Interaction between dns64 and RPZ can cause unexpected results
Summary
A support customer has reported to us that DNS64 and RPZ, when used in conjunction, can result in an unexpected answer.
Steps to reproduce
Per their instructions from the support ticket:
The short version:
- set up an rpz rule to return nodata for a zone ('foo.com' for example's sake)
- set up dns64
- dig @server foo.com A #notice the answer is noerror nodata, as we expect
- dig @server foo.com AAAA #after some time, we get a servfail (or sometimes NXDOMAIN, I have not pinned down why)
What is the current bug behavior?
The expected answer is NODATA, per the RPZ rule. Per the customer, SERVFAIL is sometimes returned instead.
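As an added illustration (not BIND code and not from the ticket), the following Python models the decision order the report expects for the configuration below: the RPZ NODATA rewrite applies to every query type before DNS64 gets a chance to synthesize an AAAA, and a small check flags the A/AAAA disagreement the customer observed. The dns64 prefix and the two NODATA triggers are taken from the configuration files below; the upstream addresses and the observed result tuples are constructed.

```python
import ipaddress

# Values taken from the report's configuration: the dns64 prefix from named.conf
# and the two NODATA triggers (CNAME to "*.") from db.local.com._default.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
RPZ_NODATA = {"foo.com.", "a.dns64.com."}

# Constructed stand-in for what recursion would return (no real upstream is queried).
UPSTREAM = {
    ("foo.com.", "A"): ["192.0.2.10"],
    ("bar.example.", "A"): ["123.123.123.111"],
}


def dns64_synthesize(ipv4, prefix=DNS64_PREFIX):
    """RFC 6052 /96 mapping: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 form used in the report is modelled")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def expected_response(qname, qtype):
    """(rcode, answers) a resolver should return: the RPZ rewrite is applied
    before any DNS64 synthesis, so a NODATA trigger covers AAAA as well as A."""
    if qname.lower() in RPZ_NODATA:
        return ("NOERROR", [])
    answers = UPSTREAM.get((qname, qtype), [])
    if qtype == "AAAA" and not answers:
        # DNS64 only runs when there is no native AAAA and the name is not rewritten.
        answers = [dns64_synthesize(a) for a in UPSTREAM.get((qname, "A"), [])]
    return ("NOERROR", answers)


def classify(rcode, answers):
    """Collapse a response into the labels used in the report."""
    if rcode == "NOERROR":
        return "NODATA" if not answers else "ANSWER"
    return rcode


def inconsistent(a_response, aaaa_response):
    """True when A and AAAA disagree for the same name, i.e. the reported symptom."""
    return classify(*a_response) != classify(*aaaa_response)


# Observed results from the ticket, constructed as tuples: A is fine, AAAA fails.
OBSERVED_A = ("NOERROR", [])
OBSERVED_AAAA = ("SERVFAIL", [])
```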
Relevant configuration files
They have provided a sample config for reproduction.
# named.conf
options {
    masterfile-format text;
    zone-statistics yes;
    version none;
    recursion yes;
    listen-on { 10.53.0.1; };
    dns64-server "example.localdomain.";
    dns64 64:ff9b::/96 { };
    allow-recursion { any; };
    allow-transfer { !any; };
    transfer-format many-answers;
};

# default
view "DEFAULT" { # default
    match-clients { any; };
    match-destinations { any; };
    response-policy {
        zone "local.com" policy Given; # priority 0
    } qname-wait-recurse no;
    zone "." in {
        type hint;
        file "named.cache._default";
    };
    zone "local.com" in { # local.com
        # default TTL = 28800;
        check-names warn;
        type master;
        database rbt;
        masterfile-format text;
        file "azd/db.local.com._default";
        allow-query { any; };
        notify yes;
    };
};

# db.local.com._default
local.com.             28800 IN SOA   example.localdomain. please_set_email.absolutely.nowhere. 6 10800 3600 2419200 900
local.com.             28800 IN NS    example.localdomain.
a_rec.local.com.       28800 IN A     123.123.123.111
foo.com.local.com.     28800 IN CNAME *.
a.dns64.com.local.com. 28800 IN CNAME *.

; named.cache._default
;
; Internet Root Nameservers
;
$TTL 518400
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c
D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2d::d
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:a8::e
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2F::F
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:12::d0d
H.ROOT-SERVERS.NET. 3600000 IN A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::53
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fe::53
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:C27::2:30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7FD::1
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:9f::42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:DC3::35