Verified Commit 6008a01c authored by Lukas Jezek, committed by Petr Špaček

modules/policy: Return NODATA on *. action in rpz file

parent 98642609
1 merge request: !964 support arbitrary data in RPZ
......@@ -546,17 +546,13 @@ Response policy zones
:header: "RPZ Right Hand Side", "Knot Resolver Action", "BIND Compatibility"
"``.``", "``action`` is used", "compatible if ``action`` is :func:`policy.DENY`"
"``*.``", "``action`` is used", "good enough [#]_ if ``action`` is :func:`policy.DENY`"
"``*.``", ":func:`policy.ANSWER`", "yes"
"``rpz-passthru.``", ":func:`policy.PASS`", "yes"
"``rpz-tcp-only.``", ":func:`policy.TC`", "yes"
"``rpz-drop.``", ":func:`policy.DROP`", "no [#]_"
"fake A/AAAA", ":func:`policy.ANSWER`", "yes"
"fake CNAME", "not supported", "no"
.. [#] RPZ action ``*.`` in BIND causes *NODATA* answer
but typically our users configure ``policy.rpz(policy.DENY, ...)``
which replies with *NXDOMAIN*. Good news is that from client's
perspective it does not make a visible difference.
.. [#] Our :func:`policy.DROP` returns *SERVFAIL* answer (for historical reasons).
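Review bot: The new ``*.`` row of the table names :func:`policy.ANSWER` exactly as the "fake A/AAAA" row does, so a reader cannot tell that this case yields an empty NODATA answer rather than synthesized data. Suggest spelling that out in the row, for example ":func:`policy.ANSWER` (NODATA)". The removed footnote also recorded that users typically configure ``policy.rpz(policy.DENY, ...)`` and received NXDOMAIN for ``*.``; now that the row no longer reads "``action`` is used", those deployments change behaviour, and the documentation or release notes should say so.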
......
......@@ -382,7 +382,7 @@ local function rpz_parse(action, path)
local action_map = {
-- RPZ Policy Actions
['\0'] = action,
['\1*\0'] = action, -- deviates from RPZ spec
['\1*\0'] = policy.ANSWER({}, true),
['\012rpz-passthru\0'] = policy.PASS, -- the grammar...
['\008rpz-drop\0'] = policy.DROP,
['\012rpz-tcp-only\0'] = policy.TC,
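Review bot: In the replaced ['\1*\0'] entry of action_map, policy.ANSWER({}, true) carries no comment, and an empty table followed by a bare true does not tell the reader that the intent is a NODATA reply. The line it replaces had a trailing comment; please add one here, for example "-- NODATA answer". This entry also stops honouring the caller's action for "*." while ['\0'] still uses it, and that asymmetry deserves a short comment too.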
......
......@@ -46,7 +46,7 @@ local function test_rpz()
check_answer('"CNAME ." return NXDOMAIN',
'nxdomain.', kres.type.A, kres.rcode.NXDOMAIN)
check_answer('"CNAME *." return NXDOMAIN',
'nodata.', kres.type.A, kres.rcode.NXDOMAIN)
'nodata.', kres.type.A, kres.rcode.NOERROR)
check_answer('"CNAME rpz-drop." be dropped',
'rpzdrop.', kres.type.A, kres.rcode.SERVFAIL)
check_answer('"CNAME rpz-passthru" return A rrset',
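Review bot: The check_answer description for 'nodata.' still reads '"CNAME *." return NXDOMAIN' while the expected rcode is now kres.rcode.NOERROR, so a failing run would print a misleading message; rename it to '"CNAME *." return NODATA'. NOERROR alone also does not distinguish NODATA from a positive answer, so if check_answer can assert that the answer section is empty, add that check for this case.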
......
deckard @ a90e8dea
Subproject commit 6ed64e906a4766f3c553bdb04d713c5048038962
Subproject commit a90e8deacafc3a66b6109e62986fb2a72ea57c49
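Review bot: The deckard subproject pointer changes in this commit, but the commit message only mentions modules/policy. If the bump is required for this change, say so in the commit message; otherwise move it to its own commit so the policy change can be reverted or backported on its own.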