On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote:
>
>
> On 11 Sep 2024, at 12:10, Lee wrote:
> >
> > On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
> >>
> >> Comma is legal in a domain name. It isn’t legal in host names, which are
> >> a subset of domain names. Named-checkzone is working exactly as it should.
> >
> > Except this isn't really a domain name - it's a whatever-it's-called
> > in a response policy zone. As far as I know there's only 4 valid
> > tokens that can come after CNAME in an RPZ:
> > ; . RPZ processing returns NXDOMAIN (name does not exist)
> > ; *. RPZ processing returns NODATA (name exists but no
> > answers returned)
> > ; rpz-drop. No response is returned to the user query
> > ; rpz-passthru. This identifies an exception (a whitelisted name)
> >
> > I missed this the first time through, but the rpz.mozilla zone _is_
> > flagged as a response policy zone in named.conf
> > response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus";
> > }
> > break-dnssec yes
> > recursive-only no
> > qname-wait-recurse no;
> >
> > It seems to me that named-checkzone should be using RPZ syntax instead
> > of the 'normal' domain name syntax. But it's not worth arguing
> > about.. the program doesn't check what I think needs checking so I'll
> > look elsewhere or write my own.
> >
> > In any case, thanks for the answer. Now that I know that
> > named-checkzone is working correctly I don't need to waste any more
> > time with it.
> >
> > Best Regards,
> > Lee
>
> The program is called named-checkzone not named-checkrpzzone and even then
> it would not be an error because you really might want to add CNAMES to
> ,.rpz.mozilla.
Call it a failure of imagination on my part, but unless comma becomes a
defined CNAME value in an RPZ file I just can't imagine me _wanting_ to add
a comma for a CNAME value in an rpz file.

> There is no way for the program to know. “.” and “*.” are
> just “special” CNAMEs for the RPZ code to process differently to how it
> processes other CNAMEs in the zone.

You notice I'm not arguing.. or suggesting how named-checkzone could be
extended. right?

> We don’t have “do what I want” software we have “do what is programmed”
> software.

Ages ago I was a programmer & one group I was in used to joke about the
"doit" processor that magically did <whatever it was> we were having
problems with at the time.

In any case, this took me so long because I've pretty much forgotten how to
program. & while it's ugly as all get-out it seems to do the job:

$ ./check-rpzzone /etc/bind/db.rpz-mozilla
OhNoes!!! line 17 invalid CNAME value: broken-cname.net CNAME ,

$ ./check-rpzzone /etc/bind/db.rpz

No complaints, so nothing beyond the 4 valid CNAME values in the file. Yay!
I've got a lot more confidence that all of the typos have been corrected
now :)

Best Regards,
Lee

>
> Mark
>
> >> If the current origin is example.com. then comma expands to ,.example.com.
> >> as it is treated as a relative name.
> >>
> >> --
> >> Mark Andrews
> >>
> >>> On 11 Sep 2024, at 03:55, Lee <ler...@gmail.com> wrote:
> >>>
> >>> I had a few typos in an RPZ file where I had a comma instead of a dot.
> >>> I tried using named-checkzone to find all the typos but it didn't
> >>> complain about anything!? Is that expected behavior?
> >>>
> >>> And a related question.. can anyone recommend a vim syntax file
> >>> checker for bind files?
> >>>
> >>> $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla
> >>> zone rpz.mozilla/IN: loaded serial 2024091001
> >>> OK
> >>>
> >>> $ cat /etc/bind/db.rpz-mozilla
> >>> $ORIGIN rpz.mozilla.
> >>> ;
> >>> https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> >>> ; return NXDOMAIN for use-application-dns.net name lookup
> >>> ;
> >>> https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
> >>> $TTL 604800
> >>>
> >>> @ IN SOA localhost. root.home.net. (
> >>> 2024091001 ; Serial
> >>> 604800 ; Refresh
> >>> 86400 ; Retry
> >>> 2419200 ; Expire
> >>> 604800 ) ; Minimum
> >>> IN NS localhost.
> >>>
> >>> ; tell Firefox to not use DOH (Dns Over Https)
> >>> use-application-dns.net CNAME .
> >>> broken-cname.net CNAME , <============= COMMA not a period
> >>> ; --- end ---
> >>>
> >>> $ dig broken-cname.net
> >>>
> >>> ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
> >>>
> >>> ;; OPT PSEUDOSECTION:
> >>> ; EDNS: version: 0, flags:; udp: 1432
> >>> ; COOKIE: ad32c4ae2224c66d0100000066e082286d1625c0e8f2160c (good)
> >>> ;; QUESTION SECTION:
> >>> ;broken-cname.net. IN A
> >>>
> >>> ;; ANSWER SECTION:
> >>> broken-cname.net. 5 IN CNAME ,.rpz.mozilla.
> >>>
> >>> ;; AUTHORITY SECTION:
> >>> rpz.mozilla. 604800 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
> >>>
> >>> ;; ADDITIONAL SECTION:
> >>> rpz.mozilla. 1 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
> >>>
> >>> ;; Query time: 0 msec
> >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>> ;; WHEN: Tue Sep 10 13:30:16 EDT 2024
> >>> ;; MSG SIZE rcvd: 194
> >>> --
> >>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >>>
> >>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >>>
> >>> bind-users mailing list
> >>> bind-users@lists.isc.org
> >>> https://lists.isc.org/mailman/listinfo/bind-users
> >>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org