RPZ-NSDNAME does not work on subdomains (#1701) · Issues · ISC Open Source Projects / BIND

RPZ-NSDNAME does not work on subdomains

Summary

NSDNAME subdomains does not work on RPZ when parent nameserver should be blocked

BIND version used

BIND 9.11.13-RedHat-9.11.13-3.el8 (Extended Support Version) <id:ad4df16>
running on Linux x86_64 4.18.0-190.3.el8.x86_64 #1 SMP Sat Mar 21 10:42:44 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  DNSSEC root key:      /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

block nameservers of parent zone in RPZ by RPZ-NSDNAME. Then expect all subdomains would not be accessible, but they work for some reason. It worked as expected on 9.8.2 (RHEL 6), but does not work in 9.11.

What is the current bug behavior?

when I do dig @localhost redhat.cz, it fetches answer without any filtering.

status: NOERROR

What is the expected correct behavior?

status: NXDOMAIN with badlist in authority section.

Relevant configuration files

have in options:

# in options:
response-policy { zone "badlist"; } min-ns-dots 0;

forwarders {
IP1;
IP2;
};
forward only;

Now badlist zone contains some records, interesting only

; NSDNAME policy records for NS servers for "cz." domain
a.ns.nic.cz.rpz-nsdname CNAME   .
b.ns.nic.cz.rpz-nsdname CNAME   .
c.ns.nic.cz.rpz-nsdname CNAME   .
d.ns.nic.cz.rpz-nsdname CNAME   .

Relevant logs and/or screenshots

Originally leftover from RHEL6 bug on missing NSIP and NSDNAME, later in RHEL7 bug https://bugzilla.redhat.com/show_bug.cgi?id=1228205

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @localhost www.redhat.cz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21339
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 554e5c8307afabd744f92b7d5e7a1f5be8e9d281a2b854ba (good)
;; QUESTION SECTION:
;www.redhat.cz.			IN	A

;; ANSWER SECTION:
www.redhat.cz.		64609	IN	CNAME	redhat.cz.
redhat.cz.		79156	IN	A	209.132.183.105

But after dig @localhost ns cz is run, it suddenly starts to work as was expected. However no warning was emitted in log. No warning was found in ARM as well. According to my understanding, https://kb.isc.org/docs/aa-00862 suggests it is unreliable, but not that it should not work at all. It seems to be unrelated to authoritative and glue differences mentioned there.

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @localhost www.redhat.cz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 37d288d12765b603133dac2f5e7a1f5bff4a996d53b9ef1d (good)
;; QUESTION SECTION:
;www.redhat.cz.			IN	A

;; ADDITIONAL SECTION:
badlist.		3600	IN	SOA	localhost.local. hostmaster.local. 1 3600 900 2592000 7200

;; Query time: 47 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Mar 24 10:55:23 EDT 2020
;; MSG SIZE  rcvd: 139

Possible fixes

Explain in documentation forwarders will not work with NSDNAME, since they are not iteration from bottom to upwards. Or make it working.