From 9f7f25ea5b9949273dafdb7b12e71314e3f80931 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <petr.spacek@nic.cz>
Date: Tue, 10 Apr 2018 09:15:38 +0200
Subject: [PATCH] policy: add REFUSE policy

Fixes: #337
---
 NEWS                      | 4 ++++
 modules/policy/README.rst | 1 +
 modules/policy/policy.lua | 6 ++++++
 3 files changed, 11 insertions(+)

diff --git a/NEWS b/NEWS
index e40aeef70..5f59c1735 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ Security
   (!550, !558, security!2, security!4)
 - increase resilience against slow lorris attack (security!5)
 
+New features
+------------
+- new policy.REFUSE to reply REFUSED to clients
+
 Bugfixes
 --------
 - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
diff --git a/modules/policy/README.rst b/modules/policy/README.rst
index 13c5e25b0..6ac242acc 100644
--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
 * ``DENY`` - reply NXDOMAIN authoritatively
 * ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
 * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
+* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
 * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
 * ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
 * ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 954b53347..f053a40ce 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -491,6 +491,12 @@ function policy.DROP(_, _)
 	return kres.FAIL
 end
 
+function policy.REFUSE(_, req)
+	local answer = req.answer
+	answer:rcode(kres.rcode.REFUSED)
+	return kres.DONE
+end
+
 function policy.TC(state, req)
 	local answer = req.answer
 	if answer.max_size ~= 65535 then
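Review bot: The new `policy.REFUSE` at line 48 has no doc comment and the diffstat lists no test for it, so its contract — it ignores the incoming state, rewrites only the rcode of `req.answer` and finishes the request with `kres.DONE`, whereas the neighbouring `policy.DROP` hands back `kres.FAIL` — is visible only by reading the body. A short LDoc header would make that difference explicit: `--- Terminate query resolution and reply REFUSED to the requestor.` / `-- @param _ state is ignored; the action always finishes the request` / `-- @param req request whose answer gets rcode REFUSED; returns kres.DONE`. A policy test asserting rcode REFUSED on a matched query would pin the behaviour, and whether any other answer flags should be reset before REFUSED goes out cannot be judged from this hunk, so it is worth checking against how the existing DENY action builds its answer. `policy.TC` starts at the end of the hunk and its body continues outside it.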
-- 
GitLab