Merge pull request #1400 from c-po/t4509-pdns-6to4-equuleus

dns: T4509: Add dns64-prefix option (equuleus)

4 files changed, 55 insertions, 13 deletions

diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl
index be0778993..294b228d2 100644
--- a/data/templates/dns-forwarding/recursor.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.tmpl
@@ -28,6 +28,11 @@ local-address={{ listen_address | join(',') }}
 # dnssec
 dnssec={{ dnssec }}
 
+{% if dns64_prefix is defined %}
+# dns64-prefix
+dns64-prefix={{ dns64_prefix }}
+{% endif %}
+
 {# dns: T3277: #}
 {% if no_serve_rfc1918 is defined %}
 # serve-rfc1918
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in
index 5b0c87597..5a824973a 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/dns-forwarding.xml.in
@@ -36,6 +36,18 @@
                   <multi/>
                 </properties>
               </leafNode>
+              <leafNode name="dns64-prefix">
+                <properties>
+                  <help>Help to communicate between IPv6-only client and IPv4-only server</help>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address and /96 only prefix length</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv6-prefix"/>
+                  </constraint>
+                </properties>
+              </leafNode>
               <leafNode name="dnssec">
                 <properties>
                   <help>DNSSEC mode (default: process-no-validate)</help>
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 44e27828d..ccbdd16ba 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -39,7 +39,18 @@ def get_config_value(key, file=CONFIG_FILE):
     return tmp[0]
 
 class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestServicePowerDNS, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
     def tearDown(self):
+        # Check for running process
+        self.assertTrue(process_named_running(PROCESS_NAME))
+
         # Delete DNS forwarding configuration
         self.cli_delete(base_path)
         self.cli_commit()
@@ -93,9 +104,6 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'no')
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
-
     def test_dnssec(self):
         # DNSSEC option testing
 
@@ -114,9 +122,6 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
             tmp = get_config_value('dnssec')
             self.assertEqual(tmp, option)
 
-            # Check for running process
-            self.assertTrue(process_named_running(PROCESS_NAME))
-
     def test_external_nameserver(self):
         # Externe Domain Name Servers (DNS) addresses
 
@@ -140,9 +145,6 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'yes')
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
-
     def test_domain_forwarding(self):
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
@@ -179,9 +181,26 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
             if domain == domains[1]:
                 self.assertIn(f'addNTA("{domain}", "static")', hosts_conf)
 
-        # Check for running process
-        self.assertTrue(process_named_running(PROCESS_NAME))
+    def test_dns64(self):
+        dns_prefix = '64:ff9b::/96'
+
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
+        # Check dns64-prefix - must be prefix /96
+        self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64'])
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(base_path + ['dns64-prefix', dns_prefix])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify dns64-prefix configuration
+        tmp = get_config_value('dns64-prefix')
+        self.assertEqual(tmp, dns_prefix)
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index bc3821f61..3f3a2e232 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -83,6 +83,12 @@ def verify(dns):
             if 'server' not in dns['domain'][domain]:
                 raise ConfigError(f'No server configured for domain {domain}!')
 
+    if 'dns64_prefix' in dns:
+        dns_prefix = dns['dns64_prefix'].split('/')[1]
+        # RFC 6147 requires prefix /96
+        if int(dns_prefix) != 96:
+            raise ConfigError('DNS 6to4 prefix must be of length /96')
+
     if 'system' in dns:
         if not 'system_name_server' in dns:
             print('Warning: No "system name-server" configured')