On Wed, Sep 11, 2024 at 3:15 AM Mark Andrews wrote:
>
> > On 11 Sep 2024, at 16:06, Lee wrote:
> >
> > On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote:
> >>
> >>> On 11 Sep 2024, at 12:10, Lee wrote:
> >>>
> >>> On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
> >>>>
> >>>> Comma is legal in a domain name. It isn’t legal in a host name which
> >>>> are a subset of domain names. Named-checkzone is working exactly as it
> >>>> should.
> >>>
> >>> Except this isn't really a domain name - it's a whatever-it's-called
> >>> in a response policy zone. As far as I know there's only 4 valid
> >>> tokens that can come after CNAME in an RPZ:
> >>> ; .             RPZ processing returns NXDOMAIN (name does not exist)
> >>> ; *.            RPZ processing returns NODATA (name exists but no
> >>>                 answers returned)
> >>> ; rpz-drop.     No response is returned to the user query
> >>> ; rpz-passthru. This identifies an exception (a whitelisted name)
>
> Well you are wrong.

I appreciate the correction. I totally forgot about returning a
completely different name.

> There are 4 special CNAME right hand sides. The rest can be
> used to re-write the response. This is documented in chapter 6 of the ARM.
>
> https://bind9.readthedocs.io/en/v9.18.29/chapter6.html#dns-firewalls-and-response-policy-zones
>
> A response policy action can be one of the following:
> • to synthesize a “domain does not exist” (NXDOMAIN) response
> • to synthesize a “name exists but there are no records of the requested
>   type” (NODATA) response
> • to drop the response
> • to switch to TCP by sending a truncated UDP response that requires the
>   DNS client to try again with TCP

which must be new. I don't remember this one.

> • to replace/override the response’s data with specific data (provided
>   within the response policy zone)
> • to exempt the response from further policy processing
>
> >>> I missed this the first time through, but the rpz.mozilla zone _is_
> >>> flagged as a response policy zone in named.conf
> >>> response-policy { zone "rpz.mozilla"; zone "rpz.zone"; zone
> >>> "rpz.urlhaus"; }
> >>> break-dnssec yes
> >>> recursive-only no
> >>> qname-wait-recurse no;
>
> Well named-checkzone does not read named.conf. Named-checkconf reads
> named.conf.
> Even if named-checkzone did read named.conf it still wouldn’t have rejected
> the zone.
>
> >>> It seems to me that named-checkzone should be using RPZ syntax instead
> >>> of the 'normal' domain name syntax. But it's not worth arguing
> >>> about.. the program doesn't check what I think needs checking so I'll
> >>> look elsewhere or write my own.
>
> It is using RPZ syntax. If it wasn’t a valid RPZ zone it would have been
> rejected by named.

You seem to be missing the point - I was looking for something that
would catch my typos. Comma being right next to period on my keyboard
and them looking alike .. even when I'm wearing my "computer" glasses;
I had a fair number of errors in my zone file that I wanted flagged so
I could correct them.

> >>> In any case, thanks for the answer. Now that I know that
> >>> named-checkzone is working correctly I don't need to waste any more
> >>> time with it.
> >>>
> >>> Best Regards,
> >>> Lee
> >>
> >> The program is called named-checkzone not named-checkrpzzone and even then
> >> it would not be an error because you really might want to add CNAMES to
> >> ,.rpz.mozilla.
> >
> > Call it a failure of imagination on my part, but unless comma becomes
> > a defined CNAME value in an RPZ file I just can't imagine me _wanting_
> > to add a comma for a CNAME value in an rpz file.
>
> CNAMEs *are* a defined part of a RPZ file. “,” is not more or less special
> than “example.com.” or any other possible domain name on the RHS of the
> CNAME. They fall within "to replace/override the response’s data with
> specific data (provided within the response policy zone)”.

Wasn't it this list that had a very long discussion about underscores
in CNAMES? Eventually coming to the conclusion that underscores are
perfectly fine in CNAMES?

So yes, technically a comma in a cname is valid .. but in my case
**it's a typo** and I was hoping there was already a program written
that would catch all my typos.

.. checking my msg later: Wow! My notes have the discussion 10 years ago
[dns-operations] about the underline in hostname
https://lists.dns-oarc.net/pipermail/dns-operations/2014-May/011749.html
that has this gem in it from Paul Vixie:

    we can't righteously complain about middleboxes that think they know
    what UDP/53 payloads have to look like and thus prevent EDNS from
    being widely deployed, while at the same time saying that BIND's
    zone file parser knows what a host name ought to look like (even if
    you're right 99.9999% of the time).

So.. to say it again

> ... Now that I know that named-checkzone is working correctly

I apologize if I came across as being critical of named-checkzone.

> >> There is no way for the program to know. “.” and “*.” are
> >> just “special” CNAMEs for the RPZ code to process differently to how it
> >> processes other CNAMEs in the zone.
> >
> > You notice I'm not arguing. .. or suggesting how named-checkzone
> > could be extended. right?
>
> No, you are arguing that it is broken. I’m saying it is not broken
> and why it is not broken.

Please take another look at the original post:

-- I tried using named-checkzone to find all the typos but it didn't
-- complain about anything!? Is that expected behavior?

I appreciate the extended follow up & I'm _not_ saying that
named-checkzone is broken. It doesn't do what I was hoping it would do
but, at worst, that's a misunderstanding on my part.

> >> We don’t have “do what I want” software we have “do what is programmed”
> >> software.
> >
> > Ages ago I was a programmer & one group I was in used to joke about
> > the "doit" processor that magically did <whatever it was> we were
> > having problems with at the time.
> >
> > In any case, this took me so long because I've pretty much forgotten
> > how to program. & while it's ugly as all get-out it seems to do the
> > job:
> >
> > $ ./check-rpzzone /etc/bind/db.rpz-mozilla
> > OhNoes!!! line 17 invalid CNAME value: broken-cname.net CNAME ,
>
> Well ./check-rpzzone appears to be broken

It's working exactly as designed -- flagging all my typos where I put a
comma instead of a period.

Thanks again,
Lee

> The CNAME is not invalid in a RPZ zone. Now having
> a CNAME that points into a RPZ zone is a bit strange but it isn’t invalid
> and it actually works.
>
> > $ ./check-rpzzone /etc/bind/db.rpz
> >
> > No complaints, so nothing beyond the 4 valid CNAME values in the file.
> > Yay! I've got a lot more confidence that all of the typos have been
> > corrected now :)
> >
> > Best Regards,
> > Lee
> >
> >>
> >> Mark
> >>
> >>>> If the current origin is example.com. then comma expands to
> >>>> ,.example.com. as it is treated as a relative name.
> >>>>
> >>>> --
> >>>> Mark Andrews
> >>>>
> >>>>> On 11 Sep 2024, at 03:55, Lee <ler...@gmail.com> wrote:
> >>>>>
> >>>>> I had a few typos in an RPZ file where I had a comma instead of a dot.
> >>>>> I tried using named-checkzone to find all the typos but it didn't
> >>>>> complain about anything!? Is that expected behavior?
> >>>>>
> >>>>> And a related question.. can anyone recommend a vim syntax file
> >>>>> checker for bind files?
> >>>>>
> >>>>> $ named-checkzone rpz.mozilla /etc/bind/db.rpz-mozilla
> >>>>> zone rpz.mozilla/IN: loaded serial 2024091001
> >>>>> OK
> >>>>>
> >>>>> $ cat /etc/bind/db.rpz-mozilla
> >>>>> $ORIGIN rpz.mozilla.
> >>>>> ; https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
> >>>>> ; return NXDOMAIN for use-application-dns.net name lookup
> >>>>> ; https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default
> >>>>> $TTL 604800
> >>>>>
> >>>>> @ IN SOA localhost. root.home.net. (
> >>>>>         2024091001 ; Serial
> >>>>>         604800     ; Refresh
> >>>>>         86400      ; Retry
> >>>>>         2419200    ; Expire
> >>>>>         604800 )   ; Minimum
> >>>>>   IN NS localhost.
> >>>>>
> >>>>> ; tell Firefox to not use DOH (Dns Over Https)
> >>>>> use-application-dns.net CNAME .
> >>>>> broken-cname.net CNAME ,         <============= COMMA not a period
> >>>>> ; --- end ---
> >>>>>
> >>>>> $ dig broken-cname.net
> >>>>>
> >>>>> ; <<>> DiG 9.16.50-Debian <<>> broken-cname.net
> >>>>> ;; global options: +cmd
> >>>>> ;; Got answer:
> >>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62006
> >>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
> >>>>>
> >>>>> ;; OPT PSEUDOSECTION:
> >>>>> ; EDNS: version: 0, flags:; udp: 1432
> >>>>> ; COOKIE: ad32c4ae2224c66d0100000066e082286d1625c0e8f2160c (good)
> >>>>> ;; QUESTION SECTION:
> >>>>> ;broken-cname.net. IN A
> >>>>>
> >>>>> ;; ANSWER SECTION:
> >>>>> broken-cname.net. 5 IN CNAME ,.rpz.mozilla.
> >>>>>
> >>>>> ;; AUTHORITY SECTION:
> >>>>> rpz.mozilla. 604800 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
> >>>>>
> >>>>> ;; ADDITIONAL SECTION:
> >>>>> rpz.mozilla. 1 IN SOA localhost. root.home.net. 2024091001 604800 86400 2419200 604800
> >>>>>
> >>>>> ;; Query time: 0 msec
> >>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>> ;; WHEN: Tue Sep 10 13:30:16 EDT 2024
> >>>>> ;; MSG SIZE rcvd: 194
> >>>>> --
> >>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >>>>> from this list
> >>>>>
> >>>>> ISC funds the development of this software with paid support
> >>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
> >>>>> information.
> >>>>>
> >>>>>
> >>>>> bind-users mailing list
> >>>>> bind-users@lists.isc.org
> >>>>> https://lists.isc.org/mailman/listinfo/bind-users
> >>>>
> >>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> >>
>
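Lee's check-rpzzone is only shown by its output in the thread. The Python below is an added example, not Lee's script and not BIND code: it implements the kind of check the thread ends on, a local typo filter rather than a validity check. It accepts the four special RPZ CNAME targets and hostname-like rewrite targets (underscores included, as the thread recalls they are fine in CNAMEs), flags anything else, a comma in particular, and reports what a relative target expands to under $ORIGIN, mirroring the `,.rpz.mozilla.` seen in the dig output. The sample zone is constructed, modelled on the one posted; the accepted character set is this example's own policy choice, not a rule named-checkzone applies.

```python
"""Flag likely-typo CNAME targets in an RPZ zone file.

Added example, not Lee's check-rpzzone and not part of BIND.  A comma is a
legal domain-name character and named-checkzone is right to accept it; this
is a local policy check that treats anything outside the four special RPZ
targets or a hostname-like name as a typo.
"""
from __future__ import annotations

import re
import sys

# The four special RPZ CNAME right-hand sides named in the thread.
SPECIAL_TARGETS = {".", "*.", "rpz-drop.", "rpz-passthru."}

# Characters this checker accepts in an ordinary (rewrite) target label.
# Underscore is allowed on purpose; a comma or an empty label ("a..b") is
# legal DNS but treated as a typo here.  Policy choice of this example.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def classify_target(target: str) -> str:
    """Return 'special', 'ok' or 'suspicious' for one CNAME right-hand side."""
    if target in SPECIAL_TARGETS:
        return "special"
    name = target[:-1] if target.endswith(".") else target  # absolute vs relative
    if name and all(LABEL_RE.match(label) for label in name.split(".")):
        return "ok"
    return "suspicious"


def expand(target: str, origin: str) -> str:
    """Absolute name the target becomes: a relative name gets $ORIGIN appended,
    which is how 'CNAME ,' became ',.rpz.mozilla.' in the dig output."""
    return target if target.endswith(".") else f"{target}.{origin}"


def check_rpz_zone(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line, owner, target, expanded target) for each suspicious CNAME.

    Handles ';' comments, $ORIGIN/$TTL directives, owner-less continuation
    lines and parenthesised multi-line records such as the SOA.  It does not
    handle quoted strings, which RPZ zones normally do not contain.
    """
    origin, owner, in_parens = ".", "@", False
    findings: list[tuple[int, str, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].rstrip()
        if in_parens:                       # still inside a ( ... ) record
            in_parens = ")" not in line
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):       # $TTL, $INCLUDE, ...
            continue
        if not raw[0].isspace():            # column-0 text names the owner
            owner = tokens[0]
        if "(" in line and ")" not in line:
            in_parens = True
            continue
        upper = [t.upper() for t in tokens]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        target = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        if classify_target(target) == "suspicious":
            findings.append((lineno, owner, target, expand(target, origin)))
    return findings


# Constructed sample zone, modelled on the one posted in the thread, with two
# comma typos and one record for each of the special targets.
SAMPLE_ZONE = """\
$ORIGIN rpz.mozilla.
$TTL 604800
; constructed sample zone
@ IN SOA localhost. root.home.net. (
        2024091001 ; Serial
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Minimum
  IN NS localhost.

; tell Firefox not to use DoH
use-application-dns.net CNAME .
broken-cname.net        CNAME ,
nodata.example          CNAME *.
dropped.example         CNAME rpz-drop.
allowed.example         CNAME rpz-passthru.
rewrite.example         CNAME sinkhole.example.net.
also-broken.example     CNAME sinkhole,example.net.
"""


def main(argv: list[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ZONE
    findings = check_rpz_zone(text)
    for lineno, owner, target, expanded in findings:
        print(f"line {lineno}: {owner} CNAME {target!r} (becomes {expanded}) looks like a typo")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with a zone file as the argument to lint it, or with no argument to lint the embedded sample; the exit status is non-zero when anything is flagged, so it can sit in front of `named-checkzone` in a pre-reload hook. The two checks are complementary: named-checkzone confirms the zone is loadable, this confirms the CNAME targets are the ones you meant.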