Commit 9661e47b authored by Vladimír Čunát's avatar Vladimír Čunát

Merge pointer-arith changes into cache-NSEC3

parents 1f848a12 fcb227b7
Security
--------
- fix a rare case of zones incorrectly dowgraded to insecure status
Bugfixes
--------
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
Knot Resolver 2.3.0 (2018-04-23) Knot Resolver 2.3.0 (2018-04-23)
================================ ================================
......
...@@ -23,6 +23,7 @@ RUN apt-get install -y -qqq python3-pip wget augeas-tools ...@@ -23,6 +23,7 @@ RUN apt-get install -y -qqq python3-pip wget augeas-tools
RUN pip3 install --upgrade pip RUN pip3 install --upgrade pip
RUN pip3 install pylint RUN pip3 install pylint
RUN pip3 install pep8 RUN pip3 install pep8
RUN pip3 install pytest-xdist
# C dependencies for python-augeas # C dependencies for python-augeas
RUN apt-get install -y -qqq libaugeas-dev libffi-dev RUN apt-get install -y -qqq libaugeas-dev libffi-dev
......
...@@ -27,7 +27,8 @@ ...@@ -27,7 +27,8 @@
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
#if defined(__linux__) #if defined(__linux__) || defined(__gnu_hurd__) || \
(defined(__FreeBSD_kernel__) && defined(__GLIBC__))
# include <endian.h> # include <endian.h>
# ifndef be64toh # ifndef be64toh
# include <arpa/inet.h> # include <arpa/inet.h>
......
...@@ -997,9 +997,9 @@ specified worker count and process rank. ...@@ -997,9 +997,9 @@ specified worker count and process rank.
Return current worker ID (starting from `0` up to `worker.count - 1`) Return current worker ID (starting from `0` up to `worker.count - 1`)
.. envvar:: pid (number) .. envvar:: worker.pid
Current worker process PID. Current worker process PID (number).
.. function:: worker.stats() .. function:: worker.stats()
......
knot-resolver (2.0.0-1) unstable; urgency=medium
Knot Resolver systemd service units are now templated, so that multiple
processes can run concurrently on multi-core systems. For a full
overview of the status of all the running daemons, use:
systemctl status system-kresd.slice
For more information about this setup, please see kresd.systemd(7).
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 03 Feb 2018 22:51:02 -0500
knot-resolver (1.1.0~git2016072900-1) unstable; urgency=medium
Knot Resolver now starts and runs under unprivileged user and uses a
socket activations to bind on the privileged ports. That means that if
you use anything more complicated than that you need to either override
the default service file with `systemd edit kresd.service` and
`systemd edit kresd.socket` to add more IP addresses, or just disable
it with `systemd mask kresd*.socket kresd.service` and provide your
own custom system service file tailored to your needs.
-- Ondřej Surý <ondrej@debian.org> Thu, 04 Aug 2016 09:04:53 +0200
Tracking upstream sources in git Tracking upstream sources in git
-------------------------------- --------------------------------
This debian package is tracked in git at This debian package is tracked in the git "debian/master" branch at
https://anonscm.debian.org/git/pkg-dns/knot-resolver.git, which https://salsa.debian.org/dns-team/knot-resolver, which
includes the commits from the upstream git repository at includes the commits from the upstream git repository at
https://gitlab.labs.nic.cz/knot/knot-resolver.git. When importing https://gitlab.labs.nic.cz/knot/knot-resolver.git. When importing
upstream tarballs, make sure you've fetched from the upstream repo upstream tarballs, make sure you've fetched from the upstream repo
...@@ -11,7 +11,9 @@ upstream-vcs-tag from debian/gbp.conf to link upstream git history ...@@ -11,7 +11,9 @@ upstream-vcs-tag from debian/gbp.conf to link upstream git history
with new package history. with new package history.
See Joey Hess's thoughts about why tracking upstream git history is See Joey Hess's thoughts about why tracking upstream git history is
useful: https://joeyh.name/blog/entry/upstream_git_repositories/ useful: https://joeyh.name/blog/entry/upstream_git_repositories/, as
well as DEP-14 for the branch-naming scheme:
http://dep.debian.net/deps/dep14/
Rebuilding epoch.js and epoch.css Rebuilding epoch.js and epoch.css
--------------------------------- ---------------------------------
...@@ -65,4 +67,4 @@ sass -t compact sass/epoch.scss > dist/css/epoch.css ...@@ -65,4 +67,4 @@ sass -t compact sass/epoch.scss > dist/css/epoch.css
sass -t compressed sass/epoch.scss > dist/css/epoch.min.css sass -t compressed sass/epoch.scss > dist/css/epoch.min.css
EOF EOF
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Sun, 12 Nov 2017 12:52:39 +0800 -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Thu, 22 Feb 2018 13:25:27 -0800
doc/kresd.8 doc/kresd.8
libkres.pc libkres.pc
lib/libkres.a lib/libkres.a
lib/libkres.so.6 lib/libkres.so.7
...@@ -16,17 +16,13 @@ Build-Depends: ...@@ -16,17 +16,13 @@ Build-Depends:
libedit-dev, libedit-dev,
libgeoip-dev, libgeoip-dev,
libgnutls28-dev, libgnutls28-dev,
libhiredis-dev,
libjansson-dev,
libknot-dev (>= 2.6.4), libknot-dev (>= 2.6.4),
liblmdb-dev, liblmdb-dev,
libluajit-5.1-dev, libluajit-5.1-dev,
libmemcached-dev, libsystemd-dev (>= 227) [linux-any],
libsystemd-dev (>= 227),
libuv1-dev, libuv1-dev,
luajit, luajit,
pkg-config, pkg-config,
python3,
Homepage: https://www.knot-resolver.cz/ Homepage: https://www.knot-resolver.cz/
Rules-Requires-Root: no Rules-Requires-Root: no
......
...@@ -3,7 +3,7 @@ Upstream-Name: knot-resolver ...@@ -3,7 +3,7 @@ Upstream-Name: knot-resolver
Source: https://www.knot-resolver.cz/ Source: https://www.knot-resolver.cz/
Files: * Files: *
Copyright: 2015 CZ.NIC Copyright: 2015-2018 CZ.NIC
License: GPL-3.0+ License: GPL-3.0+
Files: contrib/ccan/asprintf/* Files: contrib/ccan/asprintf/*
...@@ -40,7 +40,7 @@ License: BSD-3-clause ...@@ -40,7 +40,7 @@ License: BSD-3-clause
Files: contrib/murmurhash3/* Files: contrib/murmurhash3/*
Copyright: Austin Appleby Copyright: Austin Appleby
License: public-domain License: CC0-1.0
Files: debian/missing-sources/dygraph-combined.js Files: debian/missing-sources/dygraph-combined.js
modules/http/static/dygraph-combined.js modules/http/static/dygraph-combined.js
...@@ -440,3 +440,14 @@ License: OpenLDAP ...@@ -440,3 +440,14 @@ License: OpenLDAP
holders. holders.
. .
OpenLDAP is a registered trademark of the OpenLDAP Foundation. OpenLDAP is a registered trademark of the OpenLDAP Foundation.
License: CC0-1.0
This work is licensed under the "Creative Commons Zero" license.
.
On debian systems, a copy of the Creative Commons Zero license may be
found at /usr/share/common-licenses/CC0-1.0.
License: public-domain
This work has been released into the public domain. The map
implementation builds off of prior public domain work from Dan
Bernstein (qhasm) and Adam Langley (critbit).
...@@ -19,4 +19,12 @@ if [ "$1" = "triggered" ]; then ...@@ -19,4 +19,12 @@ if [ "$1" = "triggered" ]; then
exit 0 exit 0
fi fi
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -d /run/systemd/system ]; then
systemctl try-restart 'kresd@*.service' || true
else
invoke-rc.d kresd try-restart || true
fi
fi
#DEBHELPER# #DEBHELPER#
...@@ -42,9 +42,8 @@ override_dh_auto_build-indep: ...@@ -42,9 +42,8 @@ override_dh_auto_build-indep:
cd doc && sphinx-build -b html -D html_theme=nature . html cd doc && sphinx-build -b html -D html_theme=nature . html
override_dh_auto_install-arch: override_dh_auto_install-arch:
dh_auto_install --destdir=debian/tmp -- V=1 dh_auto_install --destdir=debian/tmp -- V=1 KEYFILE_DEFAULT=/usr/share/dns/root.key
rm debian/tmp/etc/knot-resolver/icann-ca.pem rm -f debian/tmp/etc/knot-resolver/root.hints debian/tmp/etc/knot-resolver/icann-ca.pem
rm debian/tmp/etc/knot-resolver/root.hints
override_dh_auto_install-indep: override_dh_auto_install-indep:
# install just the http/2 module # install just the http/2 module
......
...@@ -14,18 +14,15 @@ to see how you can build it from sources (or package it), or use official `Docke ...@@ -14,18 +14,15 @@ to see how you can build it from sources (or package it), or use official `Docke
Platform considerations Platform considerations
----------------------- -----------------------
.. csv-table:: Knot-resolver is written for UNIX-like systems, mainly in C99.
:header: "Project", "Platforms", "Compatibility notes" Portable I/O is provided by libuv_.
Some 64-bit systems with LuaJIT 2.1 may be affected by
"``daemon``", "UNIX-like [#]_", "C99, libuv_ provides portable I/O" `a problem <https://github.com/LuaJIT/LuaJIT/blob/v2.1/doc/status.html#L100>`_
"``library``", "UNIX-like", "MSVC_ not supported, needs MinGW_" -- Linux on x86_64 is unaffected but `Linux on aarch64 is
"``modules``", "*varies*", "" <https://gitlab.labs.nic.cz/knot/knot-resolver/issues/216>`_.
"``tests/unit``", "*equivalent to library*", ""
"``tests/integration``", "UNIX-like", "Depends on library injection (see [2]_)"
.. [#] Known to be running (not exclusively) on FreeBSD, Linux and OS X. Windows systems might theoretically work without large changes,
but it's most likely broken and currently not planned to be supported.
.. Windows status??? Modules are not supported yet, as the PE/DLL loading is different. Library injection is working with ELF *(or Mach-O flat namespace)* only.
Requirements Requirements
------------ ------------
...@@ -36,12 +33,13 @@ The following is a list of software required to build Knot DNS Resolver from sou ...@@ -36,12 +33,13 @@ The following is a list of software required to build Knot DNS Resolver from sou
:header: "Requirement", "Required by", "Notes" :header: "Requirement", "Required by", "Notes"
"`GNU Make`_ 3.80+", "*all*", "*(build only)*" "`GNU Make`_ 3.80+", "*all*", "*(build only)*"
"C compiler", "*all*", "*(build only)* [#]_" "C and C++ compiler", "*all*", "*(build only)* [#]_"
"`pkg-config`_", "*all*", "*(build only)* [#]_" "`pkg-config`_", "*all*", "*(build only)* [#]_"
"hexdump or xxd", "``daemon``", "*(build only)*" "hexdump or xxd", "``daemon``", "*(build only)*"
"libknot_ 2.4.0+", "*all*", "Knot DNS library (requires autotools, GnuTLS and Jansson)." "libknot_ 2.6.4+", "*all*", "Knot DNS libraries - requires autotools, GnuTLS, ..."
"LuaJIT_ 2.0+", "``daemon``", "Embedded scripting language." "LuaJIT_ 2.0+", "``daemon``", "Embedded scripting language."
"libuv_ 1.7+", "``daemon``", "Multiplatform I/O and services (libuv_ 1.0 with limitations [#]_)." "libuv_ 1.7+", "``daemon``", "Multiplatform I/O and services (libuv_ 1.0 with limitations [#]_)."
"lmdb", "``daemon``", "If missing, a static version is embedded."
There are also *optional* packages that enable specific functionality in Knot DNS Resolver, they are useful mainly for developers to build documentation and tests. There are also *optional* packages that enable specific functionality in Knot DNS Resolver, they are useful mainly for developers to build documentation and tests.
...@@ -51,9 +49,6 @@ There are also *optional* packages that enable specific functionality in Knot DN ...@@ -51,9 +49,6 @@ There are also *optional* packages that enable specific functionality in Knot DN
"`lua-http`_", "``modules/http``", "HTTP/2 client/server for Lua." "`lua-http`_", "``modules/http``", "HTTP/2 client/server for Lua."
"luasocket_", "``trust anchors, modules/stats``", "Sockets for Lua." "luasocket_", "``trust anchors, modules/stats``", "Sockets for Lua."
"luasec_", "``trust anchors``", "TLS for Lua." "luasec_", "``trust anchors``", "TLS for Lua."
"libmemcached_", "``modules/memcached``", "To build memcached backend module."
"hiredis_", "``modules/redis``", "To build redis backend module."
"Go_ 1.5+", "``modules``", "Build modules written in Go."
"cmocka_", "``unit tests``", "Unit testing framework." "cmocka_", "``unit tests``", "Unit testing framework."
"Doxygen_", "``documentation``", "Generating API documentation." "Doxygen_", "``documentation``", "Generating API documentation."
"Sphinx_ and sphinx_rtd_theme_", "``documentation``", "Building this HTML/PDF documentation." "Sphinx_ and sphinx_rtd_theme_", "``documentation``", "Building this HTML/PDF documentation."
...@@ -66,6 +61,10 @@ There are also *optional* packages that enable specific functionality in Knot DN ...@@ -66,6 +61,10 @@ There are also *optional* packages that enable specific functionality in Knot DN
"`clang-tidy`_", "``lint-c``", "Syntax and static analysis checker for C." "`clang-tidy`_", "``lint-c``", "Syntax and static analysis checker for C."
"luacov_", "``check-config``", "Code coverage analysis for Lua modules." "luacov_", "``check-config``", "Code coverage analysis for Lua modules."
.. "libmemcached_", "``modules/memcached``", "To build memcached backend module."
"hiredis_", "``modules/redis``", "To build redis backend module."
"Go_ 1.5+", "``modules``", "Build modules written in Go."
.. [#] Requires C99, ``__attribute__((cleanup))`` and ``-MMD -MP`` for dependency file generation. GCC, Clang and ICC are supported. .. [#] Requires C99, ``__attribute__((cleanup))`` and ``-MMD -MP`` for dependency file generation. GCC, Clang and ICC are supported.
.. [#] You can use variables ``<dependency>_CFLAGS`` and ``<dependency>_LIBS`` to configure dependencies manually (i.e. ``libknot_CFLAGS`` and ``libknot_LIBS``). .. [#] You can use variables ``<dependency>_CFLAGS`` and ``<dependency>_LIBS`` to configure dependencies manually (i.e. ``libknot_CFLAGS`` and ``libknot_LIBS``).
.. [#] libuv 1.7 brings SO_REUSEPORT support that is needed for multiple forks. libuv < 1.7 can be still used, but only in single-process mode. Use :ref:`different method <daemon-reuseport>` for load balancing. .. [#] libuv 1.7 brings SO_REUSEPORT support that is needed for multiple forks. libuv < 1.7 can be still used, but only in single-process mode. Use :ref:`different method <daemon-reuseport>` for load balancing.
......
...@@ -2,9 +2,9 @@ ...@@ -2,9 +2,9 @@
Knot DNS Resolver Knot DNS Resolver
################# #################
The Knot DNS Resolver is a minimalistic caching resolver implementation. Knot Resolver is a minimalistic implementation of a caching validating DNS resolver.
The project provides both a resolver library and a small daemon. Modular architecture keeps the core tiny and efficient,
Modular architecture of the library keeps the core tiny and efficient, and provides a state-machine like API for extensions. and it provides a state-machine like API for extensions.
.. toctree:: .. toctree::
:maxdepth: 2 :maxdepth: 2
......
...@@ -132,7 +132,7 @@ that all enabled daemons are started and running, do: ...@@ -132,7 +132,7 @@ that all enabled daemons are started and running, do:
.nf .nf
.RS 4n .RS 4n
.B systemctl start 'kresd@*.service' .B systemctl start --all 'kresd@*.service'
.RE .RE
.fi .fi
......
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
#include "lib/cache/impl.h" #include "lib/cache/impl.h"
int rdataset_dematerialize(const knot_rdataset_t *rds, void * restrict data) int rdataset_dematerialize(const knot_rdataset_t *rds, uint8_t * restrict data)
{ {
//const void *data0 = data; //const void *data0 = data;
assert(data); assert(data);
...@@ -47,12 +47,12 @@ int rdataset_dematerialize(const knot_rdataset_t *rds, void * restrict data) ...@@ -47,12 +47,12 @@ int rdataset_dematerialize(const knot_rdataset_t *rds, void * restrict data)
/** Materialize a knot_rdataset_t from cache with given TTL. /** Materialize a knot_rdataset_t from cache with given TTL.
* Return the number of bytes consumed or an error code. * Return the number of bytes consumed or an error code.
*/ */
static int rdataset_materialize(knot_rdataset_t * restrict rds, const void * const data, static int rdataset_materialize(knot_rdataset_t * restrict rds, const uint8_t * const data,
const void *data_bound, uint32_t ttl, knot_mm_t *pool) const uint8_t *data_bound, uint32_t ttl, knot_mm_t *pool)
{ {
assert(rds && data && data_bound && data_bound > data && !rds->data); assert(rds && data && data_bound && data_bound > data && !rds->data);
assert(pool); /* not required, but that's our current usage; guard leaks */ assert(pool); /* not required, but that's our current usage; guard leaks */
const void *d = data; /* iterates over the cache data */ const uint8_t *d = data; /* iterates over the cache data */
{ {
uint16_t rr_count; uint16_t rr_count;
memcpy(&rr_count, d, sizeof(rr_count)); memcpy(&rr_count, d, sizeof(rr_count));
......
...@@ -238,7 +238,7 @@ static inline int rdataset_dematerialize_size(const knot_rdataset_t *rds) ...@@ -238,7 +238,7 @@ static inline int rdataset_dematerialize_size(const knot_rdataset_t *rds)
} }
/** Dematerialize a rdataset. */ /** Dematerialize a rdataset. */
int rdataset_dematerialize(const knot_rdataset_t *rds, void * restrict data); int rdataset_dematerialize(const knot_rdataset_t *rds, uint8_t * restrict data);
/** NSEC* parameters; almost nothing is meaningful for NSEC. */ /** NSEC* parameters; almost nothing is meaningful for NSEC. */
struct nsec_p { struct nsec_p {
......
...@@ -650,17 +650,28 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req) ...@@ -650,17 +650,28 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
{ {
struct kr_query *query = req->current_query; struct kr_query *query = req->current_query;
/* Response for minimized QNAME. /* Response for minimized QNAME. Note that current iterator's minimization
* is only able ask one label below a zone cut.
* NODATA => may be empty non-terminal, retry (found zone cut) * NODATA => may be empty non-terminal, retry (found zone cut)
* NOERROR => found zone cut, retry * NOERROR => found zone cut, retry, except the case described below
* NXDOMAIN => parent is zone cut, retry as a workaround for bad authoritatives * NXDOMAIN => parent is zone cut, retry as a workaround for bad authoritatives
*/ */
bool is_final = (query->parent == NULL); const bool is_final = (query->parent == NULL);
int pkt_class = kr_response_classify(pkt); const int pkt_class = kr_response_classify(pkt);
if (!knot_dname_is_equal(knot_pkt_qname(pkt), query->sname) && const knot_dname_t * pkt_qname = knot_pkt_qname(pkt);
if (!knot_dname_is_equal(pkt_qname, query->sname) &&
(pkt_class & (PKT_NOERROR|PKT_NXDOMAIN|PKT_REFUSED|PKT_NODATA))) { (pkt_class & (PKT_NOERROR|PKT_NXDOMAIN|PKT_REFUSED|PKT_NODATA))) {
VERBOSE_MSG("<= found cut, retrying with non-minimized name\n"); /* Check for parent server that is authoritative for child zone,
query->flags.NO_MINIMIZE = true; * several CCTLDs where the SLD and TLD have the same name servers */
const knot_pktsection_t *ans = knot_pkt_section(pkt, KNOT_ANSWER);
if ((pkt_class & (PKT_NOERROR)) && ans->count > 0 &&
knot_dname_is_equal(pkt_qname, query->zone_cut.name)) {
VERBOSE_MSG("<= continuing with qname minimization\n")
} else {
/* fall back to disabling minimization */
VERBOSE_MSG("<= retrying with non-minimized name\n");
query->flags.NO_MINIMIZE = true;
}
return KR_STATE_CONSUME; return KR_STATE_CONSUME;
} }
......
...@@ -420,13 +420,17 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_ ...@@ -420,13 +420,17 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
/* Rank the corresponding nonauth NS as insecure. */ /* Rank the corresponding nonauth NS as insecure. */
for (int i = 0; i < req->auth_selected.len; ++i) { for (int i = 0; i < req->auth_selected.len; ++i) {
ranked_rr_array_entry_t *ns = req->auth_selected.at[i]; ranked_rr_array_entry_t *ns = req->auth_selected.at[i];
if (ns->qry_uid != qry->uid || !ns->rr if (ns->qry_uid != qry->uid
|| !ns->rr
|| ns->rr->type != KNOT_RRTYPE_NS) { || ns->rr->type != KNOT_RRTYPE_NS) {
continue; continue;
} }
if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner)) {
continue;
}
/* Found the record. Note: this is slightly fragile /* Found the record. Note: this is slightly fragile
* in case there were more NS records in the packet. * in case there were more NS records in the packet.
* As it is now, kr_nsec*_ref_to_unsigned consider * As it is now for referrals, kr_nsec*_ref_to_unsigned consider
* (only) the first NS record in the packet. */ * (only) the first NS record in the packet. */
if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */ if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */
ns->rank = KR_RANK_INSECURE; ns->rank = KR_RANK_INSECURE;
......
...@@ -222,10 +222,12 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name ...@@ -222,10 +222,12 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
* even if cut name is covered by TA. */ * even if cut name is covered by TA. */
qry->flags.DNSSEC_WANT = false; qry->flags.DNSSEC_WANT = false;
qry->flags.DNSSEC_INSECURE = true; qry->flags.DNSSEC_INSECURE = true;
VERBOSE_MSG(qry, "=> going insecure because parent query is insecure\n");
} else if (kr_ta_covers_qry(req->ctx, qry->zone_cut.name, KNOT_RRTYPE_NS)) { } else if (kr_ta_covers_qry(req->ctx, qry->zone_cut.name, KNOT_RRTYPE_NS)) {
qry->flags.DNSSEC_WANT = true; qry->flags.DNSSEC_WANT = true;
} else { } else {
qry->flags.DNSSEC_WANT = false; qry->flags.DNSSEC_WANT = false;
VERBOSE_MSG(qry, "=> going insecure because there's no covering TA\n");
} }
struct kr_zonecut cut_found; struct kr_zonecut cut_found;
......
...@@ -442,8 +442,8 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut, ...@@ -442,8 +442,8 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut,
WITH_VERBOSE(qry) { WITH_VERBOSE(qry) {
auto_free char *label_str = kr_dname_text(label); auto_free char *label_str = kr_dname_text(label);
VERBOSE_MSG(qry, VERBOSE_MSG(qry,
"found cut: %s (return codes: DS %d, DNSKEY %d)\n", "found cut: %s (rank 0%.2o return codes: DS %d, DNSKEY %d)\n",
label_str, ret_ds, ret_dnskey); label_str, rank, ret_ds, ret_dnskey);
} }
return kr_ok(); return kr_ok();
} }
......
...@@ -22,7 +22,7 @@ A *filter* selects which queries will be affected by specified *action*. There a ...@@ -22,7 +22,7 @@ A *filter* selects which queries will be affected by specified *action*. There a
- applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules), - applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules),
uses `Aho-Corasick`_ string matching algorithm `from CloudFlare <https://github.com/cloudflare/lua-aho-corasick>`_ (BSD 3-clause) uses `Aho-Corasick`_ string matching algorithm `from CloudFlare <https://github.com/cloudflare/lua-aho-corasick>`_ (BSD 3-clause)
* :any:`policy.suffix_common` * :any:`policy.suffix_common`
* ``rpz`` * ``rpz(default_action, path)``
- implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`. - implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`.
* custom filter function * custom filter function
...@@ -182,9 +182,9 @@ Most properties (actions, filters) are described above. ...@@ -182,9 +182,9 @@ Most properties (actions, filters) are described above.
Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise). Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise).
This function is faster for small suffix tables (in the order of "hundreds"). This function is faster for small suffix tables (in the order of "hundreds").
.. function:: policy.rpz(action, path[, format]) .. function:: policy.rpz(action, path)
:param action: the default action for match in the zone (e.g. RH-value `.`) :param action: the default action for match in the zone; typically you want ``policy.DENY``
:param path: path to zone file | database :param path: path to zone file | database
Enforce RPZ_ rules. This can be used in conjunction with published blocklist feeds. Enforce RPZ_ rules. This can be used in conjunction with published blocklist feeds.
...@@ -194,13 +194,16 @@ Most properties (actions, filters) are described above. ...@@ -194,13 +194,16 @@ Most properties (actions, filters) are described above.
.. csv-table:: .. csv-table::
:header: "Policy Action", "RH Value", "Support" :header: "Policy Action", "RH Value", "Support"
"NXDOMAIN", "``.``", "**yes**" "``action`` is used", "``.``", "**yes**, if ``action`` is ``DENY``"
"NODATA", "``*.``", "*partial*, implemented as NXDOMAIN" "``action`` is used ", "``*.``", "*partial* [#]_"
"Unchanged", "``rpz-passthru.``", "**yes**" "``policy.PASS``", "``rpz-passthru.``", "**yes**"
"Nothing", "``rpz-drop.``", "**yes**" "``policy.DROP``", "``rpz-drop.``", "**yes**"
"Truncated", "``rpz-tcp-only.``", "**yes**" "``policy.TC``", "``rpz-tcp-only.``", "**yes**"
"Modified", "anything", "no" "Modified", "anything", "no"
.. [#] The specification for ``*.`` wants a ``NODATA`` answer.
For now, ``policy.DENY`` action doing ``NXDOMAIN`` is typically used instead.
.. csv-table:: .. csv-table::
:header: "Policy Trigger", "Support" :header: "Policy Trigger", "Support"
......
...@@ -9,7 +9,7 @@ filters and ACLs, sort of like ISC BIND views. ...@@ -9,7 +9,7 @@ filters and ACLs, sort of like ISC BIND views.
There are two identification mechanisms: There are two identification mechanisms:
* ``subnet`` * ``addr``
- identifies the client based on his subnet - identifies the client based on his subnet
* ``tsig`` * ``tsig``
- identifies the client based on a TSIG key - identifies the client based on a TSIG key
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment