RPZ ignored when is CNAME target?

Fredrik Pettai pettai at sunet.se
Fri Dec 18 16:08:40 UTC 2020



> On 18 Dec 2020, at 01:30, Phil Pennock via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> On 2020-12-17 at 22:22 +0100, Fredrik Pettai wrote:
>> Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.
> 
> That's a distinct issue; for my local RPZ zone, I do exactly that.  For
> instance, I tend to be paranoid about public feeds of "deny access"
> rules and make sure that my own IP ranges and domains are exempted,
> always, so that I'm less likely to be locked out of my own stuff because
> of a corrupted feed, so I do have:
> 
>  spodhuis.org        CNAME  rpz-passthru.
>  *.spodhuis.org      CNAME  rpz-passthru.
> 
> Really the fact that www.example.org was a subdomain of the target of
> the CNAME is a red herring.  If I have `example.org` and `*.example.org`
> in the deny-list, and then someone registers `example.net` and sets it
> up as a DNAME for `example.org`, that's a rather fast way to get around
> checks.
> 
> I've done what I should have done before and checked the spec; by my
> reading of <https://tools.ietf.org/html/draft-vixie-dns-rpz-04>, section
> 5.1 seems to claim that if www.example.net is a CNAME pointing to
> example.org, and example.org is set to return NXDOMAIN, then
> www.example.net should return NXDOMAIN too.
> 
> Am I mis-reading 5.1, or is Unbound not (yet?) implementing this version
> of the spec?

Ah, sorry, I thought you wanted to be sure to block *anything* below.

So you might have found an issue with Unbound's RPZ implementation.
The initial work references an earlier version of this draft AFAIK...
I’d suggest you file this as an issue on Unbound’s GitHub page and let the devs look at it.

Re,
/P
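As an added illustration (not Unbound's code and not from either poster), a small Python model of the behaviour Phil reads into section 5.1: the QNAME policy applied to each CNAME target in the chain, with a question-name-only variant for contrast. The zone contents, the upstream answers and the assumption that rpz-passthru exempts the rest of the chain are all constructed for the example.

```python
# Toy model of RPZ QNAME-trigger evaluation across a CNAME chain
# (constructed example; not Unbound's code and not from the thread).
# Constructed RPZ zone: owner -> CNAME target encoding the action;
# "." means NXDOMAIN, "rpz-passthru." means exempt from rewriting.
RPZ_ZONE = {
    "example.org.": ".",
    "*.example.org.": ".",
    "spodhuis.org.": "rpz-passthru.",
    "*.spodhuis.org.": "rpz-passthru.",
}
# Constructed upstream data: name -> (rrtype, rdata); www.example.net is
# the "CNAME to a blocked target" case from the thread.
UPSTREAM = {
    "www.example.net.": ("CNAME", "www.example.org."),
    "www.example.org.": ("A", "192.0.2.10"),
    "www.spodhuis.org.": ("CNAME", "www.example.org."),
    "www.example.com.": ("A", "192.0.2.20"),
}

def rpz_action(name):
    """Most specific RPZ owner matching name: exact first, then wildcards."""
    if name in RPZ_ZONE:
        return RPZ_ZONE[name]
    labels = name.split(".")  # ends with "" because of the root dot
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in RPZ_ZONE:
            return RPZ_ZONE[wild]
    return None

def resolve(qname, chain_policy=True, max_chain=8):
    """Follow qname's CNAME chain; apply QNAME policy to every hop
    (chain_policy=True, the 5.1 reading) or only to the question name."""
    name, policed = qname, True
    for hop in range(max_chain):
        if policed and (chain_policy or hop == 0):
            action = rpz_action(name)
            if action == ".":
                return "NXDOMAIN", None
            if action == "rpz-passthru.":
                policed = False  # assumption: exemption covers the rest of the chain
        rr = UPSTREAM.get(name)
        if rr is None:
            return "NXDOMAIN", None  # constructed: unknown names do not exist
        rtype, rdata = rr
        if rtype != "CNAME":
            return ("OK" if policed else "PASSTHRU"), rdata
        name = rdata  # continue with the CNAME target
    return "SERVFAIL", None  # chain too long
```

With chain checking on, www.example.net resolves to NXDOMAIN because its CNAME target falls under the blocked `*.example.org`; with it off, the question name alone is checked and the real A record comes back.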

