Commit bba85538 authored by Grigorii Demidov

Merge branch 'policy_REFUSE' into 'master'

Policy REFUSE; minor tweak

Closes #337

See merge request !549
parents 580a7ed4 9583595b
Pipeline #36834 passed with stages
in 8 minutes and 47 seconds
......@@ -16,6 +16,10 @@ Security
(!550, !558, security!2, security!4)
- increase resilience against slow lorris attack (security!5)
New features
------------
- new policy.REFUSE to reply REFUSED to clients
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
......
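Review bot: The new NEWS entry "- new policy.REFUSE to reply REFUSED to clients" carries no merge request reference, while the neighbouring entries do, e.g. "(security!5)" and "(!538)". Append "(!549)", the merge request named in the commit message, so the changelog line can be traced back to the change.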
......@@ -73,7 +73,6 @@ static int lmdb_error(int error)
return kr_error(ENOSPC);
default:
kr_log_error("[cache] LMDB error: %s\n", mdb_strerror(error));
assert(false);
return kr_error(error);
}
}
......
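Review bot: The hunk header (-73,7 +73,6) shows one line dropped from the default branch of lmdb_error(), a change to cache error handling that is unrelated to policy.REFUSE and is described in the commit message only as a tweak. Please split it into its own commit or state the reason in the message. If the dropped line is "assert(false);", unexpected LMDB errors are only logged and returned via kr_error(error) even in debug builds, so it is worth confirming that every caller checks that return value.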
......@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
* ``DENY`` - reply NXDOMAIN authoritatively
* ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
* ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
* ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
* ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
* ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
......
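Review bot: The added ``REFUSE`` entry repeats the ``DROP`` wording with only the rcode changed, so the list gives an operator no basis for choosing between ``DENY``, ``DROP`` and ``REFUSE``. Add a short clause on when REFUSED is the appropriate answer, for example when the query is rejected by policy rather than failing during resolution.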
......@@ -491,6 +491,12 @@ function policy.DROP(_, _)
return kres.FAIL
end
function policy.REFUSE(_, req)
local answer = req.answer
answer:rcode(kres.rcode.REFUSED)
return kres.DONE
end
function policy.TC(state, req)
local answer = req.answer
if answer.max_size ~= 65535 then
......
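Review bot: policy.REFUSE sets only the rcode on req.answer before returning kres.DONE; nothing in the visible lines clears records or header flags that may already be present in the answer, and no test for the new action appears in this commit. Either confirm that the answer is always empty when a policy action runs, or reset it explicitly in the function, and add a test that checks the client receives REFUSED with empty sections.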