modules/policy: DENY home.arpa. and local. domains

- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4 - local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1 Well, it's just an approximation... if the user specifies a forwarding policy, any special names will also get forwarded, even though the RFC says not to. And this code will also reply NXDOMAIN to home.arpa. DS. Some of these DENY rules are perhaps unnecessary, but for now we keep the same approach. For arguments see the MR 855 thread and linked ML.

modules/policy: DENY home.arpa. and local. domains
- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4 - local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1 Well, it's just an approximation... if the user specifies a forwarding policy, any special names will also get forwarded, even though the RFC says not to. And this code will also reply NXDOMAIN to home.arpa. DS. Some of these DENY rules are perhaps unnecessary, but for now we keep the same approach. For arguments see the MR 855 thread and linked ML.
e66466f2 · Vladimír Čunát · Tomas Krizek · f9970004 · e66466f2 · e66466f2
Verified Commit e66466f2 authored 5 years ago by Vladimír Čunát Committed by Tomas Krizek 5 years ago
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ Bugfixes
 Improvements
 ------------
 - add compatibility with (future) libknot 2.9
+- policy: special domains home.arpa. and local. get NXDOMAIN (!855)


 Knot Resolver 4.2.0 (2019-08-05)

--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -744,6 +744,8 @@ local private_zones = {
 	'a.e.f.ip6.arpa.',
 	'b.e.f.ip6.arpa.',
 	'8.b.d.0.1.0.0.2.ip6.arpa.',
+	-- RFC8375
+	'home.arpa.',
 }
 policy.todnames(private_zones)

@@ -768,6 +770,7 @@ policy.special_names = {
 				todname('test.'),
 				todname('onion.'),
 				todname('invalid.'),
+				todname('local.'), -- RFC 8375.4
 			}),
 		count=0
 	},