RPZ ignored when is CNAME target?
Phil Pennock
unbound-users+phil at spodhuis.org
Fri Dec 18 00:30:38 UTC 2020
On 2020-12-17 at 22:22 +0100, Fredrik Pettai wrote:
> Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.
That's a distinct issue; for my local RPZ zone, I do exactly that. For
instance, I tend to be paranoid about public feeds of "deny access"
rules and make sure that my own IP ranges and domains are exempted,
always, so that I'm less likely to be locked out of my own stuff because
of a corrupted feed, so I do have:
spodhuis.org CNAME rpz-passthru.
*.spodhuis.org CNAME rpz-passthru.
Really the fact that www.example.org was a subdomain of the target of
the CNAME is a red herring. If I have `example.org` and `*.example.org`
in the deny-list, and then someone registers `example.net` and sets it
up as a DNAME for `example.org`, that's a rather fast way to get around
checks.
I've done what I should have done before and checked the spec; by my
reading of <https://tools.ietf.org/html/draft-vixie-dns-rpz-04>, section
5.1 seems to claim that if www.example.net is a CNAME pointing to
example.org, and example.org is set to return NXDOMAIN, then
www.example.net should return NXDOMAIN too.
Am I mis-reading 5.1, or is Unbound not (yet?) implementing this version
of the spec?
-Phil
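The behaviour Phil describes (rpz-passthru exemptions, wildcard entries, and the policy being re-applied to each name reached through a CNAME, including a CNAME synthesized from a DNAME) as an added, simplified Python model; this is not Unbound's code and not from the thread. All names except spodhuis.org and example.org are constructed, `evil.net` is the hypothetical DNAME bypass, and the model assumes a passthru match ends policy evaluation for that query.

```python
# Constructed, simplified model of RPZ QNAME-trigger evaluation (not Unbound's code).
# Policy is checked for the query name and again for every name a CNAME/DNAME leads to.

# RPZ actions keyed by owner name in the policy zone (constructed sample data):
# "CNAME ." encodes NXDOMAIN, "CNAME rpz-passthru." encodes an exemption.
RPZ_RULES = {
    "spodhuis.org": "rpz-passthru",
    "*.spodhuis.org": "rpz-passthru",
    "example.org": "nxdomain",
    "*.example.org": "nxdomain",
}

# Constructed upstream data standing in for authoritative answers.
CNAMES = {"www.example.net": "example.org"}
DNAMES = {"evil.net": "example.org"}  # hypothetical DNAME pointing into the deny-listed zone


def match_rule(name: str):
    """Return the RPZ action for name: exact owner first, then the closest wildcard ancestor."""
    name = name.rstrip(".").lower()
    if name in RPZ_RULES:
        return RPZ_RULES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in RPZ_RULES:
            return RPZ_RULES[wildcard]
    return None


def resolve(qname: str):
    """Follow CNAME/DNAME redirections, re-checking the RPZ at every name in the chain."""
    name = qname.rstrip(".").lower()
    chain = [name]
    while True:
        action = match_rule(name)
        if action == "rpz-passthru":
            return "PASSTHRU", chain  # exempt: stop applying policy (assumed semantics)
        if action == "nxdomain":
            return "NXDOMAIN", chain  # policy hit on this element of the chain
        target = CNAMES.get(name)
        if target is None:
            # Synthesize a CNAME from a DNAME on an ancestor, as a resolver would.
            for owner, replacement in DNAMES.items():
                if name.endswith("." + owner):
                    target = name[: -len(owner)] + replacement
        if target is None:
            return "NOERROR", chain  # no policy hit anywhere in the chain
        name = target
        chain.append(name)
```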