RPZ ignored when is CNAME target?

Phil Pennock unbound-users+phil at spodhuis.org
Fri Dec 18 00:30:38 UTC 2020


On 2020-12-17 at 22:22 +0100, Fredrik Pettai wrote:
> Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.

That's a distinct issue; for my local RPZ zone, I do exactly that.  For
instance, I tend to be paranoid about public feeds of "deny access"
rules and make sure that my own IP ranges and domains are exempted,
always, so that I'm less likely to be locked out of my own stuff because
of a corrupted feed, so I do have:

  spodhuis.org        CNAME  rpz-passthru.
  *.spodhuis.org      CNAME  rpz-passthru.

Really the fact that www.example.org was a subdomain of the target of
the CNAME is a red herring.  If I have `example.org` and `*.example.org`
in the deny-list, and then someone registers `example.net` and sets it
up as a DNAME for `example.org`, that's a rather fast way to get around
checks.

I've done what I should have done before and checked the spec; by my
reading of <https://tools.ietf.org/html/draft-vixie-dns-rpz-04>, section
5.1 seems to claim that if www.example.net is a CNAME pointing to
example.org, and example.org is set to return NXDOMAIN, then
www.example.net should return NXDOMAIN too.

Am I mis-reading 5.1, or is Unbound not (yet?) implementing this version
of the spec?

-Phil
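As an added illustration (not part of the original post and not Unbound's code), the following Python model evaluates RPZ "CNAME ." and "CNAME rpz-passthru." rules against every name in a CNAME chain, which is the reading of draft-vixie-dns-rpz-04 section 5.1 discussed above, and contrasts it with checking only the original QNAME. The policy zone, the `home.example` exemption and the CNAME data are constructed for the example; nothing here describes how Unbound actually implements RPZ.

```python
# Added example: a toy model of RPZ QNAME-policy evaluation in which every
# name in a CNAME chain is checked against the policy zone, which is how the
# post reads draft-vixie-dns-rpz-04 section 5.1. This is not Unbound code and
# makes no claim about Unbound's implementation; the rules and CNAME data
# below are constructed for illustration.

NXDOMAIN = "."              # RPZ encoding: "owner CNAME ." means return NXDOMAIN
PASSTHRU = "rpz-passthru."  # RPZ encoding: exempt the name from policy


def canonical(name):
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def parse_rpz(zone_text):
    """Parse 'owner CNAME target' lines (the only form this model supports)."""
    rules = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() == "CNAME":
            rules[canonical(owner)] = target
    return rules


def lookup_policy(rules, name):
    """Exact owner match wins; otherwise the closest enclosing '*.' wildcard."""
    name = canonical(name)
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def resolve(rules, cnames, qname, check_cname_targets=True, max_hops=8):
    """Follow CNAMEs from qname and return (outcome, names_checked).

    With check_cname_targets=True every name in the chain is matched against
    the policy (the draft's reading); with False only the original QNAME is,
    which lets an alias into a denied zone resolve normally.
    """
    checked = []
    name = canonical(qname)
    for hop in range(max_hops):
        if hop == 0 or check_cname_targets:
            checked.append(name)
            policy = lookup_policy(rules, name)
            if policy == PASSTHRU:
                return ("PASSTHRU", checked)   # exempt: stop applying policy
            if policy == NXDOMAIN:
                return ("NXDOMAIN", checked)
        target = cnames.get(name)
        if target is None:
            return ("ANSWER", checked)       # end of chain, no policy hit
        name = canonical(target)
    return ("SERVFAIL", checked)             # CNAME loop or chain too long


# Constructed policy zone: deny example.org and everything under it, and
# exempt a hypothetical home.example zone the way the post exempts its own.
RPZ_ZONE = """
home.example        CNAME  rpz-passthru.
*.home.example      CNAME  rpz-passthru.
example.org         CNAME  .
*.example.org       CNAME  .
"""

# Constructed CNAME data standing in for what the resolver would fetch.
CNAMES = {
    "www.example.net": "example.org.",        # alias into the denied zone
    "alias.example.net": "www.example.org.",  # alias under the denied zone
    "www.home.example": "example.org.",       # exempt name aliasing a denied one
}

RULES = parse_rpz(RPZ_ZONE)


def demo():
    """Evaluate a few constructed queries with CNAME-target checking on."""
    return {q: resolve(RULES, CNAMES, q) for q in
            ["example.org", "www.example.net", "alias.example.net",
             "www.home.example", "other.example.net"]}


if __name__ == "__main__":
    for q, (outcome, checked) in demo().items():
        print(f"{q:20} -> {outcome:9} (checked {' -> '.join(checked)})")
    # Same alias with only the QNAME checked: the denied target is never seen.
    print(resolve(RULES, CNAMES, "www.example.net", check_cname_targets=False))
```

The `www.home.example` case shows why the passthru entries matter: the exemption is applied to the first name in the chain and policy evaluation stops there, so an exempted name is not blocked even when it aliases into a denied zone.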

