the smallest name,
2605 * the longest IP address prefix,
2606 * the lexically smallest address.
2607 */
2608 if (st->m.policy != DNS_RPZ_POLICY_MISS) {
2609 if (st->m.type >= rpz_type) {
>>> CID 1430160: (BAD_SHIFT)
>>> In expression "1 << st->m.rpz->num + 1", left shifting by more than 31 bits has undefined behavior. The shift amount, "st->m.rpz->num + 1", is as much as 63.
2610 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num);
2611 } else{
2612 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1;
2613 }
2614 }
2615
/lib/ns/query.c: 2612 in rpz_get_zbits()
2606 * the lexically smallest address.
2607 */
2608 if (st->m.policy != DNS_RPZ_POLICY_MISS) {
2609 if (st->m.type >= rpz_type) {
2610 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num);
2611 } else{
>>> CID 1430160: (BAD_SHIFT)
>>> In expression "1 << st->m.rpz->num + 1", left shifting by more than 31 bits has undefined behavior. The shift amount, "st->m.rpz->num + 1", is as much as 63.
2612 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1;
2613 }
2614 }
2615
2616 /*
2617 * If the client wants recursion, allow only compatible policies.
```BIND-9.13.0https://gitlab.isc.org/isc-projects/bind9/-/issues/169rpzrecurse test fails on v9_9_sub branch due to SERVFAIL cache2019-04-25T15:45:51ZGhost Userrpzrecurse test fails on v9_9_sub branch due to SERVFAIL cacherpzrecurse test fails on v9_9_sub branch due to SERVFAIL cache interfering with the RCODE returned for clientip tests.
See: https://bind-build.isc.org//bind9/v9_9_sub/libtool/amd64-unknown-freebsd10.3/daemon2.lab.isc.org/default/2018-03...rpzrecurse test fails on v9_9_sub branch due to SERVFAIL cache interfering with the RCODE returned for clientip tests.
See: https://bind-build.isc.org//bind9/v9_9_sub/libtool/amd64-unknown-freebsd10.3/daemon2.lab.isc.org/default/2018-03-18_19:41:05_UTC/test.txt
```
I:rpzrecurse:starting resolver using named.clientip.conf
I:rpzrecurse:testing CLIENT-IP behavior #2 (63)
I:rpzrecurse:stopping resolver
I:rpzrecurse:starting resolver using named.clientip2.conf
I:rpzrecurse:test 63 failed: query failed
I:rpzrecurse:test 63 failed: query failed
I:rpzrecurse:test 63 failed: didn't get expected answer
```https://gitlab.isc.org/isc-projects/bind9/-/issues/171problems detected by LGTM static analyzer2018-04-22T20:01:36ZEvan Huntproblems detected by LGTM static analyzerhttps://lgtm.com/projects/g/isc-projects/bind9/alerts?mode=listhttps://lgtm.com/projects/g/isc-projects/bind9/alerts?mode=listBIND-9.13.0Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/173option to disable responding with cookies2018-05-18T11:05:02ZBrian Conryoption to disable responding with cookiesThe use case is a resolver farm with multiple DNS implementations that are expected to all behave as alike as possible. If the other implementation does not support DNS cookies then it is up to BIND to not respond to clients with them w...The use case is a resolver farm with multiple DNS implementations that are expected to all behave as alike as possible. If the other implementation does not support DNS cookies then it is up to BIND to not respond to clients with them when requested.
Either build-time or in named.conf should be acceptable.https://gitlab.isc.org/isc-projects/bind9/-/issues/174Non-standard behavior when encountering single record alias loops2018-11-08T19:17:05ZGhost UserNon-standard behavior when encountering single record alias loopsIt appears BIND has non-standard (both RFC and ecosystem) behavior when encountering a single record CNAME alias loop. When a loop is encountered, BIND properly terminates the recursion logic but returns a non-error RCODE and the CNAME it e...It appears BIND has non-standard (both RFC and ecosystem) behavior when encountering a single record CNAME alias loop. When a loop is encountered, BIND properly terminates the recursion logic but returns a non-error RCODE and the CNAME it encountered.
When I first saw this I thought the issue was with normal loops (i.e. loop-a.com -> loop-b.com -> loop-a.com), but BIND behaves correctly when encountering those (returning SERVFAIL); the issue is with the slightly stranger single record loop (loop-a.com -> loop-a.com). My initial assumption was that there was some specific reason for doing this, but I was unable to find one (albeit my search was rather brief, so I may have missed something), and as far as I can tell none of the other major resolvers display this behavior.
Using the following zone here are my testing results from BIND, Unbound, PowerDNS, and Google's public resolver.
Zone:
```
loop.testing.bracewel.net. IN CNAME loop.testing.bracewel.net.
```
Results:
```
BIND 9.12.1:
$ dig a loop.testing.bracewel.net @localhost -p 8053
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; ANSWER SECTION:
loop.testing.bracewel.net. 0 IN CNAME loop.testing.bracewel.net.
;; Query time: 1492 msec
;; SERVER: 127.0.0.1#8053(127.0.0.1)
;; WHEN: Tue Mar 20 15:10:15 GMT 2018
;; MSG SIZE rcvd: 68
```
```
Unbound 1.6.5:
$ dig a loop.testing.bracewel.net @localhost -p 8153
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1252
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; Query time: 477 msec
;; SERVER: 127.0.0.1#8153(127.0.0.1)
;; WHEN: Tue Mar 20 15:35:54 GMT 2018
;; MSG SIZE rcvd: 54
```
```
PowerDNS 4.1.1:
$ dig a loop.testing.bracewel.net @localhost -p 8253
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @localhost -p 8253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65153
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; ANSWER SECTION:
loop.testing.bracewel.net. 0 IN CNAME loop.testing.bracewel.net.
;; Query time: 168 msec
;; SERVER: 127.0.0.1#8253(127.0.0.1)
;; WHEN: Tue Mar 20 15:47:23 GMT 2018
;; MSG SIZE rcvd: 68
```
```
Google:
$ dig a loop.testing.bracewel.net @8.8.8.8
; <<>> DiG 9.9.7-P3 <<>> a loop.testing.bracewel.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;loop.testing.bracewel.net. IN A
;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 20 15:11:36 GMT 2018
;; MSG SIZE rcvd: 54
```BIND 9.12.4https://gitlab.isc.org/isc-projects/bind9/-/issues/175Refactor hmac functions to reduce duplication of the code2018-11-08T18:59:41ZOndřej SurýRefactor hmac functions to reduce duplication of the codeWhile looking at a way how to use either OpenSSL or PKCS#11 hashing functions, I found a lot of duplicated code in the HMAC functions.While looking at a way how to use either OpenSSL or PKCS#11 hashing functions, I found a lot of duplicated code in the HMAC functions.https://gitlab.isc.org/isc-projects/bind9/-/issues/176Test build BIND 9 against openssl-1.1.1-pre32018-05-23T10:32:22ZMark AndrewsTest build BIND 9 against openssl-1.1.1-pre3https://gitlab.isc.org/isc-projects/bind9/-/issues/177initial advertised EDNS UDP buffer size problem2018-03-30T06:50:24ZGhost Userinitial advertised EDNS UDP buffer size problembind change the initial UDP buffer size to 512(from bind 9.10.0), result in usging tcp query ROOT & GTLD Server after bind starting.
as both root & gtld's edns response size greater than 512 bytes.
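after bind restart, the recurs...BIND changed the initial advertised EDNS UDP buffer size to 512 (from BIND 9.10.0), which results in TCP being used to query the root and gTLD servers after BIND starts,
because both the root and gTLD servers' EDNS responses are larger than 512 bytes.
After a BIND restart, the recursion time of BIND 9.10 is much longer than that of BIND 9.9. In the capture below, the UDPsize=512 queries to the root and gTLD servers get truncated replies (the `|` flag) and are then retried over TCP.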
```
reading from file g.pcap, link-type EN10MB (Ethernet)
22:17:57.543248 IP (tos 0x0, ttl 64, id 33740, offset 0, flags [none], proto UDP (17), length 67)
hk.63669 > b.root-servers.net.domain: [bad udp cksum 0x1e5a -> 0x2361!] 35054 [1au] A? google.com. ar: . OPT UDPsize=512 DO (39)
22:17:57.543297 IP (tos 0x0, ttl 64, id 33741, offset 0, flags [none], proto UDP (17), length 56)
hk.20276 > b.root-servers.net.domain: [bad udp cksum 0x1e4f -> 0x9e9b!] 28252 [1au] NS? . ar: . OPT UDPsize=512 DO (28)
22:17:57.697250 IP (tos 0x14, ttl 51, id 50860, offset 0, flags [none], proto UDP (17), length 56)
b.root-servers.net.domain > hk.20276: [udp sum ok] 28252*-| q: NS? . 0/0/1 ar: . OPT UDPsize=4096 DO (28)
22:17:57.697472 IP (tos 0x0, ttl 64, id 36179, offset 0, flags [DF], proto TCP (6), length 60)
hk.20454 > b.root-servers.net.domain: Flags [S], cksum 0x1e48 (incorrect -> 0x99e9), seq 1202528439, win 42340, options [mss 1460,sackOK,TS val 2217782756 ecr 0,nop,wscale 11], length 0
22:17:57.701445 IP (tos 0x14, ttl 51, id 50863, offset 0, flags [none], proto UDP (17), length 67)
b.root-servers.net.domain > hk.63669: [udp sum ok] 35054-| q: A? google.com. 0/0/1 ar: . OPT UDPsize=4096 DO (39)
22:17:57.701551 IP (tos 0x0, ttl 64, id 24089, offset 0, flags [DF], proto TCP (6), length 60)
hk.59642 > b.root-servers.net.domain: Flags [S], cksum 0x1e48 (incorrect -> 0x7cf5), seq 4165858289, win 42340, options [mss 1460,sackOK,TS val 2217782760 ecr 0,nop,wscale 11], length 0
22:17:57.852581 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60)
b.root-servers.net.domain > hk.20454: Flags [S.], cksum 0x63e1 (correct), seq 1881857303, ack 1202528440, win 28960, options [mss 1460,sackOK,TS val 3508620251 ecr 2217782756,nop,wscale 7], length 0
22:17:57.852634 IP (tos 0x0, ttl 64, id 36180, offset 0, flags [DF], proto TCP (6), length 52)
hk.20454 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0x031e), seq 1, ack 1, win 21, options [nop,nop,TS val 2217782911 ecr 3508620251], length 0
22:17:57.852762 IP (tos 0x0, ttl 64, id 36181, offset 0, flags [DF], proto TCP (6), length 82)
hk.20454 > b.root-servers.net.domain: Flags [P.], cksum 0x1e5e (incorrect -> 0xbc43), seq 1:31, ack 1, win 21, options [nop,nop,TS val 2217782911 ecr 3508620251], length 3045932 [1au] NS? . ar: . OPT UDPsize=4096 DO (28)
22:17:57.860436 IP (tos 0x14, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60)
b.root-servers.net.domain > hk.59642: Flags [S.], cksum 0x432e (correct), seq 53890507, ack 4165858290, win 28960, options [mss 1460,sackOK,TS val 3508620251 ecr 2217782760,nop,wscale 7], length 0
22:17:57.860456 IP (tos 0x0, ttl 64, id 24090, offset 0, flags [DF], proto TCP (6), length 52)
hk.59642 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0xe266), seq 1, ack 1, win 21, options [nop,nop,TS val 2217782919 ecr 3508620251], length 0
22:17:57.860527 IP (tos 0x0, ttl 64, id 24091, offset 0, flags [DF], proto TCP (6), length 93)
hk.59642 > b.root-servers.net.domain: Flags [P.], cksum 0x1e69 (incorrect -> 0x9173), seq 1:42, ack 1, win 21, options [nop,nop,TS val 2217782919 ecr 3508620251], length 415201 [1au] A? google.com. ar: . OPT UDPsize=4096 DO (39)
22:17:58.007824 IP (tos 0x0, ttl 51, id 37272, offset 0, flags [DF], proto TCP (6), length 52)
b.root-servers.net.domain > hk.20454: Flags [.], cksum 0x018b (correct), seq 1, ack 31, win 229, options [nop,nop,TS val 3508620416 ecr 2217782911], length 0
22:17:58.007994 IP (tos 0x0, ttl 51, id 37273, offset 0, flags [DF], proto TCP (6), length 1151)
b.root-servers.net.domain > hk.20454: Flags [P.], cksum 0xf32e (correct), seq 1:1100, ack 31, win 229, options [nop,nop,TS val 3508620416 ecr 2217782911], length 109945932*- q: NS? . 14/0/27 . NS f.root-servers.net., . NS l.root-servers.net., . NS j.root-servers.net., . NS d.root-servers.net., . NS m.root-servers.net., . NS i.root-servers.net., . NS e.root-servers.net., . NS c.root-servers.net., . NS g.root-servers.net., . NS b.root-servers.net., . NS h.root-servers.net., . NS a.root-servers.net., . NS k.root-servers.net., . RRSIG ar: a.root-servers.net. A 198.41.0.4, b.root-servers.net. A 199.9.14.201, c.root-servers.net. A 192.33.4.12, d.root-servers.net. A 199.7.91.13, e.root-servers.net. A 192.203.230.10, f.root-servers.net. A 192.5.5.241, g.root-servers.net. A 192.112.36.4, h.root-servers.net. A 198.97.190.53, i.root-servers.net. A 192.36.148.17, j.root-servers.net. A 192.58.128.30, k.root-servers.net. A 193.0.14.129, l.root-servers.net. A 199.7.83.42, m.root-servers.net. A 202.12.27.33, a.root-servers.net. AAAA 2001:503:ba3e::2:30, b.root-servers.net. AAAA 2001:500:200::b, c.root-servers.net. AAAA 2001:500:2::c, d.root-servers.net. AAAA 2001:500:2d::d, e.root-servers.net. AAAA 2001:500:a8::e, f.root-servers.net. AAAA 2001:500:2f::f, g.root-servers.net. AAAA 2001:500:12::d0d, h.root-servers.net. AAAA 2001:500:1::53, i.root-servers.net. AAAA 2001:7fe::53, j.root-servers.net. AAAA 2001:503:c27::2:30, k.root-servers.net. AAAA 2001:7fd::1, l.root-servers.net. AAAA 2001:500:9f::42, m.root-servers.net. AAAA 2001:dc3::35, . OPT UDPsize=4096 DO (1097)
22:17:58.008018 IP (tos 0x0, ttl 64, id 36182, offset 0, flags [DF], proto TCP (6), length 52)
hk.20454 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0xfd72), seq 31, ack 1100, win 23, options [nop,nop,TS val 2217783066 ecr 3508620416], length 0
22:17:58.008573 IP (tos 0x0, ttl 64, id 36183, offset 0, flags [DF], proto TCP (6), length 52)
hk.20454 > b.root-servers.net.domain: Flags [F.], cksum 0x1e40 (incorrect -> 0xfd70), seq 31, ack 1100, win 23, options [nop,nop,TS val 2217783067 ecr 3508620416], length 0
22:17:58.019490 IP (tos 0x14, ttl 51, id 325, offset 0, flags [DF], proto TCP (6), length 52)
b.root-servers.net.domain > hk.59642: Flags [.], cksum 0xe0bf (correct), seq 1, ack 42, win 229, options [nop,nop,TS val 3508620425 ecr 2217782919], length 0
22:17:58.019657 IP (tos 0x14, ttl 51, id 326, offset 0, flags [DF], proto TCP (6), length 1224)
b.root-servers.net.domain > hk.59642: Flags [P.], cksum 0x4548 (correct), seq 1:1173, ack 42, win 229, options [nop,nop,TS val 3508620425 ecr 2217782919], length 11725201- q: A? google.com. 0/15/27 ns: com. NS h.gtld-servers.net., com. NS m.gtld-servers.net., com. NS l.gtld-servers.net., com. NS j.gtld-servers.net., com. NS i.gtld-servers.net., com. NS g.gtld-servers.net., com. NS f.gtld-servers.net., com. NS b.gtld-servers.net., com. NS a.gtld-servers.net., com. NS c.gtld-servers.net., com. NS e.gtld-servers.net., com. NS k.gtld-servers.net., com. NS d.gtld-servers.net., com. DS, com. RRSIG ar: a.gtld-servers.net. A 192.5.6.30, b.gtld-servers.net. A 192.33.14.30, c.gtld-servers.net. A 192.26.92.30, d.gtld-servers.net. A 192.31.80.30, e.gtld-servers.net. A 192.12.94.30, f.gtld-servers.net. A 192.35.51.30, g.gtld-servers.net. A 192.42.93.30, h.gtld-servers.net. A 192.54.112.30, i.gtld-servers.net. A 192.43.172.30, j.gtld-servers.net. A 192.48.79.30, k.gtld-servers.net. A 192.52.178.30, l.gtld-servers.net. A 192.41.162.30, m.gtld-servers.net. A 192.55.83.30, a.gtld-servers.net. AAAA 2001:503:a83e::2:30, b.gtld-servers.net. AAAA 2001:503:231d::2:30, c.gtld-servers.net. AAAA 2001:503:83eb::30, d.gtld-servers.net. AAAA 2001:500:856e::30, e.gtld-servers.net. AAAA 2001:502:1ca1::30, f.gtld-servers.net. AAAA 2001:503:d414::30, g.gtld-servers.net. AAAA 2001:503:eea3::30, h.gtld-servers.net. AAAA 2001:502:8cc::30, i.gtld-servers.net. AAAA 2001:503:39c1::30, j.gtld-servers.net. AAAA 2001:502:7094::30, k.gtld-servers.net. AAAA 2001:503:d2d::30, l.gtld-servers.net. AAAA 2001:500:d937::30, m.gtld-servers.net. AAAA 2001:501:b1f9::30, . OPT UDPsize=4096 DO (1170)
22:17:58.019670 IP (tos 0x0, ttl 64, id 24092, offset 0, flags [DF], proto TCP (6), length 52)
hk.59642 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0xdc5a), seq 42, ack 1173, win 23, options [nop,nop,TS val 2217783078 ecr 3508620425], length 0
22:17:58.020000 IP (tos 0x0, ttl 64, id 43314, offset 0, flags [none], proto UDP (17), length 67)
hk.15653 > j.gtld-servers.net.domain: [bad udp cksum 0x57d6 -> 0x3e39!] 61482 [1au] A? google.com. ar: . OPT UDPsize=512 DO (39)
22:17:58.020038 IP (tos 0x0, ttl 64, id 24093, offset 0, flags [DF], proto TCP (6), length 52)
hk.59642 > b.root-servers.net.domain: Flags [F.], cksum 0x1e40 (incorrect -> 0xdc59), seq 42, ack 1173, win 23, options [nop,nop,TS val 2217783078 ecr 3508620425], length 0
22:17:58.163676 IP (tos 0x0, ttl 51, id 37274, offset 0, flags [DF], proto TCP (6), length 52)
b.root-servers.net.domain > hk.20454: Flags [F.], cksum 0xfc05 (correct), seq 1100, ack 32, win 229, options [nop,nop,TS val 3508620572 ecr 2217783067], length 0
22:17:58.163726 IP (tos 0x0, ttl 64, id 36184, offset 0, flags [DF], proto TCP (6), length 52)
hk.20454 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0xfc38), seq 32, ack 1101, win 23, options [nop,nop,TS val 2217783222 ecr 3508620572], length 0
22:17:58.175412 IP (tos 0x14, ttl 54, id 43332, offset 0, flags [none], proto UDP (17), length 533)
j.gtld-servers.net.domain > hk.15653: [udp sum ok] 61482-| q: A? google.com. 0/7/4 ns: google.com. NS ns2.google.com., google.com. NS ns1.google.com., google.com. NS ns3.google.com., google.com. NS ns4.google.com., CK0POJMG874LJREF7EFN8430QVIT8BSM.com. Type50, CK0POJMG874LJREF7EFN8430QVIT8BSM.com. RRSIG, S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. Type50 ar: ns2.google.com. AAAA 2001:4860:4802:34::a, ns2.google.com. A 216.239.34.10, ns1.google.com. AAAA 2001:4860:4802:32::a, . OPT UDPsize=4096 DO (505)
22:17:58.175647 IP (tos 0x0, ttl 64, id 30331, offset 0, flags [DF], proto TCP (6), length 60)
hk.41221 > j.gtld-servers.net.domain: Flags [S], cksum 0x57c4 (incorrect -> 0x6dbe), seq 777836985, win 42340, options [mss 1460,sackOK,TS val 2217783234 ecr 0,nop,wscale 11], length 0
22:17:58.178918 IP (tos 0x14, ttl 51, id 327, offset 0, flags [DF], proto TCP (6), length 52)
b.root-servers.net.domain > hk.59642: Flags [F.], cksum 0xdaeb (correct), seq 1173, ack 43, win 229, options [nop,nop,TS val 3508620584 ecr 2217783078], length 0
22:17:58.178939 IP (tos 0x0, ttl 64, id 24094, offset 0, flags [DF], proto TCP (6), length 52)
hk.59642 > b.root-servers.net.domain: Flags [.], cksum 0x1e40 (incorrect -> 0xdb1a), seq 43, ack 1174, win 23, options [nop,nop,TS val 2217783237 ecr 3508620584], length 0
22:17:58.332020 IP (tos 0x0, ttl 54, id 49700, offset 0, flags [none], proto TCP (6), length 44)
j.gtld-servers.net.domain > hk.41221: Flags [S.], cksum 0x3f2c (correct), seq 3326577671, ack 777836986, win 1460, options [mss 1460], length 0
22:17:58.332154 IP (tos 0x0, ttl 64, id 30332, offset 0, flags [DF], proto TCP (6), length 40)
hk.41221 > j.gtld-servers.net.domain: Flags [.], cksum 0x57b0 (incorrect -> 0xb738), seq 1, ack 1, win 42340, length 0
22:17:58.332320 IP (tos 0x0, ttl 64, id 30333, offset 0, flags [DF], proto TCP (6), length 81)
hk.41221 > j.gtld-servers.net.domain: Flags [P.], cksum 0x57d9 (incorrect -> 0x20e9), seq 1:42, ack 1, win 42340, length 4122957 [1au] A? google.com. ar: . OPT UDPsize=4096 DO (39)
22:17:58.488944 IP (tos 0x0, ttl 54, id 57511, offset 0, flags [DF], proto TCP (6), length 814)
j.gtld-servers.net.domain > hk.41221: Flags [P.], cksum 0xab7f (correct), seq 1:775, ack 42, win 65535, length 77422957- q: A? google.com. 0/8/9 ns: google.com. NS ns2.google.com., google.com. NS ns1.google.com., google.com. NS ns3.google.com., google.com. NS ns4.google.com., CK0POJMG874LJREF7EFN8430QVIT8BSM.com. Type50, CK0POJMG874LJREF7EFN8430QVIT8BSM.com. RRSIG, S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. Type50, S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. RRSIG ar: ns2.google.com. AAAA 2001:4860:4802:34::a, ns2.google.com. A 216.239.34.10, ns1.google.com. AAAA 2001:4860:4802:32::a, ns1.google.com. A 216.239.32.10, ns3.google.com. AAAA 2001:4860:4802:36::a, ns3.google.com. A 216.239.36.10, ns4.google.com. AAAA 2001:4860:4802:38::a, ns4.google.com. A 216.239.38.10, . OPT UDPsize=4096 DO (772)
22:17:58.488994 IP (tos 0x0, ttl 64, id 30334, offset 0, flags [DF], proto TCP (6), length 40)
hk.41221 > j.gtld-servers.net.domain: Flags [.], cksum 0x57b0 (incorrect -> 0xb01d), seq 42, ack 775, win 43344, length 0
22:17:58.489383 IP (tos 0x0, ttl 64, id 9006, offset 0, flags [none], proto UDP (17), length 67)
hk.41589 > ns4.google.com.domain: [bad udp cksum 0x4781 -> 0x1bcb!] 48541 [1au] A? google.com. ar: . OPT UDPsize=512 DO (39)
22:17:58.489427 IP (tos 0x0, ttl 64, id 30335, offset 0, flags [DF], proto TCP (6), length 40)
hk.41221 > j.gtld-servers.net.domain: Flags [F.], cksum 0x57b0 (incorrect -> 0xb01c), seq 42, ack 775, win 43344, length 0
22:17:58.645265 IP (tos 0x0, ttl 54, id 57520, offset 0, flags [DF], proto TCP (6), length 40)
j.gtld-servers.net.domain > hk.41221: Flags [.], cksum 0x596d (correct), seq 775, ack 43, win 65535, length 0
22:17:58.645269 IP (tos 0x0, ttl 54, id 57521, offset 0, flags [DF], proto TCP (6), length 40)
j.gtld-servers.net.domain > hk.41221: Flags [F.], cksum 0x596c (correct), seq 775, ack 43, win 65535, length 0
22:17:58.645328 IP (tos 0x0, ttl 64, id 56815, offset 0, flags [DF], proto TCP (6), length 40)
hk.41221 > j.gtld-servers.net.domain: Flags [.], cksum 0xb01b (correct), seq 43, ack 776, win 43344, length 0
22:17:58.654219 IP (tos 0x0, ttl 44, id 2814, offset 0, flags [none], proto UDP (17), length 72)
ns4.google.com.domain > hk.41589: [udp sum ok] 48541*- q: A? google.com. 1/0/0 google.com. A 172.217.24.14 (44)
[root@hk ~]#
```Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/178Remove dead code from libraries2020-04-23T19:40:29ZOndřej SurýRemove dead code from librariesReview library functions being used in the BIND 9, and remove code that's not ever called.Review library functions being used in the BIND 9, and remove code that's not ever called.Ondřej SurýOndřej Surýhttps://gitlab.isc.org/isc-projects/bind9/-/issues/179Implement Additional Truncated Response (draft-song-atr-large-resp-00)2024-02-23T07:41:06ZGhost UserImplement Additional Truncated Response (draft-song-atr-large-resp-00)Implement Additional Truncated Response: https://tools.ietf.org/html/draft-song-atr-large-resp-00Implement Additional Truncated Response: https://tools.ietf.org/html/draft-song-atr-large-resp-00https://gitlab.isc.org/isc-projects/bind9/-/issues/180Intermittent recursive resolver issues [socket.c:2135]2018-09-05T15:03:29ZGhost UserIntermittent recursive resolver issues [socket.c:2135]<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](mailto:security-officer@isc.org).
-->
### Summary
Intermittent recursive resolver issues on an internal view. Introduced with 9.11.3.
### Steps to reproduce
n/a. Random queries seem to trigger, unable to reproduce manually for now.
### What is the current *bug* behavior?
Error log sees Unexpected Errors and Invalid Arguments.
### What is the expected *correct* behavior?
-
### Relevant configuration files
```
view "internal" {
match-clients { internal_hosts; trusted_hosts; };
minimal-responses yes;
recursion yes;
allow-recursion { internal_hosts; trusted_hosts; };
allow-query-cache { internal_hosts; trusted_hosts; };
include "/etc/bind/named.conf.default-zones";
query-source address 1.2.3.4;
query-source-v6 address 2001:aaaa::::2;
};
```
### Relevant logs and/or screenshots
```
Mar 26 11:36:22 edi named[726]: ../../../../lib/isc/unix/socket.c:2135: unexpected error:
Mar 26 11:36:22 edi named[726]: internal_send: 127.0.0.1#39187: Invalid argument
Mar 26 11:36:22 edi named[726]: client @0x7fd748027af0 127.0.0.1#39187 (mail.dovecot.fi): view internal: error sending response: invalid file
```
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)BIND-9.13.2https://gitlab.isc.org/isc-projects/bind9/-/issues/181Lurking RFCs2019-01-21T06:32:41ZTony FinchLurking RFCsIn lib/dns/tests/testdata/dst/ the RSA/DSA signature tests use copies of RFC 1035 (one of which is slightly modified) as test data. It might be a good idea to reconstruct these tests using a file with a less tricky licensing status.In lib/dns/tests/testdata/dst/ the RSA/DSA signature tests use copies of RFC 1035 (one of which is slightly modified) as test data. It might be a good idea to reconstruct these tests using a file with a less tricky licensing status.https://gitlab.isc.org/isc-projects/bind9/-/issues/182Update GeoIP support to new API (GeoLite2 from Maxmind)2021-01-08T09:46:56ZVicky Riskvicky@isc.orgUpdate GeoIP support to new API (GeoLite2 from Maxmind)### Description
Maxmind is discontinuing support for the version of their GeoIP db that is supported currently by BIND.
'At the beginning of April, 2018, we will cease updating the GeoLite Legacy downloadable databases. We will also ...### Description
Maxmind is discontinuing support for the version of their GeoIP db that is supported currently by BIND.
'At the beginning of April, 2018, we will cease updating the GeoLite Legacy downloadable databases. We will also disable free downloads of GeoLite Legacy databases from the geoipupdate program on that date.'
### Request
Please update the GeoIP support in BIND to work with the new API/schema. I did check their website and they are still providing a free community edition of the db, but the schema is new. (https://dev.maxmind.com/geoip/geoip2/geolite2/)
Excerpt from an email from a user:
Simple example for Australia and New Zealand that we use:
```
acl "ANZ" {
geoip country NZ;
geoip country AU;
};
view "ANZ" {
match-clients { key anzkey; !all_keys; ANZ; };
allow-notify { key anzkey; };
allow-transfer { key anzkey; };
server 192.999.888.77 { keys anzkey; };
zone "geo.xxx.com" {
type slave;
notify no;
file "/usr/local/etc/namedb/geo/ANZ.xxx";
masters { 127.0.0.1; };
};
zone "geo.yyy.com" {
type slave;
notify no;
file "/usr/local/etc/namedb/geo/ANZ.yyy";
masters { 127.0.0.1; };
};
};
```
We use the commercial GeoIP database, so we rely on it, and it really works. :)
It has the same schema as the free one but more data. The point is that MaxMind changed the schema and API for GeoIP2/GeoLite2,
so old function calls will not work with the new shared libraries, and developers have to change headers and function calls.
Bind911 uses headers at lib/dns/geoip.c:
```
#include <GeoIP.h>
#include <GeoIPCity.h>
```
and calls like:
```
GeoIP_country_code_by*
GeoIP_country_name_by*
```
The new MaxMind library, "libmaxminddb", is the replacement for the old "GeoIP" shared libraries and has a new API:
headers:
```
#include <maxminddb.h>
```
Function and data structure names begin with MMDB_*.
Examples:
```
MMDB_lookup_string(&mmdb, ip_address, &gai_error, &mmdb_error);
MMDB_get_entry_data_list(&result.entry, &entry_data_list);
MMDB_dump_entry_data_list(stdout, entry_data_list, 2);
```
So, the API has changed dramatically.
### Links / references
MaxMind supported APIs: https://dev.maxmind.com/geoip/geoip2/downloadable/
## Notes
This new feature will be backported to old releases, and the old GeoIP support will have to stay (`--with-geoip`). The two options will be mutually exclusive though. In the development branch, we will remove support for old GeoIP and only the new one will stay. Internally, the configuration should stay the same (even though this will require changes from the administrator anyway to put the new databases into their respective places).BIND 9.15.2Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/183Add dns_fixedname_initname()2018-04-10T22:17:16ZGhost UserAdd dns_fixedname_initname()The following pattern is repeated in many places in BIND code:
```c
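/* 'fixed' is the fixedname object; 'name' receives the dns_name_t pointer
 * that dns_fixedname_name() returns for it. */
dns_fixedname_t fixed;
dns_name_t *name;
dns_fixedname_init(&fixed);
/* The argument is the fixedname itself, not the still-unset 'name' pointer. */
name = dns_fixedname_name(&fixed);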
```
Let's add a helper function that does the equivalent:
```c...The following pattern is repeated in many places in BIND code:
```c
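/* 'fixed' is the fixedname object; 'name' receives the dns_name_t pointer
 * that dns_fixedname_name() returns for it. */
dns_fixedname_t fixed;
dns_name_t *name;
dns_fixedname_init(&fixed);
/* The argument is the fixedname itself, not the still-unset 'name' pointer. */
name = dns_fixedname_name(&fixed);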
```
Let's add a helper function that does the equivalent:
```c
/* Same setup through the proposed helper: one call initializes 'fixed'
 * and yields the name pointer. */
dns_fixedname_t fixed;
dns_name_t *name = dns_fixedname_initname(&fixed);
```
Implementation would be:
```c
/*
 * Initialize 'fixed' with dns_fixedname_init() and return the dns_name_t
 * pointer that dns_fixedname_name() gives for it, so callers need a single
 * call instead of the init/name pair.
 */
dns_name_t *
dns_fixedname_initname(dns_fixedname_t *fixed) {
	dns_name_t *name;

	dns_fixedname_init(fixed);
	name = dns_fixedname_name(fixed);
	return (name);
}
```https://gitlab.isc.org/isc-projects/bind9/-/issues/184Lock bucket mapping is broken in rbtdb.c when DNS_RBT_USEHASH is not defined2018-05-25T16:29:57ZGhost UserLock bucket mapping is broken in rbtdb.c when DNS_RBT_USEHASH is not definedLock bucket mapping is broken in `rbtdb.c` when `DNS_RBT_USEHASH` is not defined. It does case-sensitive hash computation in error, and so "Foo" and "foo" names map to different locks.Lock bucket mapping is broken in `rbtdb.c` when `DNS_RBT_USEHASH` is not defined. It does case-sensitive hash computation in error, and so "Foo" and "foo" names map to different locks.https://gitlab.isc.org/isc-projects/bind9/-/issues/185[CVE-2018-5737] serve-stale crash2021-03-31T12:02:44ZTony Finch[CVE-2018-5737] serve-stale crashOne of my recursive servers crashed messily this evening, logging more than a million lines of
```
27-Mar-2018 18:20:35.862 general: info: 105.91.84.115.in-addr.arpa resolver failure, stale answer used
[snip 100MB logs]
27-Mar-2018...One of my recursive servers crashed messily this evening, logging more than a million lines of
```
27-Mar-2018 18:20:35.862 general: info: 105.91.84.115.in-addr.arpa resolver failure, stale answer used
[snip 100MB logs]
27-Mar-2018 18:24:03.414 general: info: 105.91.84.115.in-addr.arpa resolver failure, stale answer used
27-Mar-2018 18:24:03.414 general: critical: rbtdb.c:2115: INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed
27-Mar-2018 18:24:03.414 general: critical: exiting (due to assertion failure)
```
Earlier today I turned on serve-stale in production, so it did not last long before crashing!
I'm afraid I don't have the start of the logspam because I only keep 100MB logs, but the obvious query will reproduce the problem.
Tangentially related, I think the serve-stale logging needs work: it's very noisy, so it should be in its own category, and perhaps some of the messages should be at debugging rather than informational level...
Full configuration below. It's possibly of note that I have two views with a shared cache using attach-cache.
```
acl "blackhole" {
240.0.0.0/4;
};
acl "secure" {
"localhost";
131.111.56.56/32;
131.111.57.57/32;
2001:630:212:110::d:7a7/128;
2001:630:212:110:221:9bff:fe16:a526/128;
2001:630:212:110:646f:7461:742e:6174/128;
131.111.9.53/32;
131.111.9.73/32;
2001:630:212:8::d:aa/128;
2001:630:212:8::d:aaaa/128;
};
acl "loopback" {
127.0.0.0/8;
::1/128;
};
acl "cudn" {
127.0.0.0/8;
::1/128;
2001:630:210::/44;
2a00:1098:5::/48;
128.232.0.0/16;
129.169.0.0/16;
131.111.0.0/16;
192.18.195.0/24;
192.84.5.0/24;
192.153.213.0/24;
193.60.80.0/20;
193.63.252.0/23;
!172.31.0.0/16;
172.16.0.0/12;
10.128.0.0/9;
};
acl "isc" {
"ipreg";
key "university_of_cambridge-a1ec5f18.sns-pba.isc.org";
};
acl "secondaries" {
"cudn";
"isc";
key "tsig-cam-maths";
key "cam.ac.uk.feb2016.tsig.ic.ac.uk";
194.81.227.226/32;
2001:630:0:44::e2/128;
193.63.105.17/32;
2001:630:0:45::11/128;
193.63.106.103/32;
2001:630:0:46::67/128;
193.62.157.66/32;
2001:630:0:47::42/128;
93.93.130.49/32;
69.56.173.190/32;
2600:3c00::f03c:91ff:fe96:beac/128;
93.93.128.67/32;
2a00:1098:0:80:1000::10/128;
185.24.221.32/32;
2a02:2770:11:0:21a:4aff:febe:759b/128;
};
acl "ipreg" {
key "tsig-ipreg";
"secure";
};
# rndc command channel: listens on the IPv4 and IPv6 wildcard addresses,
# port 953. Connections are accepted only from addresses matching the
# "secure" ACL. No keys clause appears in this stanza, so the rndc key in
# use is not visible here.
controls {
inet 0.0.0.0 port 953 allow {
"secure";
};
inet :: port 953 allow {
"secure";
};
};
logging {
channel "log" {
file "../log/named.log" versions 10 size 10485760;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
category "default" {
"log";
};
category "cname" {
"default_debug";
};
category "dnssec" {
"default_debug";
};
category "lame-servers" {
"default_debug";
};
category "query-errors" {
"default_debug";
};
category "resolver" {
"default_debug";
};
category "security" {
"default_debug";
};
category "update-security" {
"default_debug";
};
};
masters "notify-isc" {
149.20.67.14 key "university_of_cambridge-a1ec5f18.sns-pba.isc.org";
199.6.0.100 key "university_of_cambridge-a1ec5f18.sns-pba.isc.org";
};
masters "notify-auth" {
2001:630:212:8::d:a0 key "tsig-ipreg";
2001:630:212:12::d:a1 key "tsig-ipreg";
2001:630:212:8::d:a2 key "tsig-ipreg";
2001:630:212:12::d:a3 key "tsig-ipreg";
};
masters "notify-rec" {
"notify-auth";
2001:630:212:8::d:92 key "tsig-ipreg";
2001:630:212:8::d:93 key "tsig-ipreg";
2001:630:212:8::d:94 key "tsig-ipreg";
2001:630:212:8::d:95 key "tsig-ipreg";
};
masters "master-ipreg" {
2001:630:212:8::d:aa key "tsig-ipreg";
};
masters "master-fanf" {
2001:630:212:110::d:7a7 key "tsig-fanf";
2001:630:212:110:646f:7461:742e:6174 key "tsig-fanf";
};
masters "master-cl" {
2001:630:212:200::d:a0;
128.232.0.19;
2001:630:212:200::d:a1;
128.232.0.18;
};
masters "master-eng" {
129.169.8.8;
129.169.8.9;
};
masters "master-maths" {
131.111.16.129;
131.111.16.30;
131.111.16.32;
};
masters "master-janet-rpz" {
2001:630:1:128::166;
194.82.174.166;
2001:630:1:12a::235;
194.83.56.235;
};
masters "master-imperial" {
2001:630:12:600:1::80 key "cam.ac.uk.feb2016.tsig.ic.ac.uk";
2001:630:12:600:1::81 key "cam.ac.uk.feb2016.tsig.ic.ac.uk";
2001:630:12:600:1::82 key "cam.ac.uk.feb2016.tsig.ic.ac.uk";
195.97.216.196 key "cam.ac.uk.feb2016.tsig.ic.ac.uk";
};
masters "master-salford" {
146.87.136.156;
146.87.136.157;
};
masters "master-york" {
144.32.129.200;
144.32.128.230;
};
masters "master-sanger" {
193.62.203.30;
};
masters "master-chiark" {
212.13.197.229;
};
masters "master-srcf" {
131.111.179.79;
};
masters "master-exim" {
2001:630:212:8::e:f0e key "tsig-cam-exim";
131.111.8.88 key "tsig-cam-exim";
2a02:898:31::53:0 key "tsig-cam-exim";
94.142.241.91 key "tsig-cam-exim";
2604:a880:800:a1::419:1001 key "tsig-cam-exim";
159.203.114.39 key "tsig-cam-exim";
};
# Global server options for this recursive resolver.
options {
# Sources in the "blackhole" ACL (240.0.0.0/4 above) are ignored.
blackhole {
"blackhole";
};
directory "/home/named/run";
recursive-clients 12345;
server-id hostname;
tcp-clients 1234;
dnssec-validation auto;
max-cache-size 17179869184;
# serve-stale: together with stale-answer-enable below, this is the
# feature the reporter had just turned on before the assertion failure.
max-stale-ttl 3600;
no-case-compress {
"any";
};
rrset-order {
order random;
};
stale-answer-enable yes;
# Queries are accepted only from the "cudn" ACL.
allow-query {
"cudn";
};
notify no;
zone-statistics full;
};
# HTTP statistics channel on the IPv4 and IPv6 wildcard addresses, port
# 8053. The only access control shown is the address-based "cudn" ACL.
statistics-channels {
inet 0.0.0.0 port 8053 allow {
"cudn";
};
inet :: port 8053 allow {
"cudn";
};
};
view "main" {
match-destinations {
!131.111.9.99/32;
!2001:630:212:8::d:2/128;
!131.111.12.99/32;
!2001:630:212:12::d:3/128;
!131.111.9.118/32;
!2001:630:212:8::d:fff2/128;
!131.111.12.118/32;
!2001:630:212:12::d:fff3/128;
"any";
};
zone "1.2.0.0.3.6.0.1.0.0.2.ip6.arpa" {
type slave;
file "../zone/1.2.0.0.3.6.0.1.0.0.2.ip6.arpa";
masters {
"master-ipreg";
};
};
zone "10.in-addr.arpa" {
type slave;
file "../zone/10.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "111.131.in-addr.arpa" {
type slave;
file "../zone/111.131.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "145.111.131.in-addr.arpa" {
type slave;
file "../zone/145.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "16.111.131.in-addr.arpa" {
type slave;
file "../zone/16.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "16.172.in-addr.arpa" {
type slave;
file "../zone/16.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "169.129.in-addr.arpa" {
type slave;
file "../zone/169.129.in-addr.arpa";
masters {
"master-eng";
};
};
zone "17.111.131.in-addr.arpa" {
type slave;
file "../zone/17.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "17.172.in-addr.arpa" {
type slave;
file "../zone/17.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "18.111.131.in-addr.arpa" {
type slave;
file "../zone/18.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "18.172.in-addr.arpa" {
type slave;
file "../zone/18.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "19.172.in-addr.arpa" {
type slave;
file "../zone/19.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "195.18.192.in-addr.arpa" {
type slave;
file "../zone/195.18.192.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa" {
type slave;
file "../zone/2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa";
masters {
"master-cl";
};
};
zone "20.111.131.in-addr.arpa" {
type slave;
file "../zone/20.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "20.172.in-addr.arpa" {
type slave;
file "../zone/20.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "21.172.in-addr.arpa" {
type slave;
file "../zone/21.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "213.153.192.in-addr.arpa" {
type slave;
file "../zone/213.153.192.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "22.172.in-addr.arpa" {
type slave;
file "../zone/22.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "23.172.in-addr.arpa" {
type slave;
file "../zone/23.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "232.128.in-addr.arpa" {
type slave;
file "../zone/232.128.in-addr.arpa";
masters {
"master-cl";
};
};
zone "24.111.131.in-addr.arpa" {
type slave;
file "../zone/24.111.131.in-addr.arpa";
masters {
"master-maths";
};
};
zone "24.172.in-addr.arpa" {
type slave;
file "../zone/24.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "25.172.in-addr.arpa" {
type slave;
file "../zone/25.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "252.63.193.in-addr.arpa" {
type slave;
file "../zone/252.63.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "253.63.193.in-addr.arpa" {
type slave;
file "../zone/253.63.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "26.172.in-addr.arpa" {
type slave;
file "../zone/26.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "27.172.in-addr.arpa" {
type slave;
file "../zone/27.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "28.172.in-addr.arpa" {
type slave;
file "../zone/28.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "29.172.in-addr.arpa" {
type slave;
file "../zone/29.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "30.172.in-addr.arpa" {
type slave;
file "../zone/30.172.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "5.0.0.0.8.9.0.1.0.0.a.2.ip6.arpa" {
type slave;
file "../zone/5.0.0.0.8.9.0.1.0.0.a.2.ip6.arpa";
masters {
"master-ipreg";
};
};
zone "5.84.192.in-addr.arpa" {
type slave;
file "../zone/5.84.192.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "80.60.193.in-addr.arpa" {
type slave;
file "../zone/80.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "81.60.193.in-addr.arpa" {
type slave;
file "../zone/81.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "82.60.193.in-addr.arpa" {
type slave;
file "../zone/82.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "83.60.193.in-addr.arpa" {
type slave;
file "../zone/83.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "84.60.193.in-addr.arpa" {
type slave;
file "../zone/84.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "85.60.193.in-addr.arpa" {
type slave;
file "../zone/85.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "86.60.193.in-addr.arpa" {
type slave;
file "../zone/86.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "87.60.193.in-addr.arpa" {
type slave;
file "../zone/87.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "88.60.193.in-addr.arpa" {
type slave;
file "../zone/88.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "89.60.193.in-addr.arpa" {
type slave;
file "../zone/89.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "90.60.193.in-addr.arpa" {
type slave;
file "../zone/90.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "91.60.193.in-addr.arpa" {
type slave;
file "../zone/91.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "92.60.193.in-addr.arpa" {
type slave;
file "../zone/92.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "93.60.193.in-addr.arpa" {
type slave;
file "../zone/93.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "94.60.193.in-addr.arpa" {
type slave;
file "../zone/94.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "95.60.193.in-addr.arpa" {
type slave;
file "../zone/95.60.193.in-addr.arpa";
masters {
"master-ipreg";
};
};
zone "block.arpa.cam.ac.uk" {
type slave;
file "../zone/block.arpa.cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "botnetcc.rpz.spamhaus.org" {
type slave;
file "../zone/botnetcc.rpz.spamhaus.org";
masters {
"master-janet-rpz";
};
};
zone "cam.ac.uk" {
type slave;
file "../zone/cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "cl.cam.ac.uk" {
type slave;
file "../zone/cl.cam.ac.uk";
masters {
"master-cl";
};
};
zone "cst.cam.ac.uk" {
type slave;
file "../zone/cst.cam.ac.uk";
masters {
"master-cl";
};
};
zone "damtp.cam.ac.uk" {
type slave;
file "../zone/damtp.cam.ac.uk";
masters {
"master-maths";
};
};
zone "dbl.rpz.spamhaus.org" {
type slave;
file "../zone/dbl.rpz.spamhaus.org";
masters {
"master-janet-rpz";
};
};
zone "dpmms.cam.ac.uk" {
type slave;
file "../zone/dpmms.cam.ac.uk";
masters {
"master-maths";
};
};
zone "drop.rpz.spamhaus.org" {
type slave;
file "../zone/drop.rpz.spamhaus.org";
masters {
"master-janet-rpz";
};
};
zone "eng.cam.ac.uk" {
type slave;
file "../zone/eng.cam.ac.uk";
masters {
"master-eng";
};
};
zone "in-addr.arpa.cam.ac.uk" {
type slave;
file "../zone/in-addr.arpa.cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "in-addr.arpa.private.cam.ac.uk" {
type slave;
file "../zone/in-addr.arpa.private.cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "malware-aggressive.rpz.spamhaus.org" {
type slave;
file "../zone/malware-aggressive.rpz.spamhaus.org";
masters {
"master-janet-rpz";
};
};
zone "malware.rpz.spamhaus.org" {
type slave;
file "../zone/malware.rpz.spamhaus.org";
masters {
"master-janet-rpz";
};
};
zone "maths.cam.ac.uk" {
type slave;
file "../zone/maths.cam.ac.uk";
masters {
"master-maths";
};
};
zone "newton.cam.ac.uk" {
type slave;
file "../zone/newton.cam.ac.uk";
masters {
"master-maths";
};
};
zone "passthru.arpa.cam.ac.uk" {
type slave;
file "../zone/passthru.arpa.cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "private.cam.ac.uk" {
type slave;
file "../zone/private.cam.ac.uk";
masters {
"master-ipreg";
};
};
zone "srcf.net" {
type slave;
file "../zone/srcf.net";
masters {
"master-srcf";
};
};
zone "srcf.ucam.org" {
type slave;
file "../zone/srcf.ucam.org";
masters {
"master-srcf";
};
};
zone "statslab.cam.ac.uk" {
type slave;
file "../zone/statslab.cam.ac.uk";
masters {
"master-maths";
};
};
zone "ucam.org" {
type slave;
file "../zone/ucam.org";
masters {
"master-chiark";
};
};
response-policy {
zone "passthru.arpa.cam.ac.uk" policy passthru;
zone "block.arpa.cam.ac.uk" policy cname "block.dns.cam.ac.uk";
} break-dnssec yes max-policy-ttl 300 qname-wait-recurse no;
};
view "unfiltered" {
zone "1.2.0.0.3.6.0.1.0.0.2.ip6.arpa" {
in-view "main";
};
zone "10.in-addr.arpa" {
in-view "main";
};
zone "111.131.in-addr.arpa" {
in-view "main";
};
zone "145.111.131.in-addr.arpa" {
in-view "main";
};
zone "16.111.131.in-addr.arpa" {
in-view "main";
};
zone "16.172.in-addr.arpa" {
in-view "main";
};
zone "169.129.in-addr.arpa" {
in-view "main";
};
zone "17.111.131.in-addr.arpa" {
in-view "main";
};
zone "17.172.in-addr.arpa" {
in-view "main";
};
zone "18.111.131.in-addr.arpa" {
in-view "main";
};
zone "18.172.in-addr.arpa" {
in-view "main";
};
zone "19.172.in-addr.arpa" {
in-view "main";
};
zone "195.18.192.in-addr.arpa" {
in-view "main";
};
zone "2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa" {
in-view "main";
};
zone "20.111.131.in-addr.arpa" {
in-view "main";
};
zone "20.172.in-addr.arpa" {
in-view "main";
};
zone "21.172.in-addr.arpa" {
in-view "main";
};
zone "213.153.192.in-addr.arpa" {
in-view "main";
};
zone "22.172.in-addr.arpa" {
in-view "main";
};
zone "23.172.in-addr.arpa" {
in-view "main";
};
zone "232.128.in-addr.arpa" {
in-view "main";
};
zone "24.111.131.in-addr.arpa" {
in-view "main";
};
zone "24.172.in-addr.arpa" {
in-view "main";
};
zone "25.172.in-addr.arpa" {
in-view "main";
};
zone "252.63.193.in-addr.arpa" {
in-view "main";
};
zone "253.63.193.in-addr.arpa" {
in-view "main";
};
zone "26.172.in-addr.arpa" {
in-view "main";
};
zone "27.172.in-addr.arpa" {
in-view "main";
};
zone "28.172.in-addr.arpa" {
in-view "main";
};
zone "29.172.in-addr.arpa" {
in-view "main";
};
zone "30.172.in-addr.arpa" {
in-view "main";
};
zone "5.0.0.0.8.9.0.1.0.0.a.2.ip6.arpa" {
in-view "main";
};
zone "5.84.192.in-addr.arpa" {
in-view "main";
};
zone "80.60.193.in-addr.arpa" {
in-view "main";
};
zone "81.60.193.in-addr.arpa" {
in-view "main";
};
zone "82.60.193.in-addr.arpa" {
in-view "main";
};
zone "83.60.193.in-addr.arpa" {
in-view "main";
};
zone "84.60.193.in-addr.arpa" {
in-view "main";
};
zone "85.60.193.in-addr.arpa" {
in-view "main";
};
zone "86.60.193.in-addr.arpa" {
in-view "main";
};
zone "87.60.193.in-addr.arpa" {
in-view "main";
};
zone "88.60.193.in-addr.arpa" {
in-view "main";
};
zone "89.60.193.in-addr.arpa" {
in-view "main";
};
zone "90.60.193.in-addr.arpa" {
in-view "main";
};
zone "91.60.193.in-addr.arpa" {
in-view "main";
};
zone "92.60.193.in-addr.arpa" {
in-view "main";
};
zone "93.60.193.in-addr.arpa" {
in-view "main";
};
zone "94.60.193.in-addr.arpa" {
in-view "main";
};
zone "95.60.193.in-addr.arpa" {
in-view "main";
};
zone "block.arpa.cam.ac.uk" {
in-view "main";
};
zone "botnetcc.rpz.spamhaus.org" {
in-view "main";
};
zone "cam.ac.uk" {
in-view "main";
};
zone "cl.cam.ac.uk" {
in-view "main";
};
zone "cst.cam.ac.uk" {
in-view "main";
};
zone "damtp.cam.ac.uk" {
in-view "main";
};
zone "dbl.rpz.spamhaus.org" {
in-view "main";
};
zone "dpmms.cam.ac.uk" {
in-view "main";
};
zone "drop.rpz.spamhaus.org" {
in-view "main";
};
zone "eng.cam.ac.uk" {
in-view "main";
};
zone "in-addr.arpa.cam.ac.uk" {
in-view "main";
};
zone "in-addr.arpa.private.cam.ac.uk" {
in-view "main";
};
zone "malware-aggressive.rpz.spamhaus.org" {
in-view "main";
};
zone "malware.rpz.spamhaus.org" {
in-view "main";
};
zone "maths.cam.ac.uk" {
in-view "main";
};
zone "newton.cam.ac.uk" {
in-view "main";
};
zone "passthru.arpa.cam.ac.uk" {
in-view "main";
};
zone "private.cam.ac.uk" {
in-view "main";
};
zone "srcf.net" {
in-view "main";
};
zone "srcf.ucam.org" {
in-view "main";
};
zone "statslab.cam.ac.uk" {
in-view "main";
};
zone "ucam.org" {
in-view "main";
};
attach-cache "main";
};
# TSIG key definitions referenced by the ACLs and masters lists above.
# The secret values appear only as runs of '?' (presumably redacted by the
# reporter), so just the key names and HMAC algorithms are visible.
key "cam.ac.uk.feb2016.tsig.ic.ac.uk" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "tsig-ipreg" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "university_of_cambridge-a1ec5f18.sns-pba.isc.org" {
algorithm "hmac-sha512";
secret "????????????????????????????????????????????????????????????????????????????????????????";
};
key "tsig-cam-maths" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "tsig-cam-exim" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
key "tsig-fanf" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
server 157.83.102.245/32 {
send-cookie no;
};
server 157.83.102.246/32 {
send-cookie no;
};
server 157.83.126.245/32 {
send-cookie no;
};
server 157.83.126.246/32 {
send-cookie no;
};
server 43.242.49.158/32 {
send-cookie no;
};
server 113.209.232.218/32 {
send-cookie no;
};
server 63.150.72.5/32 {
send-cookie no;
};
server 2001:428::7/128 {
send-cookie no;
};
server 208.44.130.121/32 {
send-cookie no;
};
server 2001:428::8/128 {
send-cookie no;
};
server 172.16.3.0/24 {
bogus no;
};
server 0.0.0.0/8 {
bogus yes;
};
server 10.0.0.0/8 {
bogus yes;
};
server 100.64.0.0/10 {
bogus yes;
};
server 127.0.0.0/8 {
bogus yes;
};
server 169.254.0.0/16 {
bogus yes;
};
server 172.16.0.0/12 {
bogus yes;
};
server 192.0.0.0/24 {
bogus yes;
};
server 192.0.2.0/24 {
bogus yes;
};
server 192.88.99.0/24 {
bogus yes;
};
server 192.168.0.0/16 {
bogus yes;
};
server 198.18.0.0/15 {
bogus yes;
};
server 198.51.100.0/24 {
bogus yes;
};
server 203.0.113.0/24 {
bogus yes;
};
server 224.0.0.0/3 {
bogus yes;
};
server ::/3 {
bogus yes;
};
server 2001::/32 {
bogus yes;
};
server 2001:2::/48 {
bogus yes;
};
server 2001:10::/28 {
bogus yes;
};
server 2001:db8::/32 {
bogus yes;
};
server 2002::/16 {
bogus yes;
};
server 3000::/4 {
bogus yes;
};
server 4000::/2 {
bogus yes;
};
server 8000::/1 {
bogus yes;
};
```