[v9_9] fix DNS64 with RPZ-remapped A records
authorEvan Hunt <each@isc.org>
Thu, 17 Jan 2013 19:24:16 +0000 (11:24 -0800)
committerEvan Hunt <each@isc.org>
Thu, 17 Jan 2013 19:24:16 +0000 (11:24 -0800)
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64. [RT #32141]
(cherry picked from commit 71f8edccba553c4ed4988dd12ac877564e4987d1)

CHANGES
bin/named/query.c
bin/tests/system/dns64/ns1/example.db
bin/tests/system/dns64/ns2/named.conf
bin/tests/system/dns64/ns2/rpz.db [new file with mode: 0644]
bin/tests/system/dns64/tests.sh

diff --git a/CHANGES b/CHANGES
index aa89d57cd82ba872468cb4df4296c8c48829943a..9ddb2921ef09e5dc409a97c50dcbb21d2aacf580 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
-3467.  [bug]   Added checks in dnssec-keygen and dnssec-settime to check for
-                       delete date < inactive date. [RT #31719]
+3468.  [security]      RPZ rules to generate A records (but not AAAA records)
+                       could trigger an assertion failure when used in
+                       conjunction with DNS64. [RT #32141]
+
+3467.  [bug]           Added checks in dnssec-keygen and dnssec-settime
+                       to check for delete date < inactive date. [RT #31719]
 
        --- 9.9.3b1 released ---
        
index 87394ba51b79cf6087ba2205cb4e3b75930c4001..853b7955c622349bcc8f7191788908c6680fc553 100644 (file)
@@ -5938,6 +5938,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                        client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
                                                DNS_MESSAGEFLAG_AD);
                        query_putrdataset(client, &sigrdataset);
+                       rpz_st->q.is_zone = is_zone;
                        is_zone = ISC_TRUE;
                        rpz_log_rewrite(client, "", rpz_st->m.policy,
                                        rpz_st->m.type, rpz_st->qname);
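Review bot: The new line `rpz_st->q.is_zone = is_zone;` carries no comment explaining why the pre-rewrite value is kept, and the reason is not local to this hunk: it is only read back on the DNS64 retry paths further down, behind a DNS_RPZ_REWRITTEN check. I would add above it `/* Save the pre-rewrite is_zone; the DNS64 A-record retry restores it before re-running the lookup through RPZ. */`. The enclosing query_find() starts and ends outside this hunk, so I cannot see whether q.is_zone is also set on any other rewrite path; if this is the only writer, the DNS_RPZ_REWRITTEN guard at the retry sites is what keeps them from reading a stale value, and that dependency is worth stating here as well.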
@@ -6316,6 +6317,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                        rdataset = NULL;
                        sigrdataset = NULL;
                        type = qtype = dns_rdatatype_a;
+                       rpz_st = client->query.rpz_st;
+                       if (rpz_st != NULL) {
+                               /*
+                                * Arrange for RPZ rewriting of any A records.
+                                */
+                               if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+                                       is_zone = rpz_st->q.is_zone;
+                               rpz_st_clear(client);
+                       }
                        dns64 = ISC_TRUE;
                        goto db_find;
                }
@@ -6584,6 +6594,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                        sigrdataset = NULL;
                        fname = NULL;
                        type = qtype = dns_rdatatype_a;
+                       rpz_st = client->query.rpz_st;
+                       if (rpz_st != NULL) {
+                               /*
+                                * Arrange for RPZ rewriting of any A records.
+                                */
+                               if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+                                       is_zone = rpz_st->q.is_zone;
+                               rpz_st_clear(client);
+                       }
                        dns64 = ISC_TRUE;
                        goto db_find;
                }
@@ -7084,6 +7103,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                        rdataset = NULL;
                        sigrdataset = NULL;
                        type = qtype = dns_rdatatype_a;
+                       rpz_st = client->query.rpz_st;
+                       if (rpz_st != NULL) {
+                               /*
+                                * Arrange for RPZ rewriting of any A records.
+                                */
+                               if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+                                       is_zone = rpz_st->q.is_zone;
+                               rpz_st_clear(client);
+                       }
                        dns64_exclude = dns64 = ISC_TRUE;
                        goto db_find;
                }
index 44c563963150f65d0eb1ab60dbaaa090f9171a8c..161b8ef6c59f57c26957c433de6e51c46cedf3cc 100644 (file)
@@ -53,3 +53,4 @@ ttl-less-than-600 500 A 5.6.7.8
 ttl-more-than-600 700 A 5.6.7.8
 ttl-less-than-minimum 1100 A 5.6.7.8
 ttl-more-than-minimum 1300 A 5.6.7.8
+rpz 1500 A 99.99.99.99
index df6fb9273b1faadd8fdddb7fe0235e7455aac783..c2ba378d53e460258279640f4d6b28d947024af2 100644 (file)
@@ -56,9 +56,18 @@ options {
        dns64 2001:48::/48 { clients { 10.53.0.6; }; };
        dns64 2001:56::/56 { clients { 10.53.0.6; }; };
        dns64 2001:64::/64 { clients { 10.53.0.6; }; };
+
+       dns64 2001:96::/96 { clients { 10.53.0.7; }; };
+
+        response-policy { zone "rpz"; };
 };
 
 zone "." {
        type hint;
        file "../../common/root.hint";
 };
+
+zone "rpz" {
+       type master;
+       file "rpz.db";
+};
diff --git a/bin/tests/system/dns64/ns2/rpz.db b/bin/tests/system/dns64/ns2/rpz.db
new file mode 100644 (file)
index 0000000..7a56e82
--- /dev/null
@@ -0,0 +1,12 @@
+$TTL 86400      ; 1 day
+@               IN SOA  rpz. noc.rpz. (
+                                1         ; serial
+                                86400      ; refresh (1 day)
+                                3600       ; retry (1 hour)
+                                2592000    ; expire (4 weeks 2 days)
+                                25200      ; minimum (7 hours)
+                                )
+                        NS      @
+                        IN A    10.53.0.2
+
+rpz.example IN A    10.10.10.10
index 1111c2f70a151a505ba5f652c094c651e1c00120..dbb8717bdb031e06c68e855040788f020b461bf4 100644 (file)
@@ -1352,5 +1352,12 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
+$DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
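Review bot: The new test never resets `ret` before its `$DIG ... || ret=1` line, so if the preceding test set `ret=1` this check reports a failure even when the DNS64 synthesis works, and the same failure is counted twice in `status`. Insert `ret=0` immediately after the `echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"` line, as the per-test pattern requires. The grep itself looks right: 10.10.10.10 under 2001:96::/96 is 2001:96::a0a:a0a.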