Commit 57dedab3 authored by Evan Hunt

Merge branch 'each-dead-code-cleanup' into 'master'

remove dead RPZ code

See merge request !1392
parents 710a3aaf 7c13f177
Pipeline #9030 passed with stages
in 57 seconds
......@@ -3668,40 +3668,7 @@ rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
(st->m.type == rpz_type &&
0 >= dns_name_compare(p_name, st->p_name))))
continue;
#if 0
/*
* This code would block a customer reported information
* leak of rpz rules by rewriting requests in the
* rpz-ip, rpz-nsip, rpz-nsdname,and rpz-passthru TLDs.
* Without this code, a bad guy could request
* 24.0.3.2.10.rpz-ip. to find the policy rule for
* 10.2.3.0/14. It is an insignificant leak and this
* code is not worth its cost, because the bad guy
* could publish "evil.com A 10.2.3.4" and request
* evil.com to get the same information.
* Keep code with "#if 0" in case customer demand
* is irresistible.
*
* We have the less frequent case of a triggered
* policy. Check that we have not trigger on one
* of the pretend RPZ TLDs.
* This test would make it impossible to rewrite
* names in TLDs that start with "rpz-" should
* ICANN ever allow such TLDs.
*/
unsigned int labels;
labels = dns_name_countlabels(trig_name);
if (labels >= 2) {
dns_label_t label;
dns_name_getlabel(trig_name, labels-2, &label);
if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 &&
strncasecmp((const char *)label.base+1,
DNS_RPZ_PREFIX,
sizeof(DNS_RPZ_PREFIX)-1) == 0)
continue;
}
#endif
if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
CTRACE(ISC_LOG_DEBUG(3),
"rpz_rewrite_name: rpz_save_p");
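Review bot: the `#if 0` block being deleted is also the only in-tree record of a deliberate security decision, namely that a client can learn which RPZ rule covers an address by querying the pseudo-TLDs directly (the comment's example is a query for `24.0.3.2.10.rpz-ip.`), and that this leak was judged not worth blocking because the same information is obtainable by publishing a record such as `evil.com A 10.2.3.4` and querying for it. Dropping the code is fine, but please keep that rationale somewhere a future reader will find it, either as a one-paragraph comment at this point in `rpz_rewrite_name` or in the commit message, so the next person who reports the leak is not sent looking for a check that no longer exists. Two smaller points in the removed text are worth noting for whoever copies it into a comment: the example prefix is described as `10.2.3.0/14` but the name `24.0.3.2.10.rpz-ip.` encodes a `/24`, since the prefix length is the leading label in rpz-ip names; and the comment already flags that the check would have broken rewriting for any real TLD beginning with `rpz-`, which is a reason the code should stay out rather than return.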