RPZ-NSDNAME does not work on subdomains
Summary
NSDNAME on subdomains does not work in RPZ when the parent zone's nameserver should be blocked
BIND version used
BIND 9.11.13-RedHat-9.11.13-3.el8 (Extended Support Version) <id:ad4df16>
running on Linux x86_64 4.18.0-190.3.el8.x86_64 #1 SMP Sat Mar 21 10:42:44 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20191121 (Red Hat 8.3.1-5)
compiled with OpenSSL version: OpenSSL 1.1.1c FIPS 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c FIPS 28 May 2019
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Block the nameservers of the parent zone in RPZ with RPZ-NSDNAME. Then expect all subdomains to be inaccessible, but they work for some reason. It worked as expected on 9.8.2 (RHEL 6), but does not work in 9.11.
What is the current bug behavior?
When I do dig @localhost redhat.cz, it fetches the answer without any filtering.
status: NOERROR
What is the expected correct behavior?
status: NXDOMAIN with badlist in the authority section.
Relevant configuration files
I have in options:
# in options:
response-policy { zone "badlist"; } min-ns-dots 0;
forwarders {
IP1;
IP2;
};
forward only;
Now the badlist zone contains some records; only these are interesting:
; NSDNAME policy records for NS servers for "cz." domain
a.ns.nic.cz.rpz-nsdname CNAME .
b.ns.nic.cz.rpz-nsdname CNAME .
c.ns.nic.cz.rpz-nsdname CNAME .
d.ns.nic.cz.rpz-nsdname CNAME .
Relevant logs and/or screenshots
Originally a leftover from the RHEL 6 bug on missing NSIP and NSDNAME, later the RHEL 7 bug https://bugzilla.redhat.com/show_bug.cgi?id=1228205
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @localhost www.redhat.cz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21339
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 554e5c8307afabd744f92b7d5e7a1f5be8e9d281a2b854ba (good)
;; QUESTION SECTION:
;www.redhat.cz. IN A
;; ANSWER SECTION:
www.redhat.cz. 64609 IN CNAME redhat.cz.
redhat.cz. 79156 IN A 209.132.183.105
But after dig @localhost ns cz
is run, it suddenly starts to work as expected. However, no warning was emitted in the log. No warning was found in the ARM either. According to my understanding, https://kb.isc.org/docs/aa-00862 suggests it is unreliable, but not that it should not work at all. It seems to be unrelated to the authoritative and glue differences mentioned there.
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @localhost www.redhat.cz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 37d288d12765b603133dac2f5e7a1f5bff4a996d53b9ef1d (good)
;; QUESTION SECTION:
;www.redhat.cz. IN A
;; ADDITIONAL SECTION:
badlist. 3600 IN SOA localhost.local. hostmaster.local. 1 3600 900 2592000 7200
;; Query time: 47 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Mar 24 10:55:23 EDT 2020
;; MSG SIZE rcvd: 139
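An added example, not part of this report and not BIND's own code, that turns the manual checks above into a repeatable script: it verifies that every nameserver of the parent zone has an rpz-nsdname trigger in the policy zone, and classifies a dig response as filtered by RPZ (NXDOMAIN plus the policy zone's SOA in the response) or not, so the before/after difference seen above can be caught by a monitoring check instead of by eye. The sample zone and the two dig responses are the ones quoted in this report; the policy zone name "badlist." and the live_check helper (which shells out to dig) are assumptions.

```python
import re
import subprocess

# Sample: the rpz-nsdname records quoted in the report (constructed copy).
ZONE = """\
; NSDNAME policy records for NS servers for "cz." domain
a.ns.nic.cz.rpz-nsdname CNAME .
b.ns.nic.cz.rpz-nsdname CNAME .
c.ns.nic.cz.rpz-nsdname CNAME .
d.ns.nic.cz.rpz-nsdname CNAME .
"""

# Sample: the two dig responses from the report, trimmed to the lines read here.
UNFILTERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21339
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.redhat.cz. 64609 IN CNAME redhat.cz.
redhat.cz. 79156 IN A 209.132.183.105
"""

FILTERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61035
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; ADDITIONAL SECTION:
badlist. 3600 IN SOA localhost.local. hostmaster.local. 1 3600 900 2592000 7200
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.MULTILINE)
NSDNAME_RE = re.compile(r"^(\S+)\.rpz-nsdname\s+CNAME\s+\.\s*$", re.MULTILINE)


def nsdname_records(ns_names):
    """Build the 'rpz-nsdname CNAME .' records that block the given nameserver names."""
    return [f"{n.rstrip('.')}.rpz-nsdname CNAME ." for n in ns_names]


def missing_nsdname(zone_text, ns_names):
    """Return the nameserver names that have no rpz-nsdname trigger in the zone text."""
    covered = {owner.lower() for owner in NSDNAME_RE.findall(zone_text)}
    return [n for n in ns_names if n.rstrip(".").lower() not in covered]


def rpz_verdict(dig_output, rpz_zone="badlist."):
    """Classify one dig response.

    'filtered'   : NXDOMAIN and the policy zone's SOA is present, i.e. RPZ rewrote it
    'unfiltered' : NOERROR, the upstream answer came through untouched
    'unknown'    : anything else (no header, SERVFAIL, an upstream NXDOMAIN, ...)
    """
    m = STATUS_RE.search(dig_output)
    if not m:
        return "unknown"
    status = m.group(1)
    # BIND attaches the policy zone's SOA to a rewritten answer; that is the
    # positive evidence that RPZ, not the upstream, produced the NXDOMAIN.
    soa_owners = {owner.lower() for owner in SOA_RE.findall(dig_output)}
    if status == "NXDOMAIN" and rpz_zone.lower() in soa_owners:
        return "filtered"
    if status == "NOERROR":
        return "unfiltered"
    return "unknown"


def live_check(name, server="localhost", rpz_zone="badlist."):
    """Assumed helper: run dig against a resolver and classify the answer (needs dig on PATH)."""
    proc = subprocess.run(["dig", f"@{server}", name, "A"],
                          capture_output=True, text=True, check=False)
    return rpz_verdict(proc.stdout, rpz_zone)


if __name__ == "__main__":
    # Offline demonstration on the quoted responses; use live_check() against a resolver.
    parent_ns = ["a.ns.nic.cz", "b.ns.nic.cz", "c.ns.nic.cz", "d.ns.nic.cz"]
    print("nameservers lacking a trigger:", missing_nsdname(ZONE, parent_ns))
    print("before 'dig ns cz':", rpz_verdict(UNFILTERED))
    print("after  'dig ns cz':", rpz_verdict(FILTERED))
```

Running rpz_verdict over both quoted responses gives "unfiltered" then "filtered", which is exactly the inconsistency the report describes; a monitoring job that expects "filtered" for a name under a blocked parent zone would flag the first state.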
Possible fixes
Explain in the documentation that forwarders will not work with NSDNAME, since they do not iterate from the bottom upwards. Or make it work.