Commit f33abec8 authored by Tinderbox User

regen master

parent f89adb2c
......@@ -2548,6 +2548,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
[<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
[<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> automatic-interface-scan <em class="replaceable"><code>yes_or_no</code></em> </span>]
; </span>]
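Review bot: the new `nsip-wait-recurse` line in this response-policy grammar summary needs a matching entry in the `response-policy` clause of the generated options and view grammar; the later hunks in this commit touch only the `filter-aaaa` and `geoip` lines of that grammar, so that block should be checked before merging so the two listings do not drift apart.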
......@@ -6986,14 +6987,36 @@ deny-answer-aliases { "example.net"; };
policy records.
</p></dd>
<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
<dd><p>
NSIP triggers are encoded like IP triggers except as
<dd>
<p>
NSIP triggers match the IP addresses of authoritative
servers. They are enncoded like IP triggers, except as
subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
NSDNAME and NSIP triggers are checked only for names with at
least <span class="command"><strong>min-ns-dots</strong></span> dots.
The default value of <span class="command"><strong>min-ns-dots</strong></span> is 1 to
exclude top level domains.
</p></dd>
The default value of <span class="command"><strong>min-ns-dots</strong></span> is
1, to exclude top level domains.
</p>
<p>
If a name server's IP address is not yet known,
<span class="command"><strong>named</strong></span> will recursively look up
the IP address before applying an RPZ-NSIP rule.
This can cause a processing delay. To speed up
processing at the cost of precision, the
<span class="command"><strong>nsip-wait-recurse</strong></span> option
can be used: when set to <strong class="userinput"><code>no</code></strong>,
RPZ-NSIP rules will only be applied when a name
servers's IP address has already been looked up and
cached. If a server's IP address is not in the
cache, then the RPZ-NSIP rule will be ignored,
but the address will be looked up in the
background, and the rule will be applied
to subsequent queries. The default is
<strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
rules should always be applied even if an
address needs to be looked up first.
</p>
</dd>
</dl></div>
<p>
</p>
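Review bot: two spelling errors in the added text: `They are enncoded like IP triggers, except as` should read "encoded", and `servers's IP address has already been looked up and` should read "server's". The paragraph on `nsip-wait-recurse` would also be clearer if it said plainly that with the option set to `no` a query whose name server address is not cached is answered with no RPZ-NSIP policy applied at all (the rule is skipped, not deferred), so an operator relying on RPZ-NSIP for blocking gets a window of unfiltered answers whenever the cache is cold; "at the cost of precision" understates that trade-off.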
......
......@@ -580,6 +580,18 @@
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
<li class="listitem"><p>
A new <code class="option">nsip-wait-recurse</code> directive has been
added to RPZ, specifying whether to look up unknown name server
IP addresses and wait for a response before applying RPZ-NSIP rules.
The default is <strong class="userinput"><code>yes</code></strong>. If set to
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
apply RPZ-NSIP rules to servers whose addresses are already cached.
The addresses will be looked up in the background so the rule can
be applied on subsequent queries. This improves performance when
the cache is cold, at the cost of temporary imprecision in applying
policy directives. [RT #35009]
</p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
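Review bot: "temporary imprecision in applying policy directives" is vague for a release note; say what actually happens, namely that with `nsip-wait-recurse no` RPZ-NSIP rules are not applied to queries whose name server addresses are not yet cached, so operators can judge whether the cold-cache speed-up is worth skipped policy hits.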
......@@ -598,10 +610,17 @@
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
<li class="listitem"><p>
<li class="listitem">
<p>
Added support for the AVC resource record type (Application
Visibility and Control).
</p></li>
</p>
<p>
Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
added zones are loaded asynchronously and the loading does not
block the server.
</p>
</li>
</ul></div>
</div>
<div class="section">
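Review bot: the `rndc reconfig` change is added as a second `<p>` inside the existing AVC `<li class="listitem">`, so the release notes render two unrelated changes as one bullet; it should be its own `<li class="listitem"><p>…</p></li>` following the AVC item.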
......
......@@ -541,6 +541,18 @@
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
<li class="listitem"><p>
A new <code class="option">nsip-wait-recurse</code> directive has been
added to RPZ, specifying whether to look up unknown name server
IP addresses and wait for a response before applying RPZ-NSIP rules.
The default is <strong class="userinput"><code>yes</code></strong>. If set to
<strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
apply RPZ-NSIP rules to servers whose addresses are already cached.
The addresses will be looked up in the background so the rule can
be applied on subsequent queries. This improves performance when
the cache is cold, at the cost of temporary imprecision in applying
policy directives. [RT #35009]
</p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
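Review bot: this is a verbatim copy of the `nsip-wait-recurse` note added earlier in the commit; the same wording issue applies, so whichever phrasing is chosen should be applied to both copies.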
......@@ -559,10 +571,17 @@
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
<li class="listitem"><p>
<li class="listitem">
<p>
Added support for the AVC resource record type (Application
Visibility and Control).
</p></li>
</p>
<p>
Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
added zones are loaded asynchronously and the loading does not
block the server.
</p>
</li>
</ul></div>
</div>
<div class="section">
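Review bot: same structural problem as the earlier copy of this hunk: the `rndc reconfig` paragraph is nested inside the AVC list item instead of being its own `<li class="listitem">`; both copies need the same fix.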
......
......@@ -156,15 +156,15 @@ options {
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( unlimited | default | <sizeval> );
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>;
geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs ( <quoted_string> | none ); // not configured
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
host-statistics <boolean>; // not implemented
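Review bot: `geoip-use-ecs ( <quoted_string> | none ); // not configured` changes the documented type of `geoip-use-ecs` from `<boolean>` to `( <quoted_string> | none )`, which looks like a copy of the `geoip-directory` line above rather than a deliberate change. More broadly, the new `// not configured` markers on the `filter-aaaa` and `geoip` lines mean the grammar was regenerated from a build without those features compiled in, so the reference now documents the build host's configuration instead of the full option set; regenerate from a build with GeoIP and filter-aaaa enabled, or strip the markers before merging.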
......@@ -452,9 +452,9 @@ view <string> [ <class> ] {
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
filter-aaaa { <address_match_element>; ... };
filter-aaaa-on-v4 ( break-dnssec | <boolean> );
filter-aaaa-on-v6 ( break-dnssec | <boolean> );
filter-aaaa { <address_match_element>; ... }; // not configured
filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
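Review bot: the view-level `filter-aaaa` lines pick up the same `// not configured` markers as the options grammar above, for the same reason (the regenerating build lacked the feature); fix it together with that hunk rather than separately.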
......