Bind not returning RPZ entries when edns0 z-field set to 0x8000
Summary
We noticed that DNS queries which get forwarded by CoreDNS to our BIND do not get the answers we expect. Queries for domains where we override the A record using an RPZ get the regular A record as the answer instead of the overridden one.
By diffing direct queries against BIND using dig and queries forwarded via CoreDNS, we saw that CoreDNS sets the EDNS0 Z field to 0x8000 instead of 0x0000 as dig does. If I understand it correctly, 0x8000 means something like "allow DNSSEC security RR".
I read through some of the RFCs, but I'm still not sure whether this is a bug or expected behaviour (bypassing the RPZ in this case). So, sorry for wasting your time if this is indeed intended.
BIND version used
1:9.11.5.P4+dfsg-5.1+deb10u5
Steps to reproduce
- Set up BIND with a db.rpz overriding the A record for a public domain name.
- Query it with the EDNS0 Z field set to 0x0000 -> you get the A record from the RPZ
- Query it with the EDNS0 Z field set to 0x8000 -> you get the public A record
See the following db.rpz as an example:
$TTL 60
@       IN SOA localhost. root.localhost. (
                1234567890 ; serial
                1h         ; refresh
                30m        ; retry
                1w         ; expiry
                30m )      ; minimum
        IN NS localhost.
*.int.prod.nect.com A 192.168.13.37
I used the following two calls to craft the DNS packets and watched the responses with Wireshark; probably there's also an option for dig to test this:
# z field set to 0x0000
echo -n -e "\x5b\x30\x01\x20\x00\x01\x00\x00\x00\x00\x00\x01\x10\x77\x61\x73\x64\x65\x6d\x66\x69\x63\x6b\x69\x73\x74\x64\x61\x73\x03\x69\x6e\x74\x04\x70\x72\x6f\x64\x04\x6e\x65\x63\x74\x03\x63\x6f\x6d\x00\x00\x01\x00\x01\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x0c\x00\x0a\x00\x08\x00\xa9\xf9\xeb\x26\xc0\x68\x8b" | nc -u 127.0.0.1 53
# z field set to 0x8000
echo -n -e "\x5b\x30\x01\x20\x00\x01\x00\x00\x00\x00\x00\x01\x10\x77\x61\x73\x64\x65\x6d\x66\x69\x63\x6b\x69\x73\x74\x64\x61\x73\x03\x69\x6e\x74\x04\x70\x72\x6f\x64\x04\x6e\x65\x63\x74\x03\x63\x6f\x6d\x00\x00\x01\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x0c\x00\x0a\x00\x08\x00\xa9\xf9\xeb\x26\xc0\x68\x8b" | nc -u 127.0.0.1 53
Expected behaviour is to get the entry from the RPZ, no matter what flags the client sets.
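As an added example (not part of the report, and not BIND or CoreDNS code), the following Python script reproduces the two hand-crafted packets above programmatically, decodes the OPT RR so the flags field can be read without Wireshark, and extracts the A records from a reply. The query name and client cookie are the ones from the hex dumps; the embedded sample reply is constructed for offline checking and is not a capture from the reporter's BIND. The top bit of the OPT flags field (0x8000, shown as "Z" by Wireshark) is the DNSSEC OK ("DO") bit from RFC 3225 / RFC 6891, the same bit that `dig +dnssec` sets.

```python
"""Craft EDNS0 queries with the DO bit clear or set, and read back the OPT RR and answers."""
import socket
import struct

OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type (RFC 6891)
COOKIE_OPTION = 10    # EDNS option code for DNS COOKIE (RFC 7873), as in the report's packets
DO_BIT = 0x8000       # DNSSEC OK flag in the OPT flags ("Z") field

# Name and client cookie taken from the hex dumps in the report
QNAME = "wasdemfickistdas.int.prod.nect.com"
COOKIE = bytes.fromhex("00a9f9eb26c0688b")


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels terminated by the root label."""
    labels = [label.encode() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name, txid=0x5B30, do_bit=False, udp_size=4096, cookie=None):
    """Build an A/IN query (RD and AD set) with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = b""
    if cookie is not None:
        rdata = struct.pack("!HH", COOKIE_OPTION, len(cookie)) + cookie
    flags = DO_BIT if do_bit else 0
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, flags, len(rdata)) + rdata
    return header + question + opt


def skip_name(packet, offset):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, and the name ends here
            return offset + 2
        offset += 1 + length


def iter_records(packet):
    """Yield (section, type, class, ttl, rdata) for each RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(packet, offset) + 4          # skip QTYPE and QCLASS
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        for _ in range(count):
            offset = skip_name(packet, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
            offset += 10
            yield section, rtype, rclass, ttl, packet[offset:offset + rdlen]
            offset += rdlen


def parse_edns(packet):
    """Decode the OPT RR if present: UDP size, extended rcode, version, flags and the DO bit."""
    for _, rtype, rclass, ttl, _ in iter_records(packet):
        if rtype == OPT_TYPE:
            flags = ttl & 0xFFFF
            return {"udp_size": rclass, "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                    "flags": flags, "do": bool(flags & DO_BIT)}
    return None


def a_records(packet):
    """Return the IPv4 addresses from the answer section as dotted strings."""
    return [socket.inet_ntoa(rdata) for section, rtype, rclass, _, rdata in iter_records(packet)
            if section == "answer" and rtype == 1 and rclass == 1]


def query(server, do_bit, timeout=2.0):
    """Send one query over UDP and return the A records from the reply (needs a live server)."""
    packet = build_query(QNAME, do_bit=do_bit, cookie=COOKIE)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return a_records(reply)


# Constructed sample reply (not a capture): the DO=0 query answered from the RPZ with TTL 60
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x5B30, 0x8180, 1, 1, 0, 1)      # QR, RD, RA; 1 question, 1 answer, 1 OPT
    + encode_name(QNAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 168, 13, 37])
    + b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, 0, 0)
)

if __name__ == "__main__":
    # Against the setup in the report: DO=0 should return 192.168.13.37, DO=1 the public address
    for do_bit in (False, True):
        print("DO=%d -> %s" % (do_bit, query("127.0.0.1", do_bit)))
```

Run it on the BIND host to get both answers side by side without Wireshark. One caveat before filing this as a bug: BIND's `response-policy` statement has a `break-dnssec` option that controls whether RPZ rewrites are applied to queries carrying the DO bit, so its setting in named.conf is worth checking against the behaviour observed here.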