Issue created Jun 25, 2019 by Michael McNally@McNally

Interaction between dns64 and RPZ can cause unexpected results

Summary

A support customer has reported to us that DNS64 and RPZ, when used in conjunction, can result in an unexpected answer.

Steps to reproduce

Per their instructions from the support ticket:

The short version: Steps:

  1. set up an rpz rule to return nodata for a zone ('foo.com' for example's sake)
  2. set up dns64
  3. dig @server foo.com A #notice the answer is noerror nodata, as we expect
  4. dig @server foo.com AAAA #after some time, we get a servfail (or sometimes NXDOMAIN, I have not pinned down why)

What is the current bug behavior?

Expected answer is nodata, per the rpz rule. Per customer, sometimes SERVFAIL is returned.

Relevant configuration files

They have provided a sample config for reproduction.

# named.conf

options {
        masterfile-format text;
        zone-statistics yes;
        version none;
        recursion yes;
        listen-on { 10.53.0.1; };
        dns64-server "example.localdomain.";
        dns64 64:ff9b::/96 {    }; 
        allow-recursion { any; };
        allow-transfer { !any; };
        transfer-format many-answers;
};

# default
view "DEFAULT" {  # default
    match-clients { any; };
    match-destinations { any; };
    response-policy {
        zone "local.com" policy Given;# priority 0
    } qname-wait-recurse no;
    zone "." in {
        type hint;
        file "named.cache._default";
    };
    zone "local.com" in { # local.com
        # default TTL = 28800;
        check-names warn;
        type master;
        database rbt;
        masterfile-format text;
        file "azd/db.local.com._default";
        allow-query { any; };
        notify yes;
    };
};

# db.local.com._default

local.com.                                    28800 IN SOA      example.localdomain. please_set_email.absolutely.nowhere. 6 10800 3600 2419200 900
local.com.                                    28800 IN NS       example.localdomain.
a_rec.local.com.                              28800 IN A        123.123.123.111
foo.com.local.com.                            28800 IN CNAME    *.
a.dns64.com.local.com.                        28800 IN CNAME    *.

; named.cache._default
;
; Internet Root Nameservers
;
$TTL 518400
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201
B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c
D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13
D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
E.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:a8::e
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
G.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:12::d0d
H.ROOT-SERVERS.NET.     3600000 IN      A       198.97.190.53
H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::53
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53
J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30
K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1
L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42
L.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:9f::42
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35
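An added example, not part of the issue or of BIND's code: a small Python oracle that models the answer the customer expects (RPZ policy applied first, DNS64 synthesis only for names that pass through), so dig results from a test server can be compared against it. The RPZ rules come from the db.local.com zone above; the A record for `ipv4only.example.` and the `*.example.` names are constructed for the example.

```python
import ipaddress

# Constructed sample data: the policy records from the customer's db.local.com
# zone in the issue, plus a made-up A record for an IPv4-only name.
RPZ_ZONE = """\
local.com.              28800 IN SOA   example.localdomain. please_set_email.absolutely.nowhere. 6 10800 3600 2419200 900
local.com.              28800 IN NS    example.localdomain.
foo.com.local.com.      28800 IN CNAME *.
a.dns64.com.local.com.  28800 IN CNAME *.
"""
A_RECORDS = {"ipv4only.example.": ["192.0.2.10"]}  # constructed, documentation range

# RPZ encodes policy actions as special CNAME targets.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def fqdn(name):
    return name if name.endswith(".") else name + "."

def parse_rpz(zone_text, apex):
    """Return {trigger qname: action} for the QNAME triggers in an RPZ zone."""
    rules, suffix = {}, "." + fqdn(apex)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "CNAME" and fields[0].endswith(suffix):
            trigger = fields[0][:-len(suffix)] + "."   # strip the RPZ apex
            rules[trigger] = ACTIONS.get(fields[4], "LOCAL-DATA " + fields[4])
    return rules

def dns64_synth(prefix, ipv4):
    """Embed an IPv4 address in a /96 DNS64 prefix (RFC 6052 style)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("example only handles /96 prefixes")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))

def expected_answer(qname, qtype, rules, a_records, prefix="64:ff9b::/96"):
    """Oracle: RPZ policy first; DNS64 synthesis only when the name passes through."""
    name = fqdn(qname)
    action = rules.get(name)
    if action in ("NXDOMAIN", "NODATA"):
        return (action, [])            # policy wins for every qtype, AAAA included
    if name not in a_records:
        return ("NXDOMAIN", [])
    if qtype == "A":
        return ("NOERROR", list(a_records[name]))
    if qtype == "AAAA":                # no native AAAA in the toy data, so DNS64 synthesizes
        return ("NOERROR", [dns64_synth(prefix, ip) for ip in a_records[name]])
    return ("NODATA", [])
```

For the reported case, `expected_answer("foo.com", "AAAA", ...)` yields NODATA; a SERVFAIL or NXDOMAIN from the server for that query is the discrepancy described in the report.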