+3126. [security] Using DNAME record to generate replacements caused
+ RPZ to exit with a assertion failure. [RT #23766]
+
3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with a assertion failure.
[RT #24715]
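Review bot: the new 3126 entry repeats the article slip already present in 3125: "a assertion failure" should read "an assertion failure". Since the fix also changes user-visible behaviour (a DNAME policy RR no longer produces a rewrite but is treated as NODATA, per the query.c hunk and the ARM text in this same change), one clause saying so in the CHANGES entry would let operators who rely on DNAME rules find out from the release notes rather than from unexpected NODATA answers.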
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.353.8.2.2.4 2011/06/09 00:56:10 marka Exp $ */
+/* $Id: query.c,v 1.353.8.2.2.5 2011/06/09 03:17:10 marka Exp $ */
/*! \file */
}
break;
case DNS_R_DNAME:
- policy = DNS_RPZ_POLICY_RECORD;
- break;
+ /*
+ * DNAME policy RRs have very few if any uses that are not
+ * better served with simple wildcards. Making the work would
+ * require complications to get the number of labels matched
+ * in the name or the found name itself to the main DNS_R_DNAME
+ * case in query_find(). So fall through to treat them as NODATA.
+ */
case DNS_R_NXRRSET:
policy = DNS_RPZ_POLICY_NODATA;
break;
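Review bot: the DNS_R_DNAME case now falls through to DNS_R_NXRRSET silently, so an operator who has configured a DNAME policy RR gets NODATA answers with no indication that the rule was downgraded; consider emitting a log message (at zone load or on first match) when a DNAME policy RR is encountered, since the ARM hunk in this change only says such records are not allowed, not what happens when they are present. Two smaller points in the same hunk: the comment's "Making the work would" reads as a typo for "Making them work would", and because the case label is followed only by a comment, an explicit fall-through marker after the comment (for example a bare `/* FALLTHROUGH */` line) would keep lint and compiler fall-through warnings quiet and make the intent unmistakable to the next reader.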
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: test1,v 1.4 2011/01/13 19:30:41 each Exp $
+; $Id: test1,v 1.4.130.1 2011/06/09 03:17:11 marka Exp $
server 10.53.0.3 5300
+; NXDOMAIN
update add a0-1.tld2.bl. 300 CNAME .
-update add a3-1.tld2.bl. 300 CNAME *.
+
+; NODATA
+update add a1-1.tld2.bl. 300 CNAME *.
+; and no assert-botch
+update add a1-2.tld2.bl. 300 DNAME example.com.
+
update add *.sub1.tld2.bl. 300 A 12.12.12.12
send
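Review bot: the comment "; and no assert-botch" on the new a1-2 DNAME rule states what must not happen but not what the expected result is; a comment such as "; DNAME policy RR is treated as NODATA, must not crash named" would tie the fixture to the assertions in tests.sh (which expect nodata for both a1-2.tld2 and sub.a1-2.tld2). Renaming a3-1 to a1-1 so the NODATA cases are grouped under a1-* is fine, as long as nothing else in the test tree still references a3-1.tld2.bl.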
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3.130.2 2011/06/09 00:56:09 marka Exp $
+# $Id: tests.sh,v 1.3.130.3 2011/06/09 03:17:11 marka Exp $
# test response policy zones (RPZ)
start_test "RPZ QNAME rewrites" test1
nxdomain a0-1.tld2
-nodata a3-1.tld2
+nodata a1-1.tld2
+nodata a1-2.tld2
+nodata sub.a1-2.tld2
a12 a4-1.sub1.tld2
end_test
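Review bot: checking sub.a1-2.tld2 as well as a1-2.tld2 is the right addition, since the subdomain is where a DNAME would otherwise have been applied; if the `nodata` helper only verifies an empty answer section, consider a second assertion that the response contains no DNAME or CNAME pointing at example.com., so a regression that reintroduced the DNAME rewrite path would be caught rather than passing as an empty answer. The three expectations also depend on the a1-1/a1-2 names in test1 matching exactly, so keeping both files in the same commit (as done here) matters.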
fi
status=`expr $status + $ret`
+
if test "$status" -eq 0; then
rm -f dig.out*
fi
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.478.8.2 2011/02/03 07:39:02 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.478.8.2.2.1 2011/06/09 03:17:11 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
<para>
The rules encoded in a response policy zone (RPZ) are applied
only to responses to queries that ask for recursion (RD=1).
- RPZs are normal DNS zones containing largely valid RRsets
- that can be queried normal if allowed.
+ RPZs are normal DNS zones containing RRsets
+ that can be queried normally if allowed.
It is usually best to restrict those queries with something like
<command>allow-query {none; };</command> or
<command>allow-query { 127.0.0.1; };</command>.
records resolved in the process of generating the response.
The owner name of a QNAME rule is the query name relativized
to the RPZ.
+ The records in a rewrite rule are usually A, AAAA, or special
+ CNAMEs, but can be any type except DNAME.
</para>
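Review bot: "can be any type except DNAME" tells the reader DNAME is excluded but not whether named rejects the zone, ignores the record, or treats the rule as NODATA; the query.c hunk in this change does the last of these, and the sentence should say so explicitly (for example "a DNAME in a rewrite rule is treated as NODATA"), since an operator reading this paragraph would otherwise assume the zone would fail to load. A short pointer to the wildcard CNAME alternative, which the code comment names as the better-served use case, would also help here.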
<para>
bad.domain.com A 10.0.0.1
AAAA 2001:2::1
ok.domain.com CNAME ok.domain.com.
+*.badzone.domain.com CNAME garden.example.com.
; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
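Review bot: the added `*.badzone.domain.com CNAME garden.example.com.` example line is not introduced by a comment the way the IP rules below it are ("; IP rules rewriting all answers for 127/8 ..."); a one-line comment above it saying that a wildcard QNAME rule redirects every name under badzone.domain.com to a walled-garden host would make the example self-explanatory and show readers the wildcard form the DNAME change is steering them toward.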