Hi, Fred! Thanks for your reply and tests. The questions you ask are my questions too, just asked more professionally. Thanks for it :)

Okay, let's use only the variant with the trailing dot, thank you for the clarification.

I don't understand why your tests for "cname.example.com" and "cname.test.m3047.net" differ (the first one returns only

CNAME.EXAMPLE.COM.      5       IN      CNAME   TEST.EXAMPLE.COM.

the second one returns two RRs:

CNAME.TEST.M3047.NET.   5       IN      CNAME   ACTUAL.TEST.M3047.NET.
ACTUAL.TEST.M3047.NET.  7200    IN      A       209.221.140.128
)

In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have the following named.conf:

"""
options {
    response-policy { zone "rpz"; };
};
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
};
"""

And rpz.zone:

"""
$TTL 1H
@                   SOA     LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                    NS      LOCALHOST.
cname.domain.com    CNAME   test.domain.com.
test.domain.com     A       10.10.10.10
"""

So I run "dig cname.domain.com @127.0.0.1" and the result is

"""
...
;; QUESTION SECTION:
;cname.domain.com.              IN      A

;; ANSWER SECTION:
cname.domain.com.       5       IN      CNAME   test.domain.com.
test.domain.com.        599     IN      A       66.96.162.92

;; AUTHORITY SECTION:
.                       5211    IN      NS      c.root-servers.net.
.                       5211    IN      NS      e.root-servers.net.
.                       5211    IN      NS      k.root-servers.net.
.                       5211    IN      NS      l.root-servers.net.
.                       5211    IN      NS      g.root-servers.net.
.                       5211    IN      NS      d.root-servers.net.
.                       5211    IN      NS      i.root-servers.net.
.                       5211    IN      NS      a.root-servers.net.
.                       5211    IN      NS      b.root-servers.net.
.                       5211    IN      NS      m.root-servers.net.
.                       5211    IN      NS      f.root-servers.net.
.                       5211    IN      NS      h.root-servers.net.
.                       5211    IN      NS      j.root-servers.net.
...
"""

(as for you in the second test).

And yes, resolving via the RPZ suffix is working as well:

# dig cname.domain.com.rpz @127.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> cname.domain.com.rpz @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 33d9dfa596759fe554fb08f15db08b141f084f760f479882 (good)
;; QUESTION SECTION:
;cname.domain.com.rpz.          IN      A

;; ANSWER SECTION:
cname.domain.com.rpz.   3600    IN      CNAME   test.domain.com.
test.domain.com.        5       IN      A       10.10.10.10

;; AUTHORITY SECTION:
rpz.                    3600    IN      NS      LOCALHOST.

Andrey

23.10.2019, 21:49, "m3047" <m3...@m3047.net>:
> Hi, so Andrey,
>
> Your output doesn't reflect what I would expect to see from an
> RPZ-mediated query, but rather what I would expect to see if querying a
> zone, such as the RPZ itself, directly. So I am not sure I understand your
> question.
>
> To the broader ISC community: however, I'm confused by the response I'm
> getting. Oddly enough dig is giving me the unexpected results, and
> (Python) socket.getaddrinfo() does what I expect. It appears that CNAME
> resolution within RPZ is escaping...
>
> On Wed, 23 Oct 2019, Andrey Geyn wrote:
>
>> Date: Wed, 23 Oct 2019 19:34:39 +0500
>> From: Andrey Geyn <andg...@yandex-team.ru>
>> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
>> Subject: Internal CNAME in RPZ
>>
>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>
>> 1.
>> cname.domain.com CNAME test.domain.com (without trailing dot)
>> test.domain.com A 10.10.10.10
>
> Trailing dot is needed.
>
>> 2.
>> cname.domain.com CNAME test.domain.com. (with trailing dot)
>> test.domain.com A 10.10.10.10
>
> Yes I believe this to be correct.
>
>> # dig cname.domain.com @127.0.0.1
>>
>> cname.domain.com. 5 IN CNAME test.domain.com.
>> test.domain.com. 531 IN A 66.96.162.92
>
> # net-dns.pl add rpz cname.example.com CNAME test.example.com.
> # net-dns.pl add rpz test.example.com A 10.10.10.10
>
> Here's the answer I didn't expect, from dig:
>
> # dig +short cname.example.com
> TEST.EXAMPLE.COM.
> # dig +short test.example.com
> 10.10.10.10
>
> It did not follow the CNAME chain. Here's what I expected, from
> getaddrinfo():
>
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> All the rest of the queries follow. The recursive resolver (at 10.0.0.220)
> is running 9.12.3-p1. I tested with versions of dig up to and including
> 9.12.3-p1
>
> Notice that in the very first test below the AUTHORITY refers to
> icann.org, but the ADDITIONAL (correctly) refers to my RPZ. I repeated
> with a different domain with the rationale that example.com was
> confounding results, and got something similar.
>
> Querying the RPZ directly, e.g. for cname.test.m3047.net.rpz1.m3047.net
> does the reverse, looking up actual.test.m3047.net from the RPZ instead of
> the real world.
>
> --
>
> Fred Morris
>
> --
>
> # dig cname.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40161
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com.             IN      A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM.      5       IN      CNAME   TEST.EXAMPLE.COM.
>
> ;; AUTHORITY SECTION:
> EXAMPLE.COM.            3600    IN      SOA     ns.icann.org. noc.dns.icann.org. 2019101506 7200 3600 1209600 3600
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net.         1       IN      SOA     DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600
>
> ;; Query time: 1142 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:03:34 2019
> ;; MSG SIZE  rcvd: 209
>
> # dig test.example.com
>
> ; <<>> DiG 9.8.3-P1 <<>> test.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28409
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;test.example.com.              IN      A
>
> ;; ANSWER SECTION:
> TEST.EXAMPLE.COM.       5       IN      A       10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net.         900     IN      NS      LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net.         1       IN      SOA     DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600
>
> ;; Query time: 10 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:04:38 2019
> ;; MSG SIZE  rcvd: 162
>
> # dig cname.example.com.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.example.com.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54923
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.example.com.rpz1.m3047.net.      IN      A
>
> ;; ANSWER SECTION:
> CNAME.EXAMPLE.COM.rpz1.m3047.net. 600   IN      CNAME   TEST.EXAMPLE.COM.
> TEST.EXAMPLE.COM.       5       IN      A       10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net.         900     IN      NS      LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net.         1       IN      SOA     DEV.NULL. M3047.M3047.NET. 260 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:07:46 2019
> ;; MSG SIZE  rcvd: 224
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.example.com',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # net-dns.pl add rpz cname.test.m3047.net CNAME actual.test.m3047.net.
> # net-dns.pl add rpz actual.test.m3047.net A 10.10.10.10
>
> Note that *.m3047.net is wildcarded.
>
> # dig cname.test.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net.          IN      A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET.   5       IN      CNAME   ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET.  7200    IN      A       209.221.140.128
>
> ;; AUTHORITY SECTION:
> m3047.net.              7200    IN      NS      dns1.encirca.net.
> m3047.net.              7200    IN      NS      dns2.encirca.net.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net.         1       IN      SOA     DEV.NULL. M3047.M3047.NET. 262 600 60 86400 600
> dns1.encirca.net.       97039   IN      A       108.166.170.106
> dns2.encirca.net.       97039   IN      A       64.62.200.132
>
> ;; Query time: 178 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:25:08 2019
> ;; MSG SIZE  rcvd: 249
>
> Python 3.7.4 (v3.7.4:e09359112e, Jul  8 2019, 14:54:52)
> [Clang 6.0 (clang-600.0.57)] on darwin
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from socket import getaddrinfo
> >>> getaddrinfo('cname.test.m3047.net',80)
>
> [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_DGRAM: 2>, 17, '',
> ('10.10.10.10', 80)), (<AddressFamily.AF_INET: 2>,
> <SocketKind.SOCK_STREAM: 1>, 6, '', ('10.10.10.10', 80))]
>
> # dig cname.test.m3047.net.rpz1.m3047.net
>
> ; <<>> DiG 9.8.3-P1 <<>> cname.test.m3047.net.rpz1.m3047.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61953
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;cname.test.m3047.net.rpz1.m3047.net.   IN      A
>
> ;; ANSWER SECTION:
> CNAME.TEST.M3047.NET.rpz1.m3047.net. 600 IN     CNAME   ACTUAL.TEST.M3047.NET.
> ACTUAL.TEST.M3047.NET.  5       IN      A       10.10.10.10
>
> ;; AUTHORITY SECTION:
> rpz1.m3047.net.         900     IN      NS      LOCALHOST.
>
> ;; ADDITIONAL SECTION:
> rpz1.m3047.net.         1       IN      SOA     DEV.NULL. M3047.M3047.NET. 262 600 60 86400 600
>
> ;; Query time: 8 msec
> ;; SERVER: 10.0.0.220#53(10.0.0.220)
> ;; WHEN: Wed Oct 23 09:41:29 2019
> ;; MSG SIZE  rcvd: 235

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
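As an added example, not code from either message in this thread, here is a small Python check that automates the two things Fred did by hand. It flags CNAME targets written without the trailing dot and shows the name a zone loader actually stores under the "rpz" origin (the variant-1 pitfall), and it compares the A record in a dig ANSWER SECTION with the address the RPZ defines for that name, so a target that was resolved in the real world (66.96.162.92) instead of inside the policy zone (10.10.10.10) stands out. The zone text and dig sections are constructed from the ones Andrey posted; the parser is deliberately minimal (no $ORIGIN, no multi-line RDATA) and is not BIND's loader.

```python
"""Checks for the RPZ CNAME issue in this thread: a CNAME target written
without a trailing dot gets the zone origin appended, and a CNAME target
that is resolved in the real world instead of inside the policy zone.
Sample data is constructed from the posted zone and dig output."""
import re

RPZ_ORIGIN = "rpz."  # zone "rpz" from the named.conf in the thread

# Constructed: the posted rpz.zone with a relative CNAME target ...
ZONE_RELATIVE = """\
$TTL 1H
@   SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
    NS  LOCALHOST.
cname.domain.com  CNAME test.domain.com
test.domain.com   A     10.10.10.10
"""
# ... and with the trailing dot the thread settles on.
ZONE_ABSOLUTE = ZONE_RELATIVE.replace("CNAME test.domain.com\n", "CNAME test.domain.com.\n")

# Constructed: the two ANSWER SECTIONs posted, abridged to the relevant RRs.
DIG_REAL_WORLD = """\
;; ANSWER SECTION:
cname.domain.com.   5    IN  CNAME  test.domain.com.
test.domain.com.    599  IN  A      66.96.162.92

;; AUTHORITY SECTION:
.                   5211 IN  NS     c.root-servers.net.
"""
DIG_VIA_RPZ = """\
;; ANSWER SECTION:
cname.domain.com.rpz.  3600  IN  CNAME  test.domain.com.
test.domain.com.       5     IN  A      10.10.10.10
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "TXT", "MX"}
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")


def qualify(name, origin):
    """Fully qualified form a zone loader stores for `name` under `origin`."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser -> [(qualified owner, type, rdata tokens)].
    Handles $TTL, inherited owners (leading whitespace), optional TTL/class and
    single-line parenthesised RDATA. RDATA is kept as written so relative
    targets stay visible to the linter."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line or line.startswith("$"):          # blank line or directive
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if raw[0].isspace() else qualify(tokens.pop(0), origin)
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() == "IN"):
            tokens.pop(0)                              # optional TTL / class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype not in RR_TYPES:
            raise ValueError(f"unsupported RR type {rtype!r}: {raw}")
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def lint_cnames(records, origin):
    """Report CNAME targets that will silently land under the RPZ origin."""
    return [f"{owner} CNAME target {rdata[0]!r} is relative; "
            f"it will be stored as {qualify(rdata[0], origin)!r}"
            for owner, rtype, rdata in records
            if rtype == "CNAME" and not rdata[0].endswith(".")]


def parse_answer(dig_output):
    """Return [(name, type, rdata)] from the ANSWER SECTION of dig output."""
    rrs, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            break                                      # section ended
        elif in_answer:
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append((name.lower(), rtype.upper(), rdata.strip()))
    return rrs


def check_chain(records, origin, dig_output):
    """Classify each A record in the answer: 'from-rpz' if it matches the
    policy zone's A record for that name, 'escaped:<addr>' if the name is
    in the RPZ but the address came from elsewhere, else 'not-in-rpz'."""
    # RPZ owner "x.rpz." is the policy record for the real-world name "x."
    rpz_a = {owner[:-len(origin)].lower(): rdata[0]
             for owner, rtype, rdata in records
             if rtype == "A" and owner.endswith("." + origin)}
    verdict = []
    for name, rtype, rdata in parse_answer(dig_output):
        if rtype != "A":
            continue
        expected = rpz_a.get(name)
        status = ("not-in-rpz" if expected is None
                  else "from-rpz" if expected == rdata
                  else f"escaped:{rdata}")
        verdict.append((name, status))
    return verdict
```

Running `lint_cnames(parse_zone(ZONE_RELATIVE, RPZ_ORIGIN), RPZ_ORIGIN)` reports that the variant-1 target becomes `test.domain.com.rpz.`, while the variant-2 zone passes clean; `check_chain` marks Andrey's first answer (66.96.162.92) as escaped and the `.rpz`-suffixed answer (10.10.10.10) as served from the RPZ. Paste any other `dig` output into the second argument to check a different resolver the same way.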