check that bits 64..71 in a dns64 prefix are zero

2025-08-30 22:15:20 +00:00 · 2019-07-24 04:53:13 +10:00
parent 06d8b1071d
commit a7ec7eb6ed
12 changed files with 40 additions and 1 deletions
--- a/bin/tests/system/dns64/conf/bad10.conf
+++ b/bin/tests/system/dns64/conf/bad10.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0100:000f::/96 { };  /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad11.conf
+++ b/bin/tests/system/dns64/conf/bad11.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad12.conf
+++ b/bin/tests/system/dns64/conf/bad12.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad13.conf
+++ b/bin/tests/system/dns64/conf/bad13.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad14.conf
+++ b/bin/tests/system/dns64/conf/bad14.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad15.conf
+++ b/bin/tests/system/dns64/conf/bad15.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad16.conf
+++ b/bin/tests/system/dns64/conf/bad16.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad17.conf
+++ b/bin/tests/system/dns64/conf/bad17.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad18.conf
+++ b/bin/tests/system/dns64/conf/bad18.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
--- a/bin/tests/system/dns64/conf/bad19.conf
+++ b/bin/tests/system/dns64/conf/bad19.conf
@@ -0,0 +1,3 @@
+options {
+	dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5148,7 +5148,9 @@ options {
 	      </para>
 	      <para>
 		Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-		64 and 96 as per RFC 6052.
+		64 and 96 as per RFC 6052.  Bits 64..71 inclusive must
+		be zero with the most significate bit of the prefix in
+		position 0.
 	      </para>
 	      <para>
 		Additionally a reverse IP6.ARPA zone will be created for
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -526,6 +526,13 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 			continue;
 		}

+		if (na.type.in6.s6_addr[8] != 0) {
+			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+				 "invalid prefix, bits [64..71] must be zero");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
 		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
 		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
 			cfg_obj_log(map, logctx, ISC_LOG_ERROR,