When using unblock-lan-zones, you will more likely than not also need to
disable validation for these zones.  The attached patch adds a new
configuration option, insecure-lan-zones, which adds all AS112 zones to
the list of insecure domains.  Note that it moves the list of AS112
zones, which is currently hardcoded in services/localzone.c, into an
array in util/as112.c.

I hope I got the Makefile.in part right - it's pretty gross.  Why don't
you use automake?

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Index: Makefile.in
===================================================================
--- Makefile.in	(revision 3613)
+++ Makefile.in	(working copy)
@@ -96,7 +96,7 @@
 # libunbound_wrap.lo if python libunbound wrapper enabled.
 PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
-util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
+util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
 iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
@@ -114,7 +114,7 @@
 validator/val_secalgo.c validator/val_sigcrypt.c \
 validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
-msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
+as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
@@ -596,6 +596,7 @@
 	rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
 
 # Dependencies
+as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
@@ -703,7 +704,7 @@
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@@ -822,7 +823,7 @@
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir}/util/as112.h
 validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
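Review bot: The dependency added on the changed line of this hunk is spelled `$(srcdir}/util/as112.h`, with a closing brace where a parenthesis is needed, so make cannot expand it to the header path. It should read `$(srcdir)/util/as112.h`, like the other entries on that line. The rule this line belongs to starts above the hunk, so the target it affects is not visible here.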
Index: doc/example.conf.in
===================================================================
--- doc/example.conf.in	(revision 3613)
+++ doc/example.conf.in	(working copy)
@@ -517,7 +517,7 @@
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
-	# if unbound is running service for the local host then it is useful
+	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
 	# for a network of computers, disabled is better and stops information
@@ -524,6 +524,10 @@
 	# leakage of local lan information.
 	# unblock-lan-zones: no
 
+	# The insecure-lan-zones option disables validation for
+	# these zones, as if they were all listed as domain-insecure.
+	# insecure-lan-zones: no
+
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
Index: doc/unbound.conf.5.in
===================================================================
--- doc/unbound.conf.5.in	(revision 3613)
+++ doc/unbound.conf.5.in	(working copy)
@@ -857,6 +857,11 @@
 lookups should be filtered (RFC compliance), this also stops potential
 data leakage about the local network to the upstream DNS servers.
 .TP
+.B insecure\-lan\-zones: \fI<yesno>
+Default is disabled.  If enabled, then reverse lookups in private
+address space are not validated.  This is usually required whenever
+\fIunblock\-lan\-zones\fR is used.
+.TP
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,
Index: services/localzone.c
===================================================================
--- services/localzone.c	(revision 3613)
+++ services/localzone.c	(working copy)
@@ -51,6 +51,7 @@
 #include "util/netevent.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
+#include "util/as112.h"
 
 struct local_zones* 
 local_zones_create(void)
@@ -592,6 +593,7 @@
 lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 {
 	struct local_zone* z;
+	const char** zstr;
 
 	/* this list of zones is from RFC 6303 and RFC 7686 */
 
@@ -670,110 +672,14 @@
 		lock_rw_unlock(&z->lock);
 	}
 
-	/* if unblock lan-zones, then do not add the zones below.
-	 * we do add the zones above, about 127.0.0.1, because localhost is
-	 * not on the lan. */
-	if(cfg->unblock_lan_zones)
-		return 1;
-
-	/* block LAN level zones */
-	if (	!add_as112_default(zones, cfg, "10.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "18.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "19.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "20.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "21.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "22.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "23.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "24.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "25.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "26.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "27.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "28.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "29.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "30.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "31.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "168.192.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "0.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "64.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "65.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "66.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "67.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "68.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "69.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "70.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "71.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "72.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "73.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "74.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "75.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "76.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "77.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "78.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "79.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "80.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "81.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "82.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "83.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "84.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "85.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "86.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "87.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "88.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "89.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "90.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "91.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "92.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "93.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "94.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "95.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "96.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "97.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "98.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "99.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "100.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "101.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "102.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "103.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "104.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "105.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "106.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "107.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "108.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "109.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "110.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "111.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "112.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "113.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "114.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "115.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "116.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "117.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "118.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "119.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "120.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "121.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "122.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "123.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "124.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "125.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "126.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "127.100.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "254.169.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "2.0.192.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "100.51.198.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "113.0.203.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "255.255.255.255.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "d.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "8.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "9.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "a.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "b.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
-		log_err("out of memory adding default zone");
-		return 0;
+	/* block AS112 zones, unless asked not to */
+	if(!cfg->unblock_lan_zones) {
+		for(zstr = as112_zones; *zstr; zstr++) {
+			if(!add_as112_default(zones, cfg, *zstr)) {
+				log_err("out of memory adding default zone");
+				return 0;
+			}
+		}
 	}
 	return 1;
 }
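Review bot: The loop assigns `as112_zones`, declared `const char* const*` in util/as112.h, to `zstr`, which lz_enter_defaults declares as `const char** zstr;`. That drops a const qualifier and will at least draw a compiler diagnostic. The declaration should be `const char* const* zstr;`, and the same change is needed for `zstr` in anchors_apply_cfg in validator/val_anchor.c. The rewrite also drops the old remark that the 127.0.0.1 zones above are still added because localhost is not on the lan; that is worth keeping, e.g. `/* zones above (localhost) are always added; only the AS112 zones are optional */`.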
Index: util/as112.c
===================================================================
--- util/as112.c	(nonexistent)
+++ util/as112.c	(working copy)
@@ -0,0 +1,137 @@
+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "util/as112.h"
+
+static const char* as112_zone_array[] = {
+	"10.in-addr.arpa.",
+	"16.172.in-addr.arpa.",
+	"17.172.in-addr.arpa.",
+	"18.172.in-addr.arpa.",
+	"19.172.in-addr.arpa.",
+	"20.172.in-addr.arpa.",
+	"21.172.in-addr.arpa.",
+	"22.172.in-addr.arpa.",
+	"23.172.in-addr.arpa.",
+	"24.172.in-addr.arpa.",
+	"25.172.in-addr.arpa.",
+	"26.172.in-addr.arpa.",
+	"27.172.in-addr.arpa.",
+	"28.172.in-addr.arpa.",
+	"29.172.in-addr.arpa.",
+	"30.172.in-addr.arpa.",
+	"31.172.in-addr.arpa.",
+	"168.192.in-addr.arpa.",
+	"0.in-addr.arpa.",
+	"64.100.in-addr.arpa.",
+	"65.100.in-addr.arpa.",
+	"66.100.in-addr.arpa.",
+	"67.100.in-addr.arpa.",
+	"68.100.in-addr.arpa.",
+	"69.100.in-addr.arpa.",
+	"70.100.in-addr.arpa.",
+	"71.100.in-addr.arpa.",
+	"72.100.in-addr.arpa.",
+	"73.100.in-addr.arpa.",
+	"74.100.in-addr.arpa.",
+	"75.100.in-addr.arpa.",
+	"76.100.in-addr.arpa.",
+	"77.100.in-addr.arpa.",
+	"78.100.in-addr.arpa.",
+	"79.100.in-addr.arpa.",
+	"80.100.in-addr.arpa.",
+	"81.100.in-addr.arpa.",
+	"82.100.in-addr.arpa.",
+	"83.100.in-addr.arpa.",
+	"84.100.in-addr.arpa.",
+	"85.100.in-addr.arpa.",
+	"86.100.in-addr.arpa.",
+	"87.100.in-addr.arpa.",
+	"88.100.in-addr.arpa.",
+	"89.100.in-addr.arpa.",
+	"90.100.in-addr.arpa.",
+	"91.100.in-addr.arpa.",
+	"92.100.in-addr.arpa.",
+	"93.100.in-addr.arpa.",
+	"94.100.in-addr.arpa.",
+	"95.100.in-addr.arpa.",
+	"96.100.in-addr.arpa.",
+	"97.100.in-addr.arpa.",
+	"98.100.in-addr.arpa.",
+	"99.100.in-addr.arpa.",
+	"100.100.in-addr.arpa.",
+	"101.100.in-addr.arpa.",
+	"102.100.in-addr.arpa.",
+	"103.100.in-addr.arpa.",
+	"104.100.in-addr.arpa.",
+	"105.100.in-addr.arpa.",
+	"106.100.in-addr.arpa.",
+	"107.100.in-addr.arpa.",
+	"108.100.in-addr.arpa.",
+	"109.100.in-addr.arpa.",
+	"110.100.in-addr.arpa.",
+	"111.100.in-addr.arpa.",
+	"112.100.in-addr.arpa.",
+	"113.100.in-addr.arpa.",
+	"114.100.in-addr.arpa.",
+	"115.100.in-addr.arpa.",
+	"116.100.in-addr.arpa.",
+	"117.100.in-addr.arpa.",
+	"118.100.in-addr.arpa.",
+	"119.100.in-addr.arpa.",
+	"120.100.in-addr.arpa.",
+	"121.100.in-addr.arpa.",
+	"122.100.in-addr.arpa.",
+	"123.100.in-addr.arpa.",
+	"124.100.in-addr.arpa.",
+	"125.100.in-addr.arpa.",
+	"126.100.in-addr.arpa.",
+	"127.100.in-addr.arpa.",
+	"254.169.in-addr.arpa.",
+	"2.0.192.in-addr.arpa.",
+	"100.51.198.in-addr.arpa.",
+	"113.0.203.in-addr.arpa.",
+	"255.255.255.255.in-addr.arpa.",
+	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
+	"d.f.ip6.arpa.",
+	"8.e.f.ip6.arpa.",
+	"9.e.f.ip6.arpa.",
+	"a.e.f.ip6.arpa.",
+	"b.e.f.ip6.arpa.",
+	"8.b.d.0.1.0.0.2.ip6.arpa.",
+	0
+};
+
+const char* const* as112_zones = as112_zone_array;
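Review bot: `as112_zone_array` is declared `static const char* as112_zone_array[]`, so its pointer slots stay writable even though the exported `as112_zones` view is `const char* const*`. With the val_anchor.c change this table also selects the zones that skip validation, so it is worth making fully immutable: `static const char* const as112_zone_array[] = {`. The terminator would read better as `NULL` than `0`. The file comment ("list of local zones") could also say that the array is NULL-terminated and shared by the local-zone and validator code.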
Index: util/as112.h
===================================================================
--- util/as112.h	(nonexistent)
+++ util/as112.h	(working copy)
@@ -0,0 +1,41 @@
+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef UTIL_AS112_H
+#define UTIL_AS112_H
+
+extern const char* const* as112_zones;
+
+#endif
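Review bot: The header's file comment still reads `util/as112.c - list of local zones.`, copied from the source file; it should name `util/as112.h`. The `as112_zones` declaration also has no doc comment telling callers how to iterate it. Something like `/** NULL-terminated array of AS112 zone names, each fully qualified with a trailing dot */` above the `extern` line would state the contract both new loops rely on.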
Index: util/config_file.h
===================================================================
--- util/config_file.h	(revision 3613)
+++ util/config_file.h	(working copy)
@@ -289,8 +289,10 @@
 	struct config_strlist* local_zones_nodefault;
 	/** local data RRs configured */
 	struct config_strlist* local_data;
-	/** unblock lan zones (reverse lookups for 10/8 and so on) */
+	/** unblock lan zones (reverse lookups for AS112 zones) */
 	int unblock_lan_zones;
+	/** insecure lan zones (don't validate AS112 zones) */
+	int insecure_lan_zones;
 
 	/** remote control section. enable toggle. */
 	int remote_control_enable;
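Review bot: `insecure_lan_zones` is added to the struct here, but no hunk in this patch touches util/config_file.c. The field therefore gets no explicit default next to `unblock_lan_zones`, and it is presumably not reachable through whatever code reads and writes options by name. Because the flag switches off validation for a whole set of zones, it should be initialised explicitly, e.g. `cfg->insecure_lan_zones = 0;` where the other defaults are set. It should also be handled wherever `unblock-lan-zones` is, so the effective value can be inspected. config_file.c is not visible in this diff, so this needs confirming against that file.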
Index: util/configlexer.lex
===================================================================
--- util/configlexer.lex	(revision 3613)
+++ util/configlexer.lex	(working copy)
@@ -321,6 +321,7 @@
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
 unblock-lan-zones{COLON}	{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
+insecure-lan-zones{COLON}	{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
 statistics-interval{COLON}	{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
 statistics-cumulative{COLON}	{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 extended-statistics{COLON}	{ YDVAR(1, VAR_EXTENDED_STATISTICS) }
Index: util/configparser.y
===================================================================
--- util/configparser.y	(revision 3613)
+++ util/configparser.y	(working copy)
@@ -107,7 +107,8 @@
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
 %token VAR_INFRA_CACHE_MIN_RTT
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
@@ -182,7 +183,8 @@
 	server_log_queries | server_tcp_upstream | server_ssl_upstream |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-	server_so_reuseport | server_delay_close | server_unblock_lan_zones |
+	server_so_reuseport | server_delay_close |
+	server_unblock_lan_zones | server_insecure_lan_zones |
 	server_dns64_prefix | server_dns64_synthall |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
 	server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
@@ -742,6 +744,16 @@
 		free($2);
 	}
 	;
+server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
+	{
+		OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->insecure_lan_zones = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_rrset_cache_size:%s)\n", $2));
Index: validator/val_anchor.c
===================================================================
--- validator/val_anchor.c	(revision 3613)
+++ validator/val_anchor.c	(working copy)
@@ -48,6 +48,7 @@
 #include "util/log.h"
 #include "util/net_help.h"
 #include "util/config_file.h"
+#include "util/as112.h"
 #include "sldns/sbuffer.h"
 #include "sldns/rrdef.h"
 #include "sldns/str2wire.h"
@@ -1044,8 +1045,18 @@
 anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
 {
 	struct config_strlist* f;
+	const char** zstr;
 	char* nm;
 	sldns_buffer* parsebuf = sldns_buffer_new(65535);
+	if(cfg->insecure_lan_zones) {
+		for(zstr = as112_zones; *zstr; zstr++) {
+			if(!anchor_insert_insecure(anchors, *zstr)) {
+				log_err("error in insecure-lan-zones: %s", *zstr);
+				sldns_buffer_free(parsebuf);
+				return 0;
+			}
+		}
+	}
 	for(f = cfg->domain_insecure; f; f = f->next) {
 		if(!f->str || f->str[0] == 0) /* empty "" */
 			continue;
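Review bot: The new `if(cfg->insecure_lan_zones)` block has no comment stating its effect on validation. Every name in `as112_zones` is passed to `anchor_insert_insecure`, and this happens whether or not `unblock_lan_zones` is set. A short comment would make that explicit, e.g. `/* insecure-lan-zones: mark all AS112 zones as domain-insecure, answers under them are not validated */`. It would also help to note how this interacts with a trust anchor configured for one of these zones; that depends on `anchor_insert_insecure`, which is not visible here. The body of anchors_apply_cfg continues past the end of the hunk.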
