modules/policy: DENY home.arpa. special-use domain

Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

For local. we kept the default behavior, after some research,
as there seems to be almost no benefit and there's a risk of having
a validating resolver downstream that doesn't treat local.  Refs.:
- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
parent 5762ca22
Pipeline #50767 failed with stages in 46 minutes and 30 seconds
......@@ -10,6 +10,7 @@ Bugfixes
--------
- tls_client: fix issue with TLS session resumption (#489)
- policy: special domain home.arpa. gets NXDOMAIN (!855)
Module API changes
------------------
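Review bot: the NEWS entry "special domain home.arpa. gets NXDOMAIN" overstates what the code guarantees; the commit message itself says that with a forwarding policy the name is still forwarded (against the RFC 8375 section 4 requirement cited) and that DS queries for home.arpa. also get NXDOMAIN. Consider qualifying the entry, e.g. "policy: special domain home.arpa. gets NXDOMAIN by default (not under a forwarding policy) (!855)", so operators reading the changelog do not assume the name can never leak upstream.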
......@@ -681,6 +681,8 @@ local private_zones = {
'a.e.f.ip6.arpa.',
'b.e.f.ip6.arpa.',
'8.b.d.0.1.0.0.2.ip6.arpa.',
-- RFC8375
'home.arpa.',
}
policy.todnames(private_zones)
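Review bot: the `-- RFC8375` comment next to `'home.arpa.'` should name the section and the known limitation, since this list is applied uniformly to every qtype via `policy.todnames(private_zones)`; the commit message acknowledges that DS queries for home.arpa. are also answered NXDOMAIN here, which is the one case a downstream validator cares about. Suggest `-- RFC8375 section 4; note: DS for home.arpa. is also answered locally (see commit message)` so the caveat is visible in the code and not only in the history.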
......@@ -705,6 +707,11 @@ policy.special_names = {
todname('test.'),
todname('onion.'),
todname('invalid.'),
--[[ RFC6762 22.1.4 mandates to return NXDOMAIN without asking upstream.
By default we use QNAME minimization and aggressive caching,
in which case we can't see why follow this RFC advice ("SHOULD").
todname('local.'), --]]
}),
count=0
},
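Review bot: the reasoning in the `--[[ ... --]]` block that keeps `todname('local.')` disabled does not match the reason given in the commit message. The code comment says QNAME minimization and aggressive caching make the RFC 6762 22.1.4 advice pointless, while the commit message gives the deciding reason as the risk of a validating resolver downstream that does not treat local. specially. Record that downstream-validator concern in the code comment as well, since it is the argument a future maintainer needs before enabling the line, and keep the RFC 6762 section 22.1 reference from the commit message alongside it.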