> On 11 Sep 2024, at 16:06, Lee <ler...@gmail.com> wrote:
> 
> On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote:
>> 
>>> On 11 Sep 2024, at 12:10, Lee wrote:
>>> 
>>> On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
>>>> 
>>>> Comma is legal in a domain name.  It isn’t legal in a host name, which are
>>>> a subset of domain names.  Named-checkzone is working exactly as it should.
>>> 
>>> Except this isn't really a domain name - it's a whatever-it's-called
>>> in a response policy zone.  As far as I know there's only 4 valid
>>> tokens that can come after CNAME in an RPZ:
>>> ;   .              RPZ processing returns NXDOMAIN (name does not exist)
>>> ;   *.             RPZ processing returns NODATA   (name exists but no
>>> answers returned)
>>> ;   rpz-drop.      No response is returned to the user query
>>> ;   rpz-passthru.  This identifies an exception    (a whitelisted name)

Well you are wrong.  There are 4 special CNAME right hand sides.  The rest can
be used to re-write the response.  This is documented in chapter 6 of the ARM.

https://bind9.readthedocs.io/en/v9.18.29/chapter6.html#dns-firewalls-and-response-policy-zones

A response policy action can be one of the following:
    • to synthesize a “domain does not exist” (NXDOMAIN) response
    • to synthesize a “name exists but there are no records of the requested type” (NODATA) response
    • to drop the response
    • to switch to TCP by sending a truncated UDP response that requires the DNS client to try again with TCP
    • to replace/override the response’s data with specific data (provided within the response policy zone)
    • to exempt the response from further policy processing

>>> I missed this the first time through, but the rpz.mozilla zone _is_
>>> flagged as a response policy zone in named.conf
>>> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; }
>>>    break-dnssec yes
>>>    recursive-only no
>>>    qname-wait-recurse no;

Well named-checkzone does not read named.conf.  Named-checkconf reads named.conf.
Even if named-checkzone did read named.conf it still wouldn’t have rejected the zone.

>>> It seems to me that named-checkzone should be using RPZ syntax instead
>>> of the 'normal' domain name syntax.  But it's not worth arguing
>>> about.. the program doesn't check what I think needs checking so I'll
>>> look elsewhere or write my own.

It is using RPZ syntax.  If it wasn’t a valid RPZ zone it would have been
rejected by named.

>>> In any case, thanks for the answer.  Now that I know that
>>> named-checkzone is working correctly I don't need to waste any more
>>> time with it.
>>> 
>>> Best Regards,
>>> Lee
>> 
>> The program is called named-checkzone not named-checkrpzzone and even then
>> it would not be an error because you really might want to add CNAMES to
>> ,.rpz.mozilla.
> 
> Call it a failure of imagination on my part, but unless comma becomes
> a defined CNAME value in an RPZ file I just can't imagine me _wanting_
> to add a comma for a CNAME value in an rpz file.

CNAMEs *are* a defined part of a RPZ file. “,” is no more or less special
than “example.com.” or any other possible domain name on the RHS of the
CNAME.  They fall within “to replace/override the response’s data with
specific data (provided within the response policy zone)”.

>> There is no way for the program to know.  “.” and “*.” are
>> just “special” CNAMEs for the RPZ code to process differently to how it
>> processes other CNAMEs in the zone.
> 
> You notice I'm not arguing.  .. or suggesting how named-checkzone
> could be extended.  right?

No, you are arguing that it is broken.  I’m saying it is not broken
and why it is not broken.

>> We don’t have “do what I want” software we have “do what is programmed”
>> software.
> 
> Ages ago I was a programmer & one group I was in used to joke about
> the "doit" processor that magically did <whatever it was> we were
> having problems with at the time.
> 
> In any case, this took me so long because I've pretty much forgotten
> how to program.  & while it's ugly as all get-out it seems to do the
> job:
> 
> $ ./check-rpzzone /etc/bind/db.rpz-mozilla
> OhNoes!!! line 17  invalid CNAME value: broken-cname.net
> CNAME   ,

Well ./check-rpzzone appears to be broken if it is designed to process
generic RPZ zones.  The CNAME is not invalid in a RPZ zone.  Now having
a CNAME that points into a RPZ zone is a bit strange but it isn’t invalid
and it actually works.

> $ ./check-rpzzone /etc/bind/db.rpz
> 
> No complaints, so nothing beyond the 4 valid CNAME values in the file.
> Yay!  I've got a lot more confidence that all of the typos have been
> corrected now :)
> 
> Best Regards,
> Lee
> 
>> 
>> Mark
>> 
>>>> If the current origin is example.com. then comma expands to ,.example.com.
>>>> as it is treated as a relative name.
>>>> 
>>>> --
>>>> Mark Andrews
>>>> 
>>>>> On 11 Sep 2024, at 03:55, Lee <ler...@gmail.com> wrote:
>>>>> 
>>>>> I had a few typos in an RPZ file where I had a comma instead of a dot.
>>>>> I tried using named-checkzone to find all the typos but it didn't
>>>>> complain about anything!?  Is that expected behavior?
>>>>> 
>>>>> And a related question.. can anyone recommend a vim syntax file
>>>>> checker for bind files?
>>>>> 
>>>>> $ named-checkzone  rpz.mozilla  /etc/bind/db.rpz-mozilla
>>>>> zone rpz.mozilla/IN: loaded serial 2024091001
>>>>> OK
>>>>> 
>>>>> $ cat /etc/bind/db.rpz-mozilla
>>>>> $ORIGIN rpz.mozilla.
>>>>> ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>>>>> ;   return NXDOMAIN for  use-application-dns.net  name lookup
>>>>> ; https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
>>>>> $TTL    604800
>>>>> 
>>>>> @       IN      SOA     localhost.  root.home.net. (
>>>>>                      2024091001 ; Serial
>>>>>                      604800     ; Refresh
>>>>>                      86400      ; Retry
>>>>>                      2419200    ; Expire
>>>>>                      604800  )  ; Minimum
>>>>>      IN      NS      localhost.
>>>>> 
>>>>> ;  tell Firefox to not use DOH (Dns Over Https)
>>>>> use-application-dns.net         CNAME   .
>>>>> broken-cname.net                CNAME   ,          <============= COMMA not a period
>>>>> ; --- end ---
>>>>> 
>>>>> $ dig broken-cname.net
>>>>> 
>>>>> ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>>>>> 
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 1432
>>>>> ; COOKIE: ad32c4ae2224c66d0100000066e082286d1625c0e8f2160c (good)
>>>>> ;; QUESTION SECTION:
>>>>> ;broken-cname.net.              IN      A
>>>>> 
>>>>> ;; ANSWER SECTION:
>>>>> broken-cname.net.       5       IN      CNAME   ,.rpz.mozilla.
>>>>> 
>>>>> ;; AUTHORITY SECTION:
>>>>> rpz.mozilla.            604800  IN      SOA     localhost.
>>>>> root.home.net. 2024091001 604800 86400 2419200 604800
>>>>> 
>>>>> ;; ADDITIONAL SECTION:
>>>>> rpz.mozilla.            1       IN      SOA     localhost.
>>>>> root.home.net. 2024091001 604800 86400 2419200 604800
>>>>> 
>>>>> ;; Query time: 0 msec
>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>>> ;; WHEN: Tue Sep 10 13:30:16 EDT 2024
>>>>> ;; MSG SIZE  rcvd: 194
>>>> 
>> 
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
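Lee's check-rpzzone is not on the page. As an added illustration of the distinction Mark draws (the special CNAME targets from the ARM's action list, ordinary rewrite targets, and a relative name such as "," that named expands under $ORIGIN into the RPZ zone itself), here is a small linter of my own, not part of the thread, that reports a comma target as a warning rather than an error. The zone text is constructed; `rpz-tcp-only.` is the CNAME target for the ARM's "switch to TCP" action.

```python
import re

# Special RPZ CNAME targets: the policy actions listed in the ARM excerpt above.
# Any other absolute domain name on the RHS is a legal rewrite target.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-drop.": "DROP",
    "rpz-passthru.": "PASSTHRU",
    "rpz-tcp-only.": "TCP-ONLY",
}
# A label that is legal in a host name (letters, digits, hyphen, no leading/trailing hyphen).
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def lint_rpz(text, origin=None):
    """Return (line_no, owner, rhs, verdict) for each CNAME record in an RPZ master file.
    verdict is 'action:<NAME>' for a special target, 'rewrite' for an absolute host name,
    or 'warn:...' for a target that named accepts but that is probably a typo."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):                # track the origin used for relative names
            origin = line.split()[1]
            continue
        fields = line.split()
        if "CNAME" not in fields or fields.index("CNAME") + 1 >= len(fields):
            continue
        owner, rhs = fields[0], fields[fields.index("CNAME") + 1]
        if rhs in RPZ_ACTIONS:
            findings.append((no, owner, rhs, "action:" + RPZ_ACTIONS[rhs]))
        elif not rhs.endswith("."):
            # Relative name: as Mark explains, ',' becomes ',.rpz.mozilla.' under that origin.
            fqdn = rhs + "." + origin if origin else rhs + "."
            findings.append((no, owner, rhs, f"warn:relative target, expands to {fqdn}"))
        elif all(HOSTNAME_LABEL.match(lbl) for lbl in rhs[:-1].split(".")):
            findings.append((no, owner, rhs, "rewrite"))
        else:
            findings.append((no, owner, rhs, "warn:legal domain name but not a host name"))
    return findings

# Constructed sample zone in the shape of the thread's db.rpz-mozilla.
SAMPLE_ZONE = """\
$ORIGIN rpz.mozilla.
$TTL 604800
@   IN SOA localhost. root.home.net. ( 1 604800 86400 2419200 604800 )
    IN NS  localhost.
use-application-dns.net  CNAME .                     ; NXDOMAIN
broken-cname.net         CNAME ,                     ; typo: comma, not a dot
ads.example              CNAME *.                    ; NODATA
bad.example              CNAME rpz-drop.
good.example             CNAME rpz-passthru.
walled.example           CNAME sinkhole.example.net. ; rewrite
"""
```

Running `lint_rpz(SAMPLE_ZONE)` lists six CNAME records, with only the comma line carrying a warning (it expands to `,.rpz.mozilla.`), which matches what the dig output in the thread shows named actually serving.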

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
