RPZ qname triggers are always searched even if can be skipped
Not sure if this is a bug or not - but noticed by a customer who reported:
I happen to notice a minor possible glitch in RPZ query handling. When loading an RPZ, the corresponding bit for 'rpzs->have.qname' is always set as the existence of the origin name is regarded as the existence of a QNAME trigger for the root name (.). So the following check in rpz_rewrite_name() is pointless unless 'allowed_zbits' clears some of the bits in case of "qname-wait-recurse yes": zbits = rpz_get_zbits(client, qtype, rpz_type); zbits &= allowed_zbits; if (zbits == 0) return (ISC_R_SUCCESS); Since the root name is never subject to RPZ rewrite, we could actually optimize it a bit by not setting have.qname for the RPZ's origin name. This may be a minor optimization, though, since dns_rpz_find_name() should be relatively cheap, and I guess it's quite unlikely that we use RPZs that don't have any QNAME triggers. So you may or may not want to "fix" it. I primarily checked it for 9.11.3-S2, but I believe it's the same for all recent versions including 9.10.x.
To upload designs, you'll need to enable LFS. More information