resolved: register ipv4only.arpa are private domain

From RFC 8880: Because the 'ipv4only.arpa' zone has to be an insecure delegation, DNSSEC cannot be used to protect these answers from tampering by malicious devices on the path. Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to give DNS64/NAT64 gateways the freedom to synthesize answers to those queries at will, without the answers being rejected by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow this specification MUST NOT attempt to validate answers received in response to queries for the IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name 'ipv4only.arpa' has no use outside of being used for this special DNS pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC security for that name is not a problem. See: https://datatracker.ietf.org/doc/html/rfc8880#name-security-considerations
2024-09-16 06:43:18 +00:00 · 2023-09-27 19:39:52 +01:00 · 2023-09-27 19:39:52 +01:00 · 7406ebd5b6
parent 081c50ed3c
commit 7406ebd5b6
1 changed files with 9 additions and 1 deletions
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@ -163,7 +163,15 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) {
                "private\0"

                /* Defined by RFC 8375. The most official choice. */
-                "home.arpa\0";
+                "home.arpa\0"
+
+                /* RFC 8880 says because the 'ipv4only.arpa' zone has to
+                 * be an insecure delegation, DNSSEC cannot be used to
+                 * protect these answers from tampering by malicious
+                 * devices on the path */
+                "ipv4only.arpa\0"
+                "170.0.0.192.in-addr.arpa\0"
+                "171.0.0.192.in-addr.arpa\0";

        int r;