mock recursive dns via RPZ

alexzorin · alexzorin · commit 3146ea8513f7 · 2020-11-13T20:42:59.000+11:00
diff --git a/certbot-ci/certbot_integration_tests/assets/bind-config/conf/named.conf b/certbot-ci/certbot_integration_tests/assets/bind-config/conf/named.conf
@@ -5,28 +5,40 @@ options {
   listen-on { any; };
   listen-on-v6 { any; };
 
-  // Not allowing recursion to prevent query leaks to the internet.
-  // This should be okay for Pebble because it only makes queries to the authoritative
-  // zone, but perhaps not for Boulder which will do e.g. CAA tree climbing.
-  // In the latter case, we might need to write an RPZ to do some local responses.
-  allow-recursion {
-    none;
-  };
-
-  allow-transfer {
-    none;
-  };
-
-  allow-update {
-    none;
-  };
+  // We are allowing BIND to service recursive queries, but only in an extremely limimited sense
+  // where it is entirely disconnected from public DNS:
+  // - Iterative queries are disabled. Only forwarding to a non-existent forwarder.
+  // - The only recursive answers we can get (that will not be a SERVFAIL) will come from the
+  //   RPZ "mock-recursion" zone. Effectively this means we are mocking out the entirety of
+  //   public DNS.
+  allow-recursion { any; };       // BIND will only answer using RPZ if recursion is enabled
+  forwarders { 192.0.2.254; };    // Nobody is listening, this is TEST-NET-1
+  forward only;                   // Do NOT perform iterative queries from the root zone
+  dnssec-validation no;           // Do not bother fetching the root DNSKEY set (performance)
+  response-policy {               // All recursive queries will be served from here.
+    zone "mock-recursion"
+    log yes;
+  } recursive-only no             // Allow RPZs to affect authoritative zones too.
+    qname-wait-recurse no         // No real recursion.
+    nsip-wait-recurse no;         // No real recursion.
+
+  allow-transfer { none; };
+  allow-update { none; };
 };
 
 key "default-key." {
   algorithm hmac-sha512;
   secret "91CgOwzihr0nAVEHKFXJPQCbuBBbBI19Ks5VAweUXgbF40NWTD83naeg3c5y2MPdEiFRXnRLJxL6M+AfHCGLNw==";
 };
 
+zone "mock-recursion" {
+  type primary;
+  file "/var/lib/bind/rpz.mock-recursion";
+  allow-query {
+    none;
+  };
+};
+
 zone "example.com." {
   type primary;
   file "/var/lib/bind/db.example.com";
diff --git a/certbot-ci/certbot_integration_tests/assets/bind-config/zones/rpz.mock-recursion b/certbot-ci/certbot_integration_tests/assets/bind-config/zones/rpz.mock-recursion
@@ -0,0 +1,6 @@
+$TTL 3600
+
+@        SOA ns1.example.test. dummy.example.test. 1 12h 15m 3w 2h
+         NS  ns1.example.test.
+
+_acme-challenge.aliased.example   IN     CNAME   _acme-challenge.example.com.
