From 1577dc53f144d8a7c4438ca98a574102bea14c6b Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Mon, 4 Jul 2022 18:16:06 +0000
Subject: dns: T4509: Add dns64-prefix option

rfc6147: DNS Extensions for Network Address Translation
         from IPv6 Clients to IPv4 Servers

set service dns forwarding dns64-prefix 2001:db8:aabb::/96

(cherry picked from commit 2bdf4798570222b57af2de2f0b443529abdc3feb)
---
 data/templates/dns-forwarding/recursor.conf.tmpl     |  5 +++++
 interface-definitions/dns-forwarding.xml.in          | 12 ++++++++++++
 smoketest/scripts/cli/test_service_dns_forwarding.py | 11 +++++++++++
 src/conf_mode/dns_forwarding.py                      |  6 ++++++
 4 files changed, 34 insertions(+)

diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl
index be0778993..294b228d2 100644
--- a/data/templates/dns-forwarding/recursor.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.tmpl
@@ -28,6 +28,11 @@ local-address={{ listen_address | join(',') }}
 # dnssec
 dnssec={{ dnssec }}
 
+{% if dns64_prefix is defined %}
+# dns64-prefix
+dns64-prefix={{ dns64_prefix }}
+{% endif %}
+
 {# dns: T3277: #}
 {% if no_serve_rfc1918 is defined %}
 # serve-rfc1918
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in
index 5b0c87597..5a824973a 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/dns-forwarding.xml.in
@@ -36,6 +36,18 @@
                   <multi/>
                 </properties>
               </leafNode>
+              <leafNode name="dns64-prefix">
+                <properties>
+                  <help>Help to communicate between IPv6-only client and IPv4-only server</help>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address and /96 only prefix length</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ipv6-prefix"/>
+                  </constraint>
+                </properties>
+              </leafNode>
               <leafNode name="dnssec">
                 <properties>
                   <help>DNSSEC mode (default: process-no-validate)</help>
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 44e27828d..c7e21320b 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -48,6 +48,7 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         # Check basic DNS forwarding settings
         cache_size = '20'
         negative_ttl = '120'
+        dns_prefix = '64:ff9b::/96'
 
         self.cli_set(base_path + ['cache-size', cache_size])
         self.cli_set(base_path + ['negative-ttl', negative_ttl])
@@ -64,6 +65,12 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
+        # Check dns64-prefix - must be prefix /96
+        self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64'])
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_set(base_path + ['dns64-prefix', dns_prefix])
+
         # configure DNSSEC
         self.cli_set(base_path + ['dnssec', 'validate'])
 
@@ -93,6 +100,10 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'no')
 
+        # dns64-prefix
+        tmp = get_config_value('dns64-prefix')
+        self.assertEqual(tmp, dns_prefix)
+
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index bc3821f61..997f839b2 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -83,6 +83,12 @@ def verify(dns):
             if 'server' not in dns['domain'][domain]:
                 raise ConfigError(f'No server configured for domain {domain}!')
 
+    if 'dns64_prefix' in dns:
+        dns_prefix = dns['dns64_prefix'].split('/')[1]
+        # RFC 6147 requires prefix /96
+        if int(dns_prefix) != 96:
+            raise ConfigError('DNS forwarding "dns64-prefix" must be /96')
+
     if 'system' in dns:
         if not 'system_name_server' in dns:
             print('Warning: No "system name-server" configured')
-- 
cgit v1.2.3