check that bits 64..71 in a dns64 prefix are zero

(cherry picked from commit a7ec7eb6ed)

bin/tests/system/dns64/clean.sh

@@ -9,12 +9,13 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f ns*/named.conf
-rm -f ns1/K*
-rm -f ns1/signed.db*
-rm -f ns1/dsset-signed.
 rm -f */named.memstats
 rm -f */named.run
+rm -f checkconf.out*
 rm -f dig.out.*
-rm -f ns*/named.lock
 rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns1/K*
+rm -f ns1/dsset-signed.
+rm -f ns1/signed.db*

bin/tests/system/dns64/conf/bad18.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/bad19.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn1.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0100:000f::/96 { };  /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn2.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn3.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn4.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn5.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn6.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn7.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/conf/warn8.conf

@@ -0,0 +1,3 @@
+options {
+	dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};

bin/tests/system/dns64/tests.sh

@@ -39,6 +39,19 @@ do
         status=`expr $status + $ret`
 done
 
+for conf in conf/warn*.conf
+do
+        echo_i "checking that $conf produces a warning ($n)"
+        ret=0
+        $CHECKCONF "$conf" > checkconf.out$n || ret=1
+	l=`wc -l < checkconf.out$n`
+	grep "warning" checkconf.out$n > /dev/null || ret=1
+	test $l -ne 0 || ret=1
+	n=`expr $n + 1`
+        if [ $ret != 0 ]; then echo_i "failed"; fi
+        status=`expr $status + $ret`
+done
+
 # Check the example. domain
 
 echo_i "checking non-excluded AAAA lookup works ($n)"

doc/arm/Bv9ARM-book.xml

@@ -5145,7 +5145,9 @@ options {
 	      </para>
 	      <para>
 		Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
-		64 and 96 as per RFC 6052.
+		64 and 96 as per RFC 6052.  Bits 64..71 inclusive must
+		be zero with the most significate bit of the prefix in
+		position 0.
 	      </para>
 	      <para>
 		Additionally a reverse IP6.ARPA zone will be created for

lib/bind9/check.c

@@ -530,6 +530,12 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 			continue;
 		}
 
+		if (na.type.in6.s6_addr[8] != 0) {
+			cfg_obj_log(map, logctx, ISC_LOG_WARNING,
+				    "warning: invalid prefix, bits [64..71] "
+				    "must be zero");
+		}
+
 		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
 		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
 			cfg_obj_log(map, logctx, ISC_LOG_ERROR,