Apply upstream r3619, r3620, r3621: add insecure-lan-zone option

Makefile.in

@@ -95,7 +95,7 @@ PYUNBOUND_SRC=
 # libunbound_wrap.lo if python libunbound wrapper enabled.
 PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
-util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
+util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
 iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
@@ -113,7 +113,7 @@ validator/val_neg.c validator/val_nsec3.c validator/val_nsec.c \
 validator/val_secalgo.c validator/val_sigcrypt.c \
 validator/val_utils.c dns64/dns64.c $(CHECKLOCK_SRC) $(DNSTAP_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
-msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
+as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
@@ -595,6 +595,7 @@ depend:
 	rm -f $(DEPEND_TMP) $(DEPEND_TMP2)
 
 # Dependencies
+as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
@@ -702,7 +703,7 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@@ -821,7 +822,7 @@ val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/as112.h
 validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \

doc/example.conf.in

@@ -508,13 +508,17 @@ server:
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
-	# if unbound is running service for the local host then it is useful
+	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
 	# for a network of computers, disabled is better and stops information
 	# leakage of local lan information.
 	# unblock-lan-zones: no
 
+	# The insecure-lan-zones option disables validation for
+	# these zones, as if they were all listed as domain-insecure.
+	# insecure-lan-zones: no
+
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"

doc/unbound.conf.5.in

@@ -841,6 +841,11 @@ as a (DHCP-) DNS network resolver for a group of machines, where such
 lookups should be filtered (RFC compliance), this also stops potential
 data leakage about the local network to the upstream DNS servers.
 .TP
+.B insecure\-lan\-zones: \fI<yesno>
+Default is disabled.  If enabled, then reverse lookups in private
+address space are not validated.  This is usually required whenever
+\fIunblock\-lan\-zones\fR is used.
+.TP
 .B local\-zone: \fI<zone> <type>
 Configure a local zone. The type determines the answer to give if
 there is no match from local\-data. The types are deny, refuse, static,

services/localzone.c

@@ -51,6 +51,7 @@
 #include "util/netevent.h"
 #include "util/data/msgreply.h"
 #include "util/data/msgparse.h"
+#include "util/as112.h"
 
 struct local_zones* 
 local_zones_create(void)
@@ -592,6 +593,7 @@ static int
 lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 {
 	struct local_zone* z;
+	const char** zstr;
 
 	/* this list of zones is from RFC 6303 */
 
@@ -654,110 +656,14 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 		lock_rw_unlock(&z->lock);
 	}
 
-	/* if unblock lan-zones, then do not add the zones below.
-	 * we do add the zones above, about 127.0.0.1, because localhost is
-	 * not on the lan. */
-	if(cfg->unblock_lan_zones)
-		return 1;
-
-	/* block LAN level zones */
-	if (	!add_as112_default(zones, cfg, "10.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "16.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "17.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "18.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "19.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "20.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "21.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "22.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "23.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "24.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "25.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "26.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "27.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "28.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "29.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "30.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "31.172.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "168.192.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "0.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "64.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "65.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "66.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "67.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "68.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "69.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "70.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "71.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "72.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "73.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "74.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "75.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "76.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "77.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "78.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "79.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "80.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "81.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "82.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "83.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "84.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "85.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "86.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "87.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "88.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "89.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "90.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "91.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "92.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "93.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "94.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "95.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "96.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "97.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "98.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "99.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "100.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "101.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "102.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "103.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "104.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "105.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "106.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "107.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "108.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "109.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "110.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "111.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "112.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "113.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "114.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "115.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "116.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "117.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "118.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "119.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "120.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "121.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "122.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "123.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "124.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "125.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "126.100.in-addr.arpa.") ||
-      		!add_as112_default(zones, cfg, "127.100.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "254.169.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "2.0.192.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "100.51.198.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "113.0.203.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "255.255.255.255.in-addr.arpa.") ||
-		!add_as112_default(zones, cfg, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "d.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "8.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "9.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "a.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "b.e.f.ip6.arpa.") ||
-		!add_as112_default(zones, cfg, "8.b.d.0.1.0.0.2.ip6.arpa.")) {
-		log_err("out of memory adding default zone");
-		return 0;
+	/* block AS112 zones, unless asked not to */
+	if(!cfg->unblock_lan_zones) {
+		for(zstr = as112_zones; *zstr; zstr++) {
+			if(!add_as112_default(zones, cfg, *zstr)) {
+				log_err("out of memory adding default zone");
+				return 0;
+			}
+		}
 	}
 	return 1;
 }

util/as112.c

+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file provides a list of lan zones.
+ */
+
+#include "util/as112.h"
+
+static const char* as112_zone_array[] = {
+	"10.in-addr.arpa.",
+	"16.172.in-addr.arpa.",
+	"17.172.in-addr.arpa.",
+	"18.172.in-addr.arpa.",
+	"19.172.in-addr.arpa.",
+	"20.172.in-addr.arpa.",
+	"21.172.in-addr.arpa.",
+	"22.172.in-addr.arpa.",
+	"23.172.in-addr.arpa.",
+	"24.172.in-addr.arpa.",
+	"25.172.in-addr.arpa.",
+	"26.172.in-addr.arpa.",
+	"27.172.in-addr.arpa.",
+	"28.172.in-addr.arpa.",
+	"29.172.in-addr.arpa.",
+	"30.172.in-addr.arpa.",
+	"31.172.in-addr.arpa.",
+	"168.192.in-addr.arpa.",
+	"0.in-addr.arpa.",
+	"64.100.in-addr.arpa.",
+	"65.100.in-addr.arpa.",
+	"66.100.in-addr.arpa.",
+	"67.100.in-addr.arpa.",
+	"68.100.in-addr.arpa.",
+	"69.100.in-addr.arpa.",
+	"70.100.in-addr.arpa.",
+	"71.100.in-addr.arpa.",
+	"72.100.in-addr.arpa.",
+	"73.100.in-addr.arpa.",
+	"74.100.in-addr.arpa.",
+	"75.100.in-addr.arpa.",
+	"76.100.in-addr.arpa.",
+	"77.100.in-addr.arpa.",
+	"78.100.in-addr.arpa.",
+	"79.100.in-addr.arpa.",
+	"80.100.in-addr.arpa.",
+	"81.100.in-addr.arpa.",
+	"82.100.in-addr.arpa.",
+	"83.100.in-addr.arpa.",
+	"84.100.in-addr.arpa.",
+	"85.100.in-addr.arpa.",
+	"86.100.in-addr.arpa.",
+	"87.100.in-addr.arpa.",
+	"88.100.in-addr.arpa.",
+	"89.100.in-addr.arpa.",
+	"90.100.in-addr.arpa.",
+	"91.100.in-addr.arpa.",
+	"92.100.in-addr.arpa.",
+	"93.100.in-addr.arpa.",
+	"94.100.in-addr.arpa.",
+	"95.100.in-addr.arpa.",
+	"96.100.in-addr.arpa.",
+	"97.100.in-addr.arpa.",
+	"98.100.in-addr.arpa.",
+	"99.100.in-addr.arpa.",
+	"100.100.in-addr.arpa.",
+	"101.100.in-addr.arpa.",
+	"102.100.in-addr.arpa.",
+	"103.100.in-addr.arpa.",
+	"104.100.in-addr.arpa.",
+	"105.100.in-addr.arpa.",
+	"106.100.in-addr.arpa.",
+	"107.100.in-addr.arpa.",
+	"108.100.in-addr.arpa.",
+	"109.100.in-addr.arpa.",
+	"110.100.in-addr.arpa.",
+	"111.100.in-addr.arpa.",
+	"112.100.in-addr.arpa.",
+	"113.100.in-addr.arpa.",
+	"114.100.in-addr.arpa.",
+	"115.100.in-addr.arpa.",
+	"116.100.in-addr.arpa.",
+	"117.100.in-addr.arpa.",
+	"118.100.in-addr.arpa.",
+	"119.100.in-addr.arpa.",
+	"120.100.in-addr.arpa.",
+	"121.100.in-addr.arpa.",
+	"122.100.in-addr.arpa.",
+	"123.100.in-addr.arpa.",
+	"124.100.in-addr.arpa.",
+	"125.100.in-addr.arpa.",
+	"126.100.in-addr.arpa.",
+	"127.100.in-addr.arpa.",
+	"254.169.in-addr.arpa.",
+	"2.0.192.in-addr.arpa.",
+	"100.51.198.in-addr.arpa.",
+	"113.0.203.in-addr.arpa.",
+	"255.255.255.255.in-addr.arpa.",
+	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
+	"d.f.ip6.arpa.",
+	"8.e.f.ip6.arpa.",
+	"9.e.f.ip6.arpa.",
+	"a.e.f.ip6.arpa.",
+	"b.e.f.ip6.arpa.",
+	"8.b.d.0.1.0.0.2.ip6.arpa.",
+	0
+};
+
+const char** as112_zones = as112_zone_array;

util/as112.h

+/*
+ * util/as112.c - list of local zones.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file provides a list of lan zones
+ */
+
+#ifndef UTIL_AS112_H
+#define UTIL_AS112_H
+
+/** 
+ * Array of text-format domain names of the AS112 zones.
+ * The array ends with NULL.  "AS112" is a service on the internet that
+ * that this array is named after.  The names in this list (or some of them)
+ * are null-routed by this service to avoid load on central servers caused by
+ * mistaken lookups for local content on the global internet.
+ *
+ * This is the list of names that unbound should not normally be sending
+ * on towards the internet, because they are local-use.
+ */
+extern const char** as112_zones;
+
+#endif

util/config_file.c

@@ -210,6 +210,7 @@ config_create(void)
 	cfg->local_zones_nodefault = NULL;
 	cfg->local_data = NULL;
 	cfg->unblock_lan_zones = 0;
+	cfg->insecure_lan_zones = 0;
 	cfg->python_script = NULL;
 	cfg->remote_control_enable = 0;
 	cfg->control_ifs = NULL;
@@ -458,6 +459,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("rrset-roundrobin:", rrset_roundrobin)
 	else S_STRLIST("local-data:", local_data)
 	else S_YNO("unblock-lan-zones:", unblock_lan_zones)
+	else S_YNO("insecure-lan-zones:", insecure_lan_zones)
 	else S_YNO("control-enable:", remote_control_enable)
 	else S_STRLIST("control-interface:", control_ifs)
 	else S_NUMBER_NONZERO("control-port:", control_port)
@@ -739,6 +741,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "minimal-responses", minimal_responses)
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
 	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
+	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
 	else O_DEC(opt, "max-udp-size", max_udp_size)
 	else O_STR(opt, "python-script", python_script)
 	else O_DEC(opt, "ratelimit", ratelimit)

util/config_file.h

@@ -285,8 +285,10 @@ struct config_file {
 	struct config_strlist* local_zones_nodefault;
 	/** local data RRs configured */
 	struct config_strlist* local_data;
-	/** unblock lan zones (reverse lookups for 10/8 and so on) */
+	/** unblock lan zones (reverse lookups for AS112 zones) */
 	int unblock_lan_zones;
+	/** insecure lan zones (don't validate AS112 zones) */
+	int insecure_lan_zones;
 
 	/** remote control section. enable toggle. */
 	int remote_control_enable;

util/configlexer.lex

@@ -319,6 +319,7 @@ local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
 local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
 local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
 unblock-lan-zones{COLON}	{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
+insecure-lan-zones{COLON}	{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
 statistics-interval{COLON}	{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
 statistics-cumulative{COLON}	{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 extended-statistics{COLON}	{ YDVAR(1, VAR_EXTENDED_STATISTICS) }

util/configparser.y

@@ -106,7 +106,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UNBLOCK_LAN_ZONES
+%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
+%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
 %token VAR_INFRA_CACHE_MIN_RTT
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
@@ -180,7 +181,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_log_queries | server_tcp_upstream | server_ssl_upstream |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
-	server_so_reuseport | server_delay_close | server_unblock_lan_zones |
+	server_so_reuseport | server_delay_close |
+	server_unblock_lan_zones | server_insecure_lan_zones |
 	server_dns64_prefix | server_dns64_synthall |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
 	server_ip_transparent | server_ratelimit | server_ratelimit_slabs |
@@ -722,6 +724,16 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
 		free($2);
 	}
 	;
+server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
+	{
+		OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->insecure_lan_zones = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_rrset_cache_size:%s)\n", $2));

validator/val_anchor.c

@@ -48,6 +48,7 @@
 #include "util/log.h"
 #include "util/net_help.h"
 #include "util/config_file.h"
+#include "util/as112.h"
 #include "sldns/sbuffer.h"
 #include "sldns/rrdef.h"
 #include "sldns/str2wire.h"
@@ -1044,8 +1045,18 @@ int
 anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
 {
 	struct config_strlist* f;
+	const char** zstr;
 	char* nm;
 	sldns_buffer* parsebuf = sldns_buffer_new(65535);
+	if(cfg->insecure_lan_zones) {
+		for(zstr = as112_zones; *zstr; zstr++) {
+			if(!anchor_insert_insecure(anchors, *zstr)) {
+				log_err("error in insecure-lan-zones: %s", *zstr);
+				sldns_buffer_free(parsebuf);
+				return 0;
+			}
+		}
+	}
 	for(f = cfg->domain_insecure; f; f = f->next) {
 		if(!f->str || f->str[0] == 0) /* empty "" */
 			continue;