named-checkzone fail
Lee
ler762 at gmail.com
Wed Sep 11 02:10:48 UTC 2024
On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
>
> Comma is legal in a domain name. It isn’t legal in a host name; host names are a subset of domain names. Named-checkzone is working exactly as it should.
Except this isn't really a domain name - it's a whatever-it's-called
in a response policy zone. As far as I know there are only 4 valid
tokens that can come after CNAME in an RPZ:
; . RPZ processing returns NXDOMAIN (name does not exist)
; *. RPZ processing returns NODATA (name exists but no answers returned)
; rpz-drop. No response is returned to the user query
; rpz-passthru. This identifies an exception (a whitelisted name)
I missed this the first time through, but the rpz.mozilla zone _is_
flagged as a response policy zone in named.conf
response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; }
break-dnssec yes
recursive-only no
qname-wait-recurse no;
It seems to me that named-checkzone should be using RPZ syntax instead
of the 'normal' domain name syntax. But it's not worth arguing
about.. the program doesn't check what I think needs checking so I'll
look elsewhere or write my own.
In any case, thanks for the answer. Now that I know that
named-checkzone is working correctly I don't need to waste any more
time with it.
Best Regards,
Lee
>
> If the current origin is example.com. then comma expands to ,.example.com. as it is treated as a relative name.
>
> --
> Mark Andrews
>
> > On 11 Sep 2024, at 03:55, Lee <ler762 at gmail.com> wrote:
> >
> > I had a few typos in an RPZ file where I had a comma instead of a dot.
> > I tried using named-checkzone to find all the typos but it didn't
> > complain about anything!? Is that expected behavior?
> >
> > And a related question.. can anyone recommend a vim syntax file
> > checker for bind files?
> >
> > $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla
> > zone rpz.mozilla/IN: loaded serial 2024091001
> > OK
> >
> > $ cat /etc/bind/db.rpz-mozilla
> > $ORIGIN rpz.mozilla.
> > ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> > ; return NXDOMAIN for use-application-dns.net name lookup
> > ; https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
> > $TTL 604800
> >
> > @ IN SOA localhost. root.home.net. (
> > 2024091001 ; Serial
> > 604800 ; Refresh
> > 86400 ; Retry
> > 2419200 ; Expire
> > 604800 ) ; Minimum
> > IN NS localhost.
> >
> > ; tell Firefox to not use DOH (Dns Over Https)
> > use-application-dns.net CNAME .
> > broken-cname.net CNAME , <============= COMMA not a period
> > ; --- end ---
> >
> > $ dig broken-cname.net
> >
> > ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 1432
> > ; COOKIE: ad32c4ae2224c66d0100000066e082286d1625c0e8f2160c (good)
> > ;; QUESTION SECTION:
> > ;broken-cname.net. IN A
> >
> > ;; ANSWER SECTION:
> > broken-cname.net. 5 IN CNAME ,.rpz.mozilla.
> >
> > ;; AUTHORITY SECTION:
> > rpz.mozilla. 604800 IN SOA localhost.
> > root.home.net. 2024091001 604800 86400 2419200 604800
> >
> > ;; ADDITIONAL SECTION:
> > rpz.mozilla. 1 IN SOA localhost.
> > root.home.net. 2024091001 604800 86400 2419200 604800
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Sep 10 13:30:16 EDT 2024
> > ;; MSG SIZE rcvd: 194
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
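A small checker for the gap discussed in this thread, written as an added example (not code from the thread or from BIND): it lints CNAME targets in a response policy zone file against the four action names Lee lists, accepts absolute hostname targets (RPZ local-data rewrites), and reports relative targets together with how $ORIGIN would expand them, as Mark describes. The zone text is a constructed sample modelled on the thread's file.

```python
import re

# The four RPZ action targets listed in the thread.
RPZ_ACTIONS = {".", "*.", "rpz-drop.", "rpz-passthru."}
# Hostname-style labels (letters, digits, hyphen), optional leading "*." wildcard.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+$", re.I)

# Constructed sample zone modelled on the thread's db.rpz-mozilla.
SAMPLE_ZONE = """$ORIGIN rpz.mozilla.
$TTL 604800
@ IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
 IN NS localhost.
use-application-dns.net CNAME .
broken-cname.net CNAME , ; comma typo, as in the thread
drop-me.example CNAME rpz-drop.
walled.example CNAME garden.example.com. ; local-data rewrite, legal
bad-chars.example CNAME foo,bar.
"""

def check_rpz_cnames(zone_text, origin=None):
    """Return (line_no, owner, target, problem) tuples for suspicious CNAMEs.

    Assumes each CNAME line carries its own owner name, as in the thread's
    file; lines without a CNAME (SOA, NS, directives) are skipped."""
    problems = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if "CNAME" not in fields:
            continue
        owner, idx = fields[0], fields.index("CNAME")
        if idx + 1 >= len(fields):
            problems.append((line_no, owner, "", "missing target"))
            continue
        target = fields[idx + 1]
        if target in RPZ_ACTIONS:
            continue
        if target.endswith("."):
            if not HOSTNAME_RE.match(target):
                problems.append((line_no, owner, target, "not a hostname"))
            continue
        # Relative target: the zone loader expands it under $ORIGIN, which is
        # why named-checkzone accepted "," in the thread (",.rpz.mozilla.").
        expanded = f"{target}.{origin}" if origin else target
        problems.append((line_no, owner, target, f"relative name, expands to {expanded}"))
    return problems
```

Run `check_rpz_cnames(SAMPLE_ZONE)` to see the comma line reported with its expansion, which matches the `,.rpz.mozilla.` target dig returned in the thread.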