[ISC-support #20070] Wildcards, literal asterisk labels, and RPZ zones
Summary
A literal asterisk in an RR label can be used to bypass RPZ records.
BIND version used
9.11.33-S1 (though I think this also affects 9.16 and 9.18)
Steps to reproduce
RPZ entries:
test.com CNAME .
*.test.com CNAME .
AND
test.com zone containing *.test.com {type} {value}
(must not be delegated)
OR
sub.*.test.com zone definition
Example test:
$ dig @0 test.sub.\*.test.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @0 test.sub.*.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.sub.*.test.com. IN A
;; ANSWER SECTION:
test.sub.*.test.com. 3600 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Wed Jan 26 16:47:19 EST 2022
;; MSG SIZE rcvd: 64
What is the current bug behavior?
Queries containing a literal asterisk (such as sub.*.test.com or *.test.com) will be answered, rather than caught by RPZ.
What is the expected correct behavior?
RPZ expected to catch the query, like so:
$ dig @0 sub.test.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @0 sub.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31154
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sub.test.com. IN A
;; ADDITIONAL SECTION:
localhost.rpz. 1 IN SOA localhost. postmaster.localhost. 2004052401 3600 1800 604800 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Wed Jan 26 16:40:21 EST 2022
;; MSG SIZE rcvd: 110
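As an added illustration (not part of this report or of BIND's code), the following script models the expected RPZ QNAME-trigger semantics from the "expected correct behavior" section and scans constructed query-log lines for names that a trigger should cover but that carry a literal-asterisk label, i.e. the queries this report says are answered instead of blocked. The log-line format, the client addresses and the trigger list are assumptions for the example.

```python
import re

# Constructed sample lines in the style of BIND's query log (format assumed; not from the report).
SAMPLE_LOG = [
    "client 127.0.0.1#50123 (test.sub.*.test.com): query: test.sub.*.test.com IN A +E(0) (127.0.0.1)",
    "client 127.0.0.1#50124 (sub.test.com): query: sub.test.com IN A +E(0) (127.0.0.1)",
    "client 127.0.0.1#50125 (www.example.org): query: www.example.org IN A +E(0) (127.0.0.1)",
    "client 127.0.0.1#50126 (*.test.com): query: *.test.com IN TXT +E(0) (127.0.0.1)",
]

# QNAME triggers as in the report's RPZ zone: the exact name plus a wildcard for its subdomains.
RPZ_TRIGGERS = ["test.com", "*.test.com"]

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rpz_qname_trigger(qname, triggers):
    """Return the first trigger that should cover qname under RPZ QNAME semantics:
    an exact match, or a wildcard trigger '*.X' for any name strictly below X."""
    q = labels(qname)
    for trig in triggers:
        t = labels(trig)
        if t[0] == "*":
            suffix = t[1:]
            if len(q) > len(suffix) and q[-len(suffix):] == suffix:
                return trig
        elif q == t:
            return trig
    return None


def has_literal_asterisk(qname):
    """True when any label of qname contains a literal '*' character."""
    return any("*" in lab for lab in labels(qname))


def find_rpz_evasions(log_lines, triggers=RPZ_TRIGGERS):
    """Return (qname, trigger) for logged queries that a trigger should cover but
    that carry a literal-asterisk label, the case this report describes as unblocked."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        trig = rpz_qname_trigger(qname, triggers)
        if trig and has_literal_asterisk(qname):
            hits.append((qname, trig))
    return hits
```

Running find_rpz_evasions over a resolver's query log gives a list of names to alert on while a fixed BIND is rolled out.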