From a7ec7eb6edaa71c3cc141879ce23c5369bbabf87 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 24 Jul 2019 04:53:13 +1000
Subject: [PATCH 1/2] check that bits 64..71 in a dns64 prefix are zero
---
bin/tests/system/dns64/conf/bad10.conf | 3 +++
bin/tests/system/dns64/conf/bad11.conf | 3 +++
bin/tests/system/dns64/conf/bad12.conf | 3 +++
bin/tests/system/dns64/conf/bad13.conf | 3 +++
bin/tests/system/dns64/conf/bad14.conf | 3 +++
bin/tests/system/dns64/conf/bad15.conf | 3 +++
bin/tests/system/dns64/conf/bad16.conf | 3 +++
bin/tests/system/dns64/conf/bad17.conf | 3 +++
bin/tests/system/dns64/conf/bad18.conf | 3 +++
bin/tests/system/dns64/conf/bad19.conf | 3 +++
doc/arm/Bv9ARM-book.xml | 4 +++-
lib/bind9/check.c | 7 +++++++
12 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 bin/tests/system/dns64/conf/bad10.conf
create mode 100644 bin/tests/system/dns64/conf/bad11.conf
create mode 100644 bin/tests/system/dns64/conf/bad12.conf
create mode 100644 bin/tests/system/dns64/conf/bad13.conf
create mode 100644 bin/tests/system/dns64/conf/bad14.conf
create mode 100644 bin/tests/system/dns64/conf/bad15.conf
create mode 100644 bin/tests/system/dns64/conf/bad16.conf
create mode 100644 bin/tests/system/dns64/conf/bad17.conf
create mode 100644 bin/tests/system/dns64/conf/bad18.conf
create mode 100644 bin/tests/system/dns64/conf/bad19.conf
diff --git a/bin/tests/system/dns64/conf/bad10.conf b/bin/tests/system/dns64/conf/bad10.conf
new file mode 100644
index 0000000000..efd5d20ae3
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad10.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0100:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad11.conf b/bin/tests/system/dns64/conf/bad11.conf
new file mode 100644
index 0000000000..0e420a5322
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad11.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad12.conf b/bin/tests/system/dns64/conf/bad12.conf
new file mode 100644
index 0000000000..539b184c54
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad12.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad13.conf b/bin/tests/system/dns64/conf/bad13.conf
new file mode 100644
index 0000000000..3728ecfc70
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad13.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad14.conf b/bin/tests/system/dns64/conf/bad14.conf
new file mode 100644
index 0000000000..c2ac4f9d98
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad14.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad15.conf b/bin/tests/system/dns64/conf/bad15.conf
new file mode 100644
index 0000000000..357ae80684
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad15.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad16.conf b/bin/tests/system/dns64/conf/bad16.conf
new file mode 100644
index 0000000000..5e17457f16
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad16.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad17.conf b/bin/tests/system/dns64/conf/bad17.conf
new file mode 100644
index 0000000000..71966d2758
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad17.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf
new file mode 100644
index 0000000000..82fac1ad4e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad18.conf @@ -0,0 +1,3 @@ +options { + dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */ +}; diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf new file mode 100644 index 0000000000..79290c116d --- /dev/null +++ b/bin/tests/system/dns64/conf/bad19.conf @@ -0,0 +1,3 @@ +options { + dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */ +}; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 706fab661a..09dca7f4c1 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5148,7 +5148,9 @@ options { Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, - 64 and 96 as per RFC 6052. + 64 and 96 as per RFC 6052. Bits 64..71 inclusive must + be zero with the most significate bit of the prefix in + position 0. Additionally a reverse IP6.ARPA zone will be created for diff --git a/lib/bind9/check.c b/lib/bind9/check.c index cae5b9ceb1..976235626a 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -526,6 +526,13 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions, continue; } + if (na.type.in6.s6_addr[8] != 0) { + cfg_obj_log(map, logctx, ISC_LOG_ERROR, + "invalid prefix, bits [64..71] must be zero"); + result = ISC_R_FAILURE; + continue; + } + if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 && prefixlen != 56 && prefixlen != 64 && prefixlen != 96) { cfg_obj_log(map, logctx, ISC_LOG_ERROR, From d95ae93dd38212ecc6aedad106109e3875d9b7b1 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 31 Jul 2019 17:08:55 +1000 Subject: [PATCH 2/2] add CHANGES --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index a52396e271..c90484780a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5273. [bug] Check that bits [64..71] of a dns64 prefix are zero. + [GL #1159] + 5272. [cleanup] Remove isc-config.sh script as the BIND 9 libraries are now purely internal. [GL #1123]
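Review bot: In the lib/bind9/check.c hunk the added test reads only `na.type.in6.s6_addr[8]`, the prefix, so it cannot be what rejects bad18.conf and bad19.conf, whose prefix is `::/32` and whose non-zero octet 8 sits in `suffix`. Those two fixtures presumably fail on suffix validation elsewhere in check_dns64(), which starts and ends outside this hunk; it is worth confirming that and labelling them accordingly, for example `/* suffix bits [64..71] MBZ */`, so a later change to the suffix path does not silently remove the coverage. A short comment above the new `if` would also help the next reader, such as `/* RFC 6052: octet 8 (bits 64..71) of the prefix is reserved and must be zero. */`.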