Commit 9f7f25ea authored by Petr Špaček, committed by Grigorii Demidov

policy: add REFUSE policy

Fixes: #337
parent 580a7ed4
...@@ -16,6 +16,10 @@ Security ...@@ -16,6 +16,10 @@ Security
(!550, !558, security!2, security!4) (!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5) - increase resilience against slow lorris attack (security!5)
New features
------------
- new policy.REFUSE to reply REFUSED to clients
Bugfixes Bugfixes
-------- --------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538) - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
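Review bot: The new entry under "New features" carries no merge request or issue reference, while the neighbouring entries end with one, such as (!538) or (security!5). The commit message says this fixes #337, so append that reference (or the merge request number) to the line so the changelog entry can be traced back to the discussion.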
......
...@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai ...@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
* ``DENY`` - reply NXDOMAIN authoritatively * ``DENY`` - reply NXDOMAIN authoritatively
* ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section * ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
* ``DROP`` - terminate query resolution and return SERVFAIL to the requestor * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
* ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
* ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally; * ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
* ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally; * ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
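Review bot: The ``REFUSE`` line is worded the same as the ``DROP`` line apart from the rcode, so the list gives an operator no basis for choosing between the two. Add a clause saying when REFUSED is the appropriate answer, for example when the query is rejected by policy rather than because resolution failed, so the difference from ``DROP`` (SERVFAIL) and ``DENY`` (NXDOMAIN) is explicit.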
......
...@@ -491,6 +491,12 @@ function policy.DROP(_, _) ...@@ -491,6 +491,12 @@ function policy.DROP(_, _)
return kres.FAIL return kres.FAIL
end end
function policy.REFUSE(_, req)
local answer = req.answer
answer:rcode(kres.rcode.REFUSED)
return kres.DONE
end
function policy.TC(state, req) function policy.TC(state, req)
local answer = req.answer local answer = req.answer
if answer.max_size ~= 65535 then if answer.max_size ~= 65535 then
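Review bot: In policy.REFUSE the only change made to the answer is answer:rcode(kres.rcode.REFUSED) before returning kres.DONE, and nothing in this hunk shows the packet being emptied or its flags reset first. If the action can run after records have been written to req.answer, the client would receive REFUSED with data attached; either clear the answer sections here or add a comment stating why the answer is guaranteed to be empty at this point. A test that asserts the rcode and an empty answer section for a refused query would pin the behaviour down.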
......