Changeset 888

Timestamp:

06/20/25 15:31:19 (10 days ago)

Author:

Kris Deugau

Message:

/trunk

Commit tweak to CNAME validator and tinydns export to support RPZ zones,
in production for a couple of months now

File:

• trunk/DNSDB.pm (modified) (2 diffs)

trunk/DNSDB.pm

@@ -778 +778 @@
     return ('FAIL', $errstr) if ! _check_hostname_form(${$args{host}}, ${$args{rectype}}, $args{defrec}, $args{revrec});
   } else {
-    # CNAME target check - IP addresses not allowed.  Must be a more or less well-formed hostname.
-    return ('FAIL', "CNAME records cannot point directly to an IP address")
-      if ${$args{val}} =~ /^(?:[\d.]+|[0-9a-fA-F:]+)$/;
-
-    # Make sure target is a well-formed hostname
-    return ('FAIL', $errstr) if ! _check_hostname_form(${$args{val}}, ${$args{rectype}}, $args{defrec}, $args{revrec});
-
-    # Forcibly append the domain name if the hostname being added does not end with the current domain name
-    my $pname = ($args{defrec} eq 'y' ? 'DOMAIN' : $self->domainName($args{id}));
-    ${$args{host}} =~ s/\.*$/\.$pname/ if ${$args{host}} !~ /$pname$/i;
-
-    # CNAMEs can not be used for parent nodes;  just leaf nodes with no other record types
-    # Enforce this for the zone name
-    return ('FAIL', "The bare zone name may not be a CNAME") if ${$args{host}} eq $pname || ${$args{host}} =~ /^\@/;
+    # a bit expensive to put this here, but we need some kind of cheap flag for an RPZ zone with different rules
+    my $zname = $self->domainName($args{id});
+    if ($zname =~ /\.rpz$/) {
+      # RPZ domains consist almost entirely of CNAME records, and have special rules for their syntax
+      # From the Unbound doc:  https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html
+      # Supposedly other overrides are also valid
+      return ('FAIL', "Unsupported RPZ override ${$args{val}}")
+        unless ${$args{val}} =~ /^(?:\.|\*\.|rpz-passthru\.|rpz-drop\.|rpz-tcp-only\.)$/;
+      # Append the RPZ name
+      my $pname = ($args{defrec} eq 'y' ? 'DOMAIN' : $self->domainName($args{id}));
+      ${$args{host}} =~ s/\.*$/\.$pname/ if ${$args{host}} !~ /$pname$/i;
+    } else {
+      # CNAME target check - IP addresses not allowed.  Must be a more or less well-formed hostname.
+      return ('FAIL', "CNAME records cannot point directly to an IP address")
+        if ${$args{val}} =~ /^(?:[\d.]+|[0-9a-fA-F:]+)$/;
+
+      # Make sure target is a well-formed hostname
+      return ('FAIL', $errstr) if ! _check_hostname_form(${$args{val}}, ${$args{rectype}}, $args{defrec}, $args{revrec});
+
+      # Forcibly append the domain name if the hostname being added does not end with the current domain name
+      my $pname = ($args{defrec} eq 'y' ? 'DOMAIN' : $zname);
+      ${$args{host}} =~ s/\.*$/\.$pname/ if ${$args{host}} !~ /$pname$/i;
+
+      # CNAMEs can not be used for parent nodes;  just leaf nodes with no other record types
+      # Enforce this for the zone name
+      return ('FAIL', "The bare zone name may not be a CNAME") if ${$args{host}} eq $pname || ${$args{host}} =~ /^\@/;
 
 ##enhance:  Look up the passed value to see if it exists.  Ooo, fancy.
-    return ('FAIL', $errstr) if ! _check_hostname_form(${$args{val}}, ${$args{rectype}}, $args{defrec}, $args{revrec});
-  }
+      return ('FAIL', $errstr) if ! _check_hostname_form(${$args{val}}, ${$args{rectype}}, $args{defrec}, $args{revrec});
+    } # $zname !~ .rpz
+  } # revzone eq 'n'
 
   return ('OK','OK');
@@ -6962 +6975 @@
   elsif ($typemap{$type} eq 'CNAME') {
     ($host,$val) = __revswap($host,$val) if $revrec eq 'y';
+    if ($zone =~ /\.rpz$/) {
+      $val = '..' if $val eq '.';
+    }
     print $datafile "C$host:$val:$ttl:$stamp:$loc\n" or die $!;
   } # CNAME