RPZ wildcard passthru ignored
Summary
I have two response-policy zones configured. The first zone is a local whitelist with the policy passthru. The second zone is a local blacklist with the policy given. If the blacklist rpz zone contains "www.example.com CNAME ." (nxdomain) and the whitelist rpz zone contains a wildcard to whitelist *.example.com with "*.example.com CNAME rpz-passthru.", then this wildcard is ignored.
This has worked from 9.8 up to 9.14.5 and stopped working in 9.14.6 and later (I tested up to 9.16.1).
BIND version used
BIND 9.14.6 (Stable Release) <id:efd3496>
running on Linux x86_64 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020
built by make with '--build=x86_64-koji-linux-gnu' '--host=x86_64-koji-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/named' '--bindir=/opt/named/bin' '--sbindir=/opt/named/sbin' '--sysconfdir=/etc' '--datadir=/opt/named/share' '--includedir=/opt/named/include' '--libdir=/opt/named/lib64' '--libexecdir=/opt/named/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/opt/named/share/man' '--infodir=/opt/named/share/info' '--exec-prefix=/opt/named' '--disable-static' '--enable-threads' '--enable-ipv6' '--enable-dnstap' '--disable-openssl-version-check' '--enable-largefile' '--with-tuning=large' '--with-randomdev=/dev/urandom' '--with-pic' '--with-libjson' '--with-libtool' '--with-libxml2' '--with-python-install-dir=/opt/named/usr/lib/python2.7/site-packages' '--with-docbook-xsl=/opt/named/share/sgml/docbook/xsl-stylesheets' '--includedir=/opt/named/include/bind9' 'build_alias=x86_64-koji-linux-gnu' 'host_alias=x86_64-koji-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/opt/named/lib64/pkgconfig:/opt/named/share/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with libjson-c version: 0.11
linked to libjson-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Steps to reproduce
- Install bind release 9.14.6
- Use the named.conf, whitelist.zone and blacklist.zone listed in the configuration file section.
- Start bind, e.g. systemctl start named
- Use dig to check the behavior and check the logs: dig @::1 www.example.com
What is the current bug behavior?
The wildcard passthru entry in the whitelist.zone is ignored.
What is the expected correct behavior?
The wildcard passthru entry in the whitelist.zone is used.
Relevant configuration files
Used named.conf
logging {
    channel "default_debug" {
        file "named.log";
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
};
options {
    directory "/var/named/data";
    listen-on port 53 {
        127.0.0.1/32;
    };
    listen-on-v6 port 53 {
        ::1/128;
    };
    dnssec-enable yes;
    dnssec-validation auto;
    empty-zones-enable yes;
    recursion yes;
    response-policy {
        zone "whitelist.zone" policy passthru;
        zone "blacklist.zone" policy given;
    } break-dnssec yes;
    allow-query {
        "localhost";
    };
    allow-transfer {
        "localhost";
    };
};
zone "whitelist.zone" {
    type master;
    file "whitelist.zone";
    allow-query {
        "none";
    };
};
zone "blacklist.zone" {
    type master;
    file "blacklist.zone";
    allow-query {
        "none";
    };
};
Used whitelist.zone
$ORIGIN whitelist.zone.
$TTL 3600
@ IN SOA ns.whitelist.zone. hostmaster.whitelist.zone. 1 600 300 604800 3600
IN NS ns2.switch.ch.
example.com CNAME rpz-passthru.
*.example.com CNAME rpz-passthru.
Used blacklist.zone
$ORIGIN blacklist.zone.
$TTL 3600
@ IN SOA ns.blacklist.zone. hostmaster.blacklist.zone. 1 600 300 604800 3600
IN NS ns2.switch.ch.
www.example.com CNAME .
; test record
test.example.org CNAME .
Relevant logs and/or screenshots
Log entry on 9.14.6 where it breaks wildcards for passthru:
12-Feb-2020 15:12:30.481 rpz: info: client @0x7fd7200a2cb0 ::1#58427 (www.example.com): rpz QNAME Local-Data rewrite www.example.com/A/IN via www.example.com.blacklist.zone
Log entry on 9.14.5 where wildcard passthru still works:
12-Feb-2020 15:14:36.229 rpz: info: client @0x7fd5440a2cb0 ::1#45028 (www.example.com): rpz QNAME PASSTHRU rewrite www.example.com/A/IN via www.example.com.whitelist.zone
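To make the expected behaviour explicit, here is an added Python model of RPZ QNAME-trigger evaluation built from the named.conf and zone files above (editor's example, not BIND code). It assumes that policy zones are consulted in the order of the response-policy block, that the first zone with a matching trigger decides, and, as a simplification, that a wildcard record matches any name beneath it with no closest-encloser rule.

```python
# Policy zones in the order of the "response-policy" block in named.conf above.
# Each entry: (zone name, zone-level policy, {owner name relative to origin: CNAME target}).
# Records are taken from the whitelist.zone and blacklist.zone files on this page.
POLICY_ZONES = [
    ("whitelist.zone", "passthru", {
        "example.com": "rpz-passthru.",
        "*.example.com": "rpz-passthru.",
    }),
    ("blacklist.zone", "given", {
        "www.example.com": ".",
        "test.example.org": ".",
    }),
]

# How a record's CNAME target encodes an action when the zone policy is "given".
# Anything else is ordinary local data (an actual CNAME rewrite).
RECORD_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def match_in_zone(qname, records):
    """Return the owner name in `records` that triggers on `qname`, or None.

    The exact name is checked first, then a "*." wildcard at each ancestor
    (assumption: plain suffix matching, no closest-encloser rule)."""
    if qname in records:
        return qname
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in records:
            return candidate
    return None


def rpz_lookup(qname):
    """Walk the policy zones in order; the first zone with a matching QNAME
    trigger decides, no matter how specific a later zone's record is.

    Returns (action, zone, matched owner name), or ("NONE", None, None)."""
    for zone, zone_policy, records in POLICY_ZONES:
        owner = match_in_zone(qname, records)
        if owner is None:
            continue
        if zone_policy == "given":
            action = RECORD_ACTIONS.get(records[owner], "LOCAL-DATA")
        else:
            action = zone_policy.upper()  # zone policy overrides the record
        return action, zone, owner
    return "NONE", None, None  # no trigger matched: answer normally
```

With the whitelist listed first, www.example.com is expected to hit the *.example.com passthru wildcard, matching the 9.14.5 log above, while test.example.org still gets NXDOMAIN from the blacklist.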
Possible fixes
It may have something to do with this change in 9.14.6:
5282. [bug] Fixed a bug in searching for possible wildcard matches
      for query names in the RPZ summary database. [GL #1146]