4356. [func] Add the ability to specify whether to wait for

nameserver addresses to be looked up or not to
                        rpz with a new modifying directive 'nsip-wait-recurse'.                         [RT #35009]

CHANGES

@@ -1,3 +1,8 @@
+4356.	[func]		Add the ability to specify whether to wait for
+			nameserver addresses to be looked up or not to
+			rpz with a new modifying directive 'nsip-wait-recurse'.
+			[RT #35009]
+
 4355.	[func]		"pkcs11-list" now displays the extractability
 			attribute of private or secret keys stored in
 			an HSM, as either "true", "false", or "never"

bin/named/query.c

@@ -4258,6 +4258,49 @@ rpz_get_zbits(ns_client_t *client,
 	return (zbits);
 }
 
+static void
+query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
+	isc_result_t result;
+	isc_sockaddr_t *peeraddr;
+	dns_rdataset_t *tmprdataset;
+	ns_client_t *dummy = NULL;
+	unsigned int options;
+
+	if (client->query.prefetch != NULL)
+		return;
+
+	if (client->recursionquota == NULL) {
+		result = isc_quota_attach(&ns_g_server->recursionquota,
+					  &client->recursionquota);
+		if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
+			result = ns_client_replace(client);
+		if (result != ISC_R_SUCCESS)
+			return;
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_recursclients);
+	}
+
+	tmprdataset = query_newrdataset(client);
+	if (tmprdataset == NULL)
+		return;
+	if (!TCP(client))
+		peeraddr = &client->peeraddr;
+	else
+		peeraddr = NULL;
+	ns_client_attach(client, &dummy);
+	options = client->query.fetchoptions;
+	result = dns_resolver_createfetch3(client->view->resolver, qname, type,
+					   NULL, NULL, NULL, peeraddr,
+					   client->message->id, options, 0,
+					   NULL, client->task, prefetch_done,
+					   client, tmprdataset, NULL,
+					   &client->query.prefetch);
+	if (result != ISC_R_SUCCESS) {
+		query_putrdataset(client, &tmprdataset);
+		ns_client_detach(&dummy);
+	}
+}
+
 /*
  * Get an NS, A, or AAAA rrset related to the response for the client
  * to check the contents of that rrset for hits by eligible policy zones.
@@ -4359,6 +4402,9 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
 		 */
 		if (rpz_type == DNS_RPZ_TYPE_IP) {
 			result = DNS_R_NXRRSET;
+		} else if (!client->view->rpzs->p.nsip_wait_recurse) {
+			query_rpzfetch(client, name, type);
+			result = DNS_R_NXRRSET;
 		} else {
 			dns_name_copy(name, st->r_name, NULL);
 			result = query_recurse(client, type, st->r_name,

bin/named/server.c

@@ -1933,6 +1933,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
 	else
 		new->p.qname_wait_recurse = ISC_FALSE;
 
+	sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
+	if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
+		new->p.nsip_wait_recurse = ISC_TRUE;
+	else
+		new->p.nsip_wait_recurse = ISC_FALSE;
+
 	pview = NULL;
 	result = dns_viewlist_find(&ns_g_server->viewlist,
 				   view->name, view->rdclass, &pview);

bin/tests/system/rpzrecurse/ans5/ans.pl

@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+   LocalPort => 5300, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+	$sock->recv($buf, 512);
+
+	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+	my $packet;
+
+	if ($Net::DNS::VERSION > 0.68) {
+		$packet = new Net::DNS::Packet(\$buf, 0);
+		$@ and die $@;
+	} else {
+		my $err;
+		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+		$err and die $err;
+	}
+
+	print "REQUEST:\n";
+	$packet->print;
+
+	$packet->header->qr(1);
+
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
+
+	my $donotrespond = 0;
+
+	$packet->header->aa(1);
+	if ($qtype eq "A") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+					       " 300 A 10.53.0.5"));
+	#} elsif ($qtype eq "AAAA") {
+		#$packet->push("answer",
+			      #new Net::DNS::RR($qname .
+					#" 300 AAAA 2001:db8:beef::1"));
+	} elsif ($qtype eq "NS") {
+		$donotrespond = 1;
+	}
+
+	if ($donotrespond == 0) {
+		$sock->send($packet->data);
+		print "RESPONSE:\n";
+		$packet->print;
+		print "\n";
+	} else {
+		print "DROP:\n";
+	}
+}

bin/tests/system/rpzrecurse/clean.sh

@@ -15,10 +15,11 @@
 # Clean up after rpz tests.
 
 rm -f dig.out.*
-rm -f ns2/named.conf
-rm -f ns2/*.local
-rm -f ns2/*.queries
-rm -f ns2/named.[0-9]*.conf
 rm -f ns*/named.lock
 rm -f ns*/named.memstats
 rm -f ns*/named.run
+rm -f ns2/*.local
+rm -f ns2/*.queries
+rm -f ns2/named.[0-9]*.conf
+rm -f ns2/named.conf
+rm -f ns3/named.conf

bin/tests/system/rpzrecurse/ns3/example.db

@@ -0,0 +1,6 @@
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.3
+child			NS	ns.child
+ns.child		A	10.53.0.4

bin/tests/system/rpzrecurse/ns3/named1.conf

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+        inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	response-policy { zone "policy"; };
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };

bin/tests/system/rpzrecurse/ns3/named2.conf

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+        inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	response-policy { zone "policy"; } nsip-wait-recurse no;
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };

bin/tests/system/rpzrecurse/ns3/policy.db

@@ -0,0 +1,4 @@
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	.
+32.100.0.53.10.rpz-nsip	CNAME	.

bin/tests/system/rpzrecurse/ns3/root.db

@@ -0,0 +1,6 @@
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.3
+foo			NS	foo.ns5
+ns5.foo			A	10.53.0.5

bin/tests/system/rpzrecurse/ns4/child.example.db

@@ -0,0 +1,7 @@
+$TTL 0
+@			SOA	. . 0 0 0 0 0
+@			NS	ns
+ns			A	10.53.0.4
+foo			NS	ns.foo
+foo			NS	ns.foo.
+ns.foo			A	10.53.0.5

bin/tests/system/rpzrecurse/ns4/named.conf

@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	recursion no;
+};
+
+zone "child.example.tld" { type master; file "child.example.db"; };

bin/tests/system/rpzrecurse/setup.sh

@@ -19,3 +19,4 @@ SYSTEMTESTTOP=..
 
 perl testgen.pl
 cp -f ns2/named.default.conf ns2/named.conf
+cp -f ns3/named1.conf ns3/named.conf

bin/tests/system/rpzrecurse/tests.sh

@@ -310,4 +310,30 @@ grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
     status=1
 }
 
+t=`expr $t + 1`
+echo "I:checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+echo "I:timing 'nsip-wait-recurse yes' (default)"
+ret=0
+t1=`$PERL -e 'print time()."\n";'`
+$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
+t2=`$PERL -e 'print time()."\n";'`
+p1=`expr $t2 - $t1`
+echo "I:elasped time $p1 seconds"
+
+$RNDC  -c ../common/rndc.conf -s 10.53.0.3 -p 9953 flush
+cp -f ns3/named2.conf ns3/named.conf
+$RNDC  -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > /dev/null
+
+echo "I:timing 'nsip-wait-recurse no'"
+t3=`$PERL -e 'print time()."\n";'`
+$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
+t4=`$PERL -e 'print time()."\n";'`
+p2=`expr $t4 - $t3`
+echo "I:elasped time $p2 seconds"
+
+if test $p1 -le $p2; then ret=1; fi
+if test $ret != 0; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+
 exit $status

doc/arm/Bv9ARM-book.xml

@@ -4669,6 +4669,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
       <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
       <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional>
       <optional> min-ns-dots <replaceable>number</replaceable> </optional>
+      <optional> nsip-wait-recurse <replaceable>yes_or_no</replaceable> </optional>
       <optional> qname-wait-recurse <replaceable>yes_or_no</replaceable> </optional>
       <optional> automatic-interface-scan <replaceable>yes_or_no</replaceable> </optional>
     ; </optional>
@@ -10057,12 +10058,32 @@ deny-answer-aliases { "example.net"; };
 		<term><command>RPZ-NSIP</command></term>
 		<listitem>
 		  <para>
-		    NSIP triggers are encoded like IP triggers except as
+		    NSIP triggers match the IP addresses of authoritative
+		    servers.  They are enncoded like IP triggers, except as
 		    subdomains of <command>rpz-nsip</command>.
 		    NSDNAME and NSIP triggers are checked only for names with at
 		    least <command>min-ns-dots</command> dots.
-		    The default value of <command>min-ns-dots</command> is 1 to
-		    exclude top level domains.
+		    The default value of <command>min-ns-dots</command> is
+		    1, to exclude top level domains.
+		  </para>
+		  <para>
+		    If a name server's IP address is not yet known,
+		    <command>named</command> will recursively look up
+		    the IP address before applying an RPZ-NSIP rule.
+		    This can cause a processing delay. To speed up
+		    processing at the cost of precision, the
+		    <command>nsip-wait-recurse</command> option
+		    can be used: when set to <userinput>no</userinput>,
+		    RPZ-NSIP rules will only be applied when a name
+		    servers's IP address has already been looked up and
+		    cached.  If a server's IP address is not in the
+		    cache, then the RPZ-NSIP rule will be ignored,
+		    but the address will be looked up in the
+		    background, and the rule will be applied
+		    to subsequent queries.  The default is
+		    <userinput>yes</userinput>, meaning RPZ-NSIP
+		    rules should always be applied even if an
+		    address needs to be looked up first.
 		  </para>
 		</listitem>
 	      </varlistentry>

doc/misc/options

@@ -156,15 +156,15 @@ options {
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
         files ( unlimited | default | <sizeval> );
-        filter-aaaa { <address_match_element>; ... }; // not configured
-        filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
-        filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+        filter-aaaa { <address_match_element>; ... };
+        filter-aaaa-on-v4 ( break-dnssec | <boolean> );
+        filter-aaaa-on-v6 ( break-dnssec | <boolean> );
         flush-zones-on-shutdown <boolean>;
         forward ( first | only );
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
-        geoip-directory ( <quoted_string> | none ); // not configured
-        geoip-use-ecs ( <quoted_string> | none ); // not configured
+        geoip-directory ( <quoted_string> | none );
+        geoip-use-ecs <boolean>;
         has-old-clients <boolean>; // obsolete
         heartbeat-interval <integer>;
         host-statistics <boolean>; // not implemented
@@ -267,13 +267,13 @@ options {
         require-server-cookie <boolean>;
         reserved-sockets <integer>;
         resolver-query-timeout <integer>;
-        response-policy { zone <quoted_string> [ policy ( given | disabled
-            | passthru | no-op | drop | tcp-only | nxdomain | nodata |
-            cname <quoted_string> ) ] [ recursive-only <boolean> ] [ log
-            <boolean> ] [ max-policy-ttl <integer> ]; ... } [
-            recursive-only <boolean> ] [ break-dnssec <boolean> ] [
-            max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
-            qname-wait-recurse <boolean> ];
+        response-policy { zone <quoted_string> [ log <boolean> ] [
+            max-policy-ttl <integer> ] [ policy ( given | disabled |
+            passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
+            <quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
+            break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
+            min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+            qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -452,9 +452,9 @@ view <string> [ <class> ] {
         fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
-        filter-aaaa { <address_match_element>; ... }; // not configured
-        filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
-        filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+        filter-aaaa { <address_match_element>; ... };
+        filter-aaaa-on-v4 ( break-dnssec | <boolean> );
+        filter-aaaa-on-v6 ( break-dnssec | <boolean> );
         forward ( first | only );
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
@@ -542,13 +542,13 @@ view <string> [ <class> ] {
         request-sit <boolean>; // obsolete
         require-server-cookie <boolean>;
         resolver-query-timeout <integer>;
-        response-policy { zone <quoted_string> [ policy ( given | disabled
-            | passthru | no-op | drop | tcp-only | nxdomain | nodata |
-            cname <quoted_string> ) ] [ recursive-only <boolean> ] [ log
-            <boolean> ] [ max-policy-ttl <integer> ]; ... } [
-            recursive-only <boolean> ] [ break-dnssec <boolean> ] [
-            max-policy-ttl <integer> ] [ min-ns-dots <integer> ] [
-            qname-wait-recurse <boolean> ];
+        response-policy { zone <quoted_string> [ log <boolean> ] [
+            max-policy-ttl <integer> ] [ policy ( given | disabled |
+            passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
+            <quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
+            break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
+            min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+            qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name

lib/dns/include/dns/rpz.h

@@ -176,6 +176,7 @@ struct dns_rpz_popt {
 	dns_rpz_zbits_t	    no_log;
 	isc_boolean_t	    break_dnssec;
 	isc_boolean_t	    qname_wait_recurse;
+	isc_boolean_t	    nsip_wait_recurse;
 	unsigned int	    min_ns_labels;
 	dns_rpz_num_t	    num_zones;
 };

lib/isccfg/namedconf.c

@@ -1440,10 +1440,10 @@ static cfg_type_t cfg_type_rpz_policy = {
 };
 static cfg_tuplefielddef_t rpz_zone_fields[] = {
 	{ "zone name", &cfg_type_rpz_zone, 0 },
-	{ "policy", &cfg_type_rpz_policy, 0 },
-	{ "recursive-only", &cfg_type_boolean, 0 },
 	{ "log", &cfg_type_boolean, 0 },
 	{ "max-policy-ttl", &cfg_type_uint32, 0 },
+	{ "policy", &cfg_type_rpz_policy, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_rpz_tuple = {
@@ -1458,11 +1458,12 @@ static cfg_type_t cfg_type_rpz_list = {
 };
 static cfg_tuplefielddef_t rpz_fields[] = {
 	{ "zone list", &cfg_type_rpz_list, 0 },
-	{ "recursive-only", &cfg_type_boolean, 0 },
 	{ "break-dnssec", &cfg_type_boolean, 0 },
 	{ "max-policy-ttl", &cfg_type_uint32, 0 },
 	{ "min-ns-dots", &cfg_type_uint32, 0 },
+	{ "nsip-wait-recurse", &cfg_type_boolean, 0 },
 	{ "qname-wait-recurse", &cfg_type_boolean, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_rpz = {