BIND 9.11 does not apply rpz policy zone in masterfile-format map
Summary
BIND 9.11 does not apply rpz policy zone in masterfile-format map
BIND version used
(Paste the output of `named -V`.)

```
running on Linux x86_64 5.6.0-0.rc7.git0.2.fc32.x86_64 #1 SMP Mon Mar 23 18:38:45 UTC 2020
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 10.1.1 20200507 (Red Hat 10.1.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1d FIPS 10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled
default paths:
  named configuration: /etc/named.conf
  rndc configuration: /etc/rndc.conf
  DNSSEC root key: /etc/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file: /var/run/named/named.pid
  named lock file: /var/run/named/named.lock
  geoip-directory: /usr/share/GeoIP
```
Steps to reproduce
Use the simple rpz.db and named.conf and load the 'rpz' zone in map format.
What is the current bug behavior?
```
; <<>> DiG 9.11.19-RedHat-9.11.19-1.fc32 <<>> @localhost fedoraproject.org fedoraproject.org.rpz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9119
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 18be2058b49777947fdfe6865ecd79a9b27b1b1a8af56411 (good)
;; QUESTION SECTION:
;fedoraproject.org.		IN	A

;; ANSWER SECTION:
fedoraproject.org.	60	IN	A	209.132.181.16
fedoraproject.org.	60	IN	A	8.43.85.67
fedoraproject.org.	60	IN	A	209.132.181.15
fedoraproject.org.	60	IN	A	8.43.85.73
fedoraproject.org.	60	IN	A	209.132.190.2
fedoraproject.org.	60	IN	A	152.19.134.198
fedoraproject.org.	60	IN	A	67.219.144.68
fedoraproject.org.	60	IN	A	152.19.134.142
fedoraproject.org.	60	IN	A	140.211.169.196
fedoraproject.org.	60	IN	A	140.211.169.206

;; Query time: 2088 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út kvě 26 16:18:49 EDT 2020
;; MSG SIZE  rcvd: 234

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29781
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 18be2058b4977794cd3f0de85ecd79a9f12d7b774321e5af (good)
;; QUESTION SECTION:
;fedoraproject.org.rpz.		IN	A

;; ANSWER SECTION:
fedoraproject.org.rpz.	10800	IN	CNAME	.

;; AUTHORITY SECTION:
.			10787	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2020052602 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út kvě 26 16:18:49 EDT 2020
;; MSG SIZE  rcvd: 166
```
What is the expected correct behavior?
```
; <<>> DiG 9.11.19-RedHat-9.11.19-1.fc32 <<>> @localhost fedoraproject.org fedoraproject.org.rpz
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 23e5bc47d601101770fd1cec5ecd79e445cb2ae6747f2caf (good)
;; QUESTION SECTION:
;fedoraproject.org.		IN	A

;; ADDITIONAL SECTION:
rpz.			10800	IN	SOA	rpz. rpz.invalid. 0 86400 3600 604800 10800

;; Query time: 794 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út kvě 26 16:19:48 EDT 2020
;; MSG SIZE  rcvd: 124

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18813
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 23e5bc47d6011017372900095ecd79e44e185e5fce555b8c (good)
;; QUESTION SECTION:
;fedoraproject.org.rpz.		IN	A

;; ANSWER SECTION:
fedoraproject.org.rpz.	10800	IN	CNAME	.

;; AUTHORITY SECTION:
.			10791	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2020052602 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út kvě 26 16:19:48 EDT 2020
;; MSG SIZE  rcvd: 166
```
Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```) to format console output. If submitting the contents of your configuration file in a non-confidential Issue, it is advisable to obscure key secrets: this can be done automatically by using `named-checkconf -px`.)
```
# named-checkconf -p
logging {
	channel "default_debug" {
		file "data/named.run";
		severity dynamic;
	};
	category "rpz" {
		"default_debug";
	};
};
options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	geoip-directory "/usr/share/GeoIP";
	listen-on port 53 {
		127.0.0.1/32;
	};
	listen-on-v6 port 53 {
		::1/128;
	};
	managed-keys-directory "/var/named/dynamic";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	pid-file "/run/named/named.pid";
	recursing-file "/var/named/data/named.recursing";
	secroots-file "/var/named/data/named.secroots";
	session-keyfile "/run/named/session.key";
	statistics-file "/var/named/data/named_stats.txt";
	disable-algorithms "." {
		"RSAMD5";
		"DSA";
	};
	disable-ds-digests "." {
		"GOST";
	};
	dnssec-enable yes;
	dnssec-validation yes;
	recursion yes;
	response-policy {
		zone "rpz";
	};
	allow-query {
		"localhost";
	};
};
managed-keys {
	"." initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
zone "." IN {
	type hint;
	file "named.ca";
};
zone "rpz" IN {
	type master;
	file "rpz.db.raw";
	masterfile-format raw;
};
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update {
		"none";
	};
};
zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update {
		"none";
	};
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update {
		"none";
	};
};
zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update {
		"none";
	};
};
zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update {
		"none";
	};
};
```
```
; rpz.db
$TTL 3H
@	IN SOA	@ rpz.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1
nic.cz			CNAME	localhost.
fedoraproject.org	CNAME	.
redhat.com		CNAME	localhost.
download.proxmox.com	CNAME	na.cdn.proxmox.com.
```
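To make the expected behaviour concrete, here is an added offline model of the RPZ QNAME triggers in the rpz.db above. It is illustration written for this page, not code from BIND or from the reporter: it parses the CNAME policy records, maps the special targets (`.`, `*.`, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`) to their actions, and reports what a client should see, which is how the expected dig output (NXDOMAIN for fedoraproject.org with the rpz. SOA in the additional section) comes about when the policy zone is actually applied. The `*.example.test` line is a constructed addition used only to show wildcard triggers, and the matching order is a simplification of what named does (exact owner first, then the most specific wildcard; other trigger types are ignored).

```python
"""Offline model of BIND RPZ QNAME triggers, added for this issue (not BIND code).

Loads the rpz.db from the report and returns the policy action a correctly
applied `response-policy { zone "rpz"; }` would take for a query name.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Copy of rpz.db from the report.  The last line is a constructed addition
# (a wildcard trigger) used only to demonstrate wildcard matching.
RPZ_DB = """\
$TTL 3H
@ IN SOA @ rpz.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
nic.cz CNAME localhost.
fedoraproject.org CNAME .
redhat.com CNAME localhost.
download.proxmox.com CNAME na.cdn.proxmox.com.
*.example.test CNAME rpz-passthru.
"""

# Special CNAME targets defined by the RPZ format; any other target is
# "local data" that replaces the real answer.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Matches "<owner> [IN] [ttl] CNAME <target>"; apex SOA/NS/A/AAAA records
# carry no policy and are skipped.
CNAME_RE = re.compile(r"^(\S+)\s+(?:IN\s+)?(?:\d+\s+)?CNAME\s+(\S+)\s*$", re.I)


@dataclass(frozen=True)
class Policy:
    action: str            # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY, LOCAL-DATA
    target: Optional[str]  # CNAME target for LOCAL-DATA, otherwise None


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are case-insensitive."""
    return name.lower().rstrip(".")


def parse_rpz(text: str) -> Dict[str, Policy]:
    """Build owner-name -> Policy from the CNAME records of a policy zone."""
    triggers: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2)
        action = SPECIAL_TARGETS.get(target.lower(), "LOCAL-DATA")
        triggers[normalize(owner)] = Policy(action, target if action == "LOCAL-DATA" else None)
    return triggers


def lookup(triggers: Dict[str, Policy], qname: str) -> Optional[Policy]:
    """Apply QNAME triggers: an exact owner match wins, otherwise the most
    specific wildcard ("*.parent") covering the name.  None means no trigger
    matched and the query is resolved normally (simplified ordering)."""
    name = normalize(qname)
    if name in triggers:
        return triggers[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return triggers[wildcard]
    return None


def expected_dig_status(policy: Optional[Policy]) -> str:
    """What the client sees for each action; NXDOMAIN matches the 'expected'
    dig output in the report (ANSWER: 0, rpz. SOA in the ADDITIONAL section)."""
    if policy is None or policy.action == "PASSTHRU":
        return "NOERROR (real answer, resolved normally)"
    if policy.action == "NXDOMAIN":
        return "NXDOMAIN, ANSWER: 0, rpz. SOA in ADDITIONAL"
    if policy.action == "NODATA":
        return "NOERROR, ANSWER: 0"
    if policy.action == "LOCAL-DATA":
        return f"NOERROR, ANSWER: CNAME {policy.target} (rewritten)"
    return policy.action  # DROP: no response; TCP-ONLY: truncated UDP reply


if __name__ == "__main__":
    zone = parse_rpz(RPZ_DB)
    for q in ("fedoraproject.org", "www.fedoraproject.org", "nic.cz",
              "download.proxmox.com", "sub.example.test"):
        print(f"{q:24} -> {expected_dig_status(lookup(zone, q))}")
```

Running it shows `fedoraproject.org` mapped to NXDOMAIN, which is the "expected correct behavior" above; the "current bug behavior" corresponds to `lookup` never being consulted at all, i.e. the real A records coming back as if no policy zone were loaded. The same check can be used to spot a silently ignored policy zone in production: if a name that is listed in the zone still resolves normally, the zone is not being applied.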
Relevant logs and/or screenshots
Reported under Fedora bug 1833251.
Possible fixes
Version 9.16.3 was tested and does not have this issue.