From: Mark Andrews Date: Tue, 23 Jul 2019 18:53:13 +0000 (+1000) Subject: check that bits 64..71 in a dns64 prefix are zero X-Git-Tag: v9.15.3~16^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7ec7eb6edaa71c3cc141879ce23c5369bbabf87;p=thirdparty%2Fbind9.git check that bits 64..71 in a dns64 prefix are zero
---
diff --git a/bin/tests/system/dns64/conf/bad10.conf b/bin/tests/system/dns64/conf/bad10.conf
new file mode 100644
index 00000000000..efd5d20ae33
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad10.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0100:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad11.conf b/bin/tests/system/dns64/conf/bad11.conf
new file mode 100644
index 00000000000..0e420a53220
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad11.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad12.conf b/bin/tests/system/dns64/conf/bad12.conf
new file mode 100644
index 00000000000..539b184c54e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad12.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad13.conf b/bin/tests/system/dns64/conf/bad13.conf
new file mode 100644
index 00000000000..3728ecfc706
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad13.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad14.conf b/bin/tests/system/dns64/conf/bad14.conf
new file mode 100644
index 00000000000..c2ac4f9d989
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad14.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad15.conf b/bin/tests/system/dns64/conf/bad15.conf
new file mode 100644
index 00000000000..357ae80684e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad15.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad16.conf b/bin/tests/system/dns64/conf/bad16.conf
new file mode 100644
index 00000000000..5e17457f166
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad16.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad17.conf b/bin/tests/system/dns64/conf/bad17.conf
new file mode 100644
index 00000000000..71966d2758f
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad17.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf
new file mode 100644
index 00000000000..82fac1ad4ee
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad18.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf
new file mode 100644
index 00000000000..79290c116d1
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad19.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 706fab661ac..09dca7f4c1e 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5148,7 +5148,9 @@ options {
 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
- 64 and 96 as per RFC 6052.
+ 64 and 96 as per RFC 6052. Bits 64..71 inclusive must
+ be zero with the most significate bit of the prefix in
+ position 0.
 Additionally a reverse IP6.ARPA zone will be created for
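Review bot: In bad18.conf the non-zero octet sits in `suffix ::8000:0000:0000:0000`, not in the prefix (`::/32`), and bad19.conf does the same with `suffix ::0100:0000:0000:0000`, so the prefix test this commit adds to lib/bind9/check.c (`na.type.in6.s6_addr[8] != 0`) is not what would reject them. Whether they fail as intended depends on the suffix validation in check_dns64, which this patch neither shows nor changes. It is worth confirming that this validation covers octet 8 for a /32 prefix, since otherwise the checker would accept both files. The trailing comment would also be clearer as `/* suffix bits [64..71] MBZ */`, which distinguishes these two fixtures from bad10 through bad17.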
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index cae5b9ceb1a..976235626a8 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -526,6 +526,13 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 continue;
 }
+ if (na.type.in6.s6_addr[8] != 0) {
+ cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+ "invalid prefix, bits [64..71] must be zero");
+ result = ISC_R_FAILURE;
+ continue;
+ }
+
 if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
 prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
 cfg_obj_log(map, logctx, ISC_LOG_ERROR,
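Review bot: The added test `na.type.in6.s6_addr[8] != 0` uses a bare index with no comment saying why octet 8 is special; I would add `/* RFC 6052 section 2.2: bits 64..71 are reserved and must be zero for every prefix length */` directly above it. Reading the `in6` member is only meaningful when the address is IPv6. The `continue; }` context just before the new block presumably closes an address-family check, but that check is outside the hunk and should be confirmed. Because the new block ends in `continue`, a prefix that has both a non-zero octet 8 and an unsupported length reports only the first error, which is consistent with the neighbouring checks but worth knowing when reading checker output. check_dns64 begins and ends outside this hunk.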