Commit 9f7f25ea authored by Petr Špaček, committed by Grigorii Demidov

policy: add REFUSE policy

Fixes: #337
parent 580a7ed4
......@@ -16,6 +16,10 @@ Security
(!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5)
New features
------------
- new policy.REFUSE to reply REFUSED to clients
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
......
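Review bot: The new "New features" entry carries no merge request or issue reference, while the neighbouring entries do ("(security!5)", "(!538)"). The commit message says "Fixes: #337", so append that reference to the "new policy.REFUSE to reply REFUSED to clients" line so the changelog stays traceable.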
......@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
* ``DENY`` - reply NXDOMAIN authoritatively
* ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
* ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
* ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
* ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
* ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
......
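Review bot: The ``REFUSE`` description is word-for-word the ``DROP`` description with only the rcode swapped, so the docs give an operator no basis for choosing between them. Add a clause saying that REFUSED tells the client the query was rejected for policy reasons, whereas the SERVFAIL from ``DROP`` reads as a server failure; that difference is the reason a blocking rule would use ``REFUSE``.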
......@@ -491,6 +491,12 @@ function policy.DROP(_, _)
return kres.FAIL
end
function policy.REFUSE(_, req)
local answer = req.answer
answer:rcode(kres.rcode.REFUSED)
return kres.DONE
end
function policy.TC(state, req)
local answer = req.answer
if answer.max_size ~= 65535 then
......
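Review bot: policy.REFUSE only calls answer:rcode(kres.rcode.REFUSED) before returning kres.DONE, so whatever is already in req.answer (records in any section, header flags) would be sent along with the REFUSED rcode. Either clear the answer explicitly here or add a comment stating why it is guaranteed to be empty when a policy action runs. Note also that policy.DROP just above returns kres.FAIL while this returns kres.DONE; a one-line comment explaining that DONE is needed so the prepared answer is sent as-is would help the next reader. No test for the new action is visible in this change; a case asserting the REFUSED rcode and empty answer sections would pin the behaviour.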