> On 11 Sep 2024, at 12:10, Lee <ler...@gmail.com> wrote:
>
> On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
>>
>> Comma is legal in a domain name. It isn’t legal in a host name; host names are a
>> subset of domain names. Named-checkzone is working exactly as it should.
>
> Except this isn't really a domain name - it's a whatever-it's-called
> in a response policy zone. As far as I know there are only 4 valid
> tokens that can come after CNAME in an RPZ:
> ; .              RPZ processing returns NXDOMAIN (name does not exist)
> ; *.             RPZ processing returns NODATA (name exists but no
>                  answers returned)
> ; rpz-drop.      No response is returned to the user query
> ; rpz-passthru.  This identifies an exception (a whitelisted name)
>
> I missed this the first time through, but the rpz.mozilla zone _is_
> flagged as a response policy zone in named.conf:
>
> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone "rpz.urlhaus"; }
>     break-dnssec yes
>     recursive-only no
>     qname-wait-recurse no;
>
> It seems to me that named-checkzone should be using RPZ syntax instead
> of the 'normal' domain name syntax. But it's not worth arguing
> about.. the program doesn't check what I think needs checking, so I'll
> look elsewhere or write my own.
>
> In any case, thanks for the answer. Now that I know that
> named-checkzone is working correctly I don't need to waste any more
> time with it.
>
> Best Regards,
> Lee
The program is called named-checkzone, not named-checkrpzzone, and even then it would not be an error, because you really might want to add CNAMEs to ,.rpz.mozilla. There is no way for the program to know. “.” and “*.” are just “special” CNAMEs for the RPZ code to process differently to how it processes other CNAMEs in the zone. We don’t have “do what I want” software; we have “do what is programmed” software.

Mark

>> If the current origin is example.com. then comma expands to ,.example.com.
>> as it is treated as a relative name.
>>
>> --
>> Mark Andrews
>>
>>> On 11 Sep 2024, at 03:55, Lee <ler...@gmail.com> wrote:
>>>
>>> I had a few typos in an RPZ file where I had a comma instead of a dot.
>>> I tried using named-checkzone to find all the typos but it didn't
>>> complain about anything!? Is that expected behavior?
>>>
>>> And a related question.. can anyone recommend a vim syntax file
>>> checker for bind files?
>>>
>>> $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla
>>> zone rpz.mozilla/IN: loaded serial 2024091001
>>> OK
>>>
>>> $ cat /etc/bind/db.rpz-mozilla
>>> $ORIGIN rpz.mozilla.
>>> ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
>>> ; return NXDOMAIN for use-application-dns.net name lookup
>>> ; https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
>>> $TTL 604800
>>>
>>> @ IN SOA localhost. root.home.net. (
>>>                 2024091001 ; Serial
>>>                 604800     ; Refresh
>>>                 86400      ; Retry
>>>                 2419200    ; Expire
>>>                 604800 )   ; Minimum
>>>         IN NS localhost.
>>>
>>> ; tell Firefox to not use DOH (Dns Over Https)
>>> use-application-dns.net CNAME .
>>> broken-cname.net CNAME , <============= COMMA not a period
>>> ; --- end ---
>>>
>>> $ dig broken-cname.net
>>>
>>> ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 1432
>>> ; COOKIE: ad32c4ae2224c66d0100000066e082286d1625c0e8f2160c (good)
>>> ;; QUESTION SECTION:
>>> ;broken-cname.net. IN A
>>>
>>> ;; ANSWER SECTION:
>>> broken-cname.net. 5 IN CNAME ,.rpz.mozilla.
>>>
>>> ;; AUTHORITY SECTION:
>>> rpz.mozilla. 604800 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
>>>
>>> ;; ADDITIONAL SECTION:
>>> rpz.mozilla. 1 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
>>>
>>> ;; Query time: 0 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Sep 10 13:30:16 EDT 2024
>>> ;; MSG SIZE rcvd: 194
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
>>> this list
>>>
>>> ISC funds the development of this software with paid support subscriptions.
>>> Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users@lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
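As an added example (not code from this thread or from ISC), the RPZ-specific lint that Lee was looking for and that named-checkzone, by design, does not do: it expands relative CNAME targets the way Mark describes, so a stray comma surfaces as ,.rpz.mozilla., and it reports only targets that are neither an RPZ action name nor a plausible host name, leaving ordinary "local data" CNAMEs alone because the zone file cannot say whether they were intended. The sample zone is constructed for the example, and rpz-tcp-only. is a BIND action name not mentioned in the thread.

```python
import re
# CNAME targets that BIND's RPZ code treats as actions (the thread's four plus rpz-tcp-only.).
RPZ_ACTIONS = {".", "*.", "rpz-drop.", "rpz-passthru.", "rpz-tcp-only."}
# One host-name label: letters, digits, hyphen (underscore tolerated for _-prefixed names).
LABEL_RE = re.compile(r"^(\*|[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?)$")

def absolute(name, origin):
    """Expand a relative name as named does: '@' is the origin, else append $ORIGIN."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    return name + "." if origin == "." else f"{name}.{origin}"

def valid_hostname(fqdn):
    return all(LABEL_RE.match(label) for label in fqdn.rstrip(".").split("."))  # every label legal

def lint_rpz(text, origin="."):
    """Return (line, owner, target, reason) for each CNAME whose target looks wrong."""
    findings, owner = [], "@"
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.split(";", 1)[0].split()             # strip comment, tokenise
        if not toks:
            continue
        if toks[0].startswith("$"):                      # $ORIGIN / $TTL / $INCLUDE ...
            origin = toks[1] if toks[0].upper() == "$ORIGIN" else origin
            continue
        if not raw[0].isspace():                         # line names a new owner
            owner = absolute(toks[0], origin)
        upper = [t.upper() for t in toks]
        if "CNAME" not in upper:
            continue
        target = (toks[upper.index("CNAME") + 1:] or [""])[0]
        if target in RPZ_ACTIONS:                        # genuine RPZ action: fine
            continue
        if not target:
            findings.append((lineno, owner, "", "CNAME without a target"))
        elif target + "." in RPZ_ACTIONS:
            findings.append((lineno, owner, target, "RPZ action missing its trailing dot"))
        elif not valid_hostname(absolute(target, origin)):
            findings.append((lineno, owner, absolute(target, origin), "not a host name: comma for '.'?"))
        # Any other target is RPZ "local data": legal, and named cannot know your intent.
    return findings

# Constructed sample modelled on the thread's db.rpz-mozilla, not the poster's file.
SAMPLE_ZONE = """$ORIGIN rpz.mozilla.
@ IN SOA localhost. root.home.net. ( 1 604800 86400 2419200 604800 )
  IN NS localhost.
use-application-dns.net CNAME .              ; NXDOMAIN action: correct
broken-cname.net        CNAME ,              ; comma typed instead of a dot
ads.example             CNAME rpz-drop       ; relative, expands to rpz-drop.rpz.mozilla.
garden.example          CNAME sinkhole.home.net.  ; local data: legal, not flagged
"""
```

Running `lint_rpz(SAMPLE_ZONE)` reports lines 5 and 6 only; the walled-garden CNAME on line 7 passes, which is exactly the case Mark says a checker cannot decide for you.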