Commit c786c578 authored by Diego Fronza's avatar Diego Fronza

Added RPZ configuration option "nsdname-wait-recurse"

This new option was added to fill a gap in RPZ configuration
options.

It was possible to instruct BIND whether NSIP rewriting rules would
apply or not, depending on whether the required data was already in cache or not,
by means of the option nsip-wait-recurse.

A value of yes (default) could incur a little processing cost, since
BIND would need to recurse to find NS addresses in case they were not in
the cache.

This behavior could be changed by setting nsip-wait-recurse value to no,
in which case BIND would promptly return some error code if the NS IP addresses
data were not in cache, then BIND would start a recursive query
in background, so future similar requests would have the required data
(NS IPs) in cache, allowing BIND to apply NSIP rules accordingly.

A similar feature wasn't available for NSDNAME triggers, so this commit
adds the option nsdname-wait-recurse to fill this gap, as it was
expected by couple BIND users.
parent be0dc3db
...@@ -2557,6 +2557,13 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps, ...@@ -2557,6 +2557,13 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
zones->p.qname_wait_recurse = false; zones->p.qname_wait_recurse = false;
} }
sub_obj = cfg_tuple_get(rpz_obj, "nsdname-wait-recurse");
if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
zones->p.nsdname_wait_recurse = true;
} else {
zones->p.nsdname_wait_recurse = false;
}
sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse"); sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) { if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
zones->p.nsip_wait_recurse = true; zones->p.nsip_wait_recurse = true;
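Review bot: The operator-facing consequence of `nsdname-wait-recurse no` is not documented in any of the hunks shown: when the NS data is not yet cached, rpz_rrset_find reports NXRRSET and only starts a background fetch, so the queries that arrive before that fetch completes are answered without the NSDNAME policy being applied. That is the same trade-off nsip-wait-recurse already makes, and the named.conf documentation and a system-test case for the new option should spell it out, unless they are in a part of the commit not shown here. On this hunk itself the new block is the third copy of the `cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)` default-to-true pattern; a helper such as `static bool rpz_bool_or_true(const cfg_obj_t *obj)` would express the "absent means yes" default once for qname, nsdname and nsip. configure_rpz begins and ends outside this hunk.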
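--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -203,6 +203,7 @@ struct dns_rpz_popt {
 bool break_dnssec;
 bool qname_wait_recurse;
 bool nsip_wait_recurse;
+bool nsdname_wait_recurse;
 unsigned int min_ns_labels;
 dns_rpz_num_t num_zones;
 };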
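--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1736,6 +1736,7 @@ static cfg_tuplefielddef_t rpz_fields[] = {
 { "min-update-interval", &cfg_type_duration, 0 },
 { "min-ns-dots", &cfg_type_uint32, 0 },
 { "nsip-wait-recurse", &cfg_type_boolean, 0 },
+{ "nsdname-wait-recurse", &cfg_type_boolean, 0 },
 { "qname-wait-recurse", &cfg_type_boolean, 0 },
 { "recursive-only", &cfg_type_boolean, 0 },
 { "nsip-enable", &cfg_type_boolean, 0 },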
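--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2826,7 +2826,10 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
 */
 if (rpz_type == DNS_RPZ_TYPE_IP) {
 result = DNS_R_NXRRSET;
-} else if (!client->view->rpzs->p.nsip_wait_recurse) {
+} else if (!client->view->rpzs->p.nsip_wait_recurse ||
+(!client->view->rpzs->p.nsdname_wait_recurse &&
+rpz_type == DNS_RPZ_TYPE_NSDNAME))
+{
 query_rpzfetch(client, name, type);
 result = DNS_R_NXRRSET;
 } else {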
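Review bot: The new condition still lets `nsip-wait-recurse no` switch off waiting for NSDNAME lookups as well, because the first operand `!client->view->rpzs->p.nsip_wait_recurse` is not qualified by rpz_type, so `nsdname-wait-recurse yes` cannot restore the wait for NS lookups once the nsip option is off. If the two options are meant to be independent, each operand should be paired with its own trigger type as below, assuming only NSIP and NSDNAME lookups reach this branch after the DNS_RPZ_TYPE_IP case. The comment block that ends at the `*/` at the top of the hunk presumably describes the nsip-wait-recurse behaviour and should gain a sentence saying that nsdname-wait-recurse plays the same role for DNS_RPZ_TYPE_NSDNAME lookups. rpz_rrset_find begins and ends outside this hunk.
```c
	} else if ((rpz_type == DNS_RPZ_TYPE_NSIP &&
		    !client->view->rpzs->p.nsip_wait_recurse) ||
		   (rpz_type == DNS_RPZ_TYPE_NSDNAME &&
		    !client->view->rpzs->p.nsdname_wait_recurse))
	{
		/* … unchanged: query_rpzfetch() call and NXRRSET result … */
```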