root zone mirror + RPZ = fail
Summary
The combination of a root zone mirror and SpamHaus's bad-nameservers.host.dtq RPZ results in SERVFAIL (presumably DNSSEC validation failures) for things like www.cdc.gov and vpn-prod.courts.state.mn.us.
BIND version affected
I'm running bind9 1:9.18.24-0ubuntu5 on Ubuntu 24.04.
BIND 9.18.24-0ubuntu5-Ubuntu (Extended Support Version) <id:>
running on Linux x86_64 6.8.0-35-generic #35-Ubuntu SMP PREEMPT_DYNAMIC Mon May 20 15:51:52 UTC 2024
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/bind9-cIfWt2/bind9-9.18.24=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/bind9-cIfWt2/bind9-9.18.24=/usr/src/bind9-1:9.18.24-0ubuntu5 -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=3'
compiled by GCC 13.2.0
compiled with OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
linked to OpenSSL version: OpenSSL 3.0.13 30 Jan 2024
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with libnghttp2 version: 1.59.0
linked to libnghttp2 version: 1.59.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3
linked to zlib version: 1.3
linked to maxminddb version: 1.9.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
- In `/etc/bind/named.conf.local`, add:
// Reproduction step 1a: a root zone mirror. Together with the RPZ zone
// below this is the combination the report says yields SERVFAIL.
zone "." {
type mirror;
};
// Reproduction step 1b: the Spamhaus RPZ feed, transferred from the three
// listed addresses. NOTE(review): `slave`/`masters` are the older
// spellings; 9.18 also accepts `secondary`/`primaries` (cosmetic only).
zone "bad-nameservers.host.dtq" {
type slave;
file "/var/cache/bind/bad-nameservers.host.dtq.hosts";
masters {
199.168.90.53;
199.168.90.52;
199.168.90.51;
};
// Policy data only: neither directly queryable nor re-transferable.
allow-transfer { none; };
allow-query { none; };
notify no;
};
- In `/etc/bind/named.conf.options`, inside the `options` section, add:
// Reproduction step 2: apply the RPZ zone. As I read the ARM, `break-dnssec
// yes` lets a policy rewrite be returned even where the original answer
// validated under DNSSEC — confirm against the 9.18 ARM. NOTE(review): a
// useful data point for the report would be whether the SERVFAIL persists
// with `break-dnssec no`, which would narrow it to the RPZ/DNSSEC interaction.
response-policy {
zone "bad-nameservers.host.dtq";
} break-dnssec yes;
- Be allowed to download from SpamHaus, or copy over the contents of `/var/cache/bind/bad-nameservers.host.dtq.hosts`.
What is the current bug behavior?
$ dig www.cdc.gov @localhost
; <<>> DiG 9.18.24-0ubuntu5-Ubuntu <<>> www.cdc.gov @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58382
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 55215a27a64a1b18010000006675e938fafd2b2b1b1033ec (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A
;; Query time: 507 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Jun 21 15:57:28 CDT 2024
;; MSG SIZE rcvd: 68
Note that the other query, for vpn-prod.courts.state.mn.us, does not even return SERVFAIL — it times out entirely:
$ dig vpn-prod.courts.state.mn.us @localhost
;; communications error to ::1#53: timed out
;; communications error to ::1#53: timed out
;; communications error to ::1#53: timed out
;; communications error to 127.0.0.1#53: timed out
; <<>> DiG 9.18.24-0ubuntu5-Ubuntu <<>> vpn-prod.courts.state.mn.us @localhost
;; global options: +cmd
;; no servers could be reached
What is the expected correct behavior?
It should look like this, which is what happens if either the root zone mirror or that specific RPZ zone is removed:
$ dig www.cdc.gov @localhost
; <<>> DiG 9.18.24-0ubuntu5-Ubuntu <<>> www.cdc.gov @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52042
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0e8b8dc9f39b3280010000006675eab545b1cb38d1a9b819 (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A
;; ANSWER SECTION:
www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.
www.akam.cdc.gov. 20 IN A 23.64.254.141
;; Query time: 582 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Jun 21 16:03:49 CDT 2024
;; MSG SIZE rcvd: 114
; <<>> DiG 9.18.24-0ubuntu5-Ubuntu <<>> vpn-prod.courts.state.mn.us @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42971
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5ae84013a7897f77010000006675eb48fa53c45cba8f4bc8 (good)
;; QUESTION SECTION:
;vpn-prod.courts.state.mn.us. IN A
;; ANSWER SECTION:
vpn-prod.courts.state.mn.us. 300 IN CNAME vpn-prod.gslb.courts.state.mn.us.
vpn-prod.gslb.courts.state.mn.us. 30 IN A 156.98.53.253
;; Query time: 350 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Fri Jun 21 16:06:16 CDT 2024
;; MSG SIZE rcvd: 146
Relevant configuration files
$ named-checkconf -px
// Effective configuration as printed by `named-checkconf -px`.
options {
directory "/var/cache/bind";
// Listens on every IPv6 address. No allow-recursion/allow-query appears
// here, so BIND's defaults apply — NOTE(review): confirm the resolver is
// not reachable beyond localhost/localnets before using it for testing.
listen-on-v6 {
"any";
};
// Validation on, trust anchor managed automatically (bind.keys above).
dnssec-validation auto;
// RPZ rewrites allowed to override DNSSEC-validated answers.
response-policy {
zone "bad-nameservers.host.dtq";
} break-dnssec yes;
};
// Root zone mirror added for this report.
zone "." {
type mirror;
};
// Spamhaus RPZ feed; not queryable or transferable from this server.
zone "bad-nameservers.host.dtq" {
type slave;
file "/var/cache/bind/bad-nameservers.host.dtq.hosts";
masters {
199.168.90.53;
199.168.90.52;
199.168.90.51;
};
allow-query {
"none";
};
allow-transfer {
"none";
};
notify no;
};
// Root hints from the distribution defaults. NOTE(review): "." is thus
// defined twice (mirror above, hint here); named-checkconf accepted it,
// but it is worth stating explicitly in the report.
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// Remaining zones are the stock Ubuntu/Debian default zones.
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
I don't see any of the relevant NS names in the bad-nameservers.host.dtq zone. I wish I could get RPZ logging working so that it would show which entry, if any, is matching.
Relevant logs
I have been unable to get any RPZ logging to work. I've tried sending it to a file and to syslog, and I've tried various examples from the Internet, but I see nothing specific to RPZ in the logs.