diff --git a/CHANGES b/CHANGES
index cad6afeea1..588c9fdea5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4356. [func] Add the ability to specify whether to wait for
+ nameserver addresses to be looked up or not to
+ rpz with a new modifying directive 'nsip-wait-recurse'.
+ [RT #35009]
+
4355. [func] "pkcs11-list" now displays the extractability
attribute of private or secret keys stored in
an HSM, as either "true", "false", or "never"
diff --git a/bin/named/query.c b/bin/named/query.c
index fd6d65cef6..4ce6bf000e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -4258,6 +4258,49 @@ rpz_get_zbits(ns_client_t *client,
return (zbits);
}
+static void
+query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
+ isc_result_t result;
+ isc_sockaddr_t *peeraddr;
+ dns_rdataset_t *tmprdataset;
+ ns_client_t *dummy = NULL;
+ unsigned int options;
+
+ if (client->query.prefetch != NULL)
+ return;
+
+ if (client->recursionquota == NULL) {
+ result = isc_quota_attach(&ns_g_server->recursionquota,
+ &client->recursionquota);
+ if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
+ result = ns_client_replace(client);
+ if (result != ISC_R_SUCCESS)
+ return;
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_recursclients);
+ }
+
+ tmprdataset = query_newrdataset(client);
+ if (tmprdataset == NULL)
+ return;
+ if (!TCP(client))
+ peeraddr = &client->peeraddr;
+ else
+ peeraddr = NULL;
+ ns_client_attach(client, &dummy);
+ options = client->query.fetchoptions;
+ result = dns_resolver_createfetch3(client->view->resolver, qname, type,
+ NULL, NULL, NULL, peeraddr,
+ client->message->id, options, 0,
+ NULL, client->task, prefetch_done,
+ client, tmprdataset, NULL,
+ &client->query.prefetch);
+ if (result != ISC_R_SUCCESS) {
+ query_putrdataset(client, &tmprdataset);
+ ns_client_detach(&dummy);
+ }
+}
+
/*
* Get an NS, A, or AAAA rrset related to the response for the client
* to check the contents of that rrset for hits by eligible policy zones.
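Review bot: query_rpzfetch has no header comment, and its contract is not obvious from the code: it reuses the prefetch slot (client->query.prefetch, L29 and L57) and the prefetch_done callback (L55), so it is silently a no-op whenever an ordinary prefetch is already in flight. A comment such as `/* Start a background fetch of an NS address so a later query can apply an RPZ-NSIP rule without waiting; shares the prefetch slot, so it does nothing while a prefetch is pending. */` above L21 would state that. Separately, isc_quota_attach can return ISC_R_SOFTQUOTA with the quota attached; the `result == ISC_R_SUCCESS` test at L35 then skips ns_client_replace and L37 returns with client->recursionquota still held and the recursclients counter not incremented — presumably released on client teardown, but confirm that matches how query_recurse treats the soft-quota case.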
@@ -4359,6 +4402,9 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
*/
if (rpz_type == DNS_RPZ_TYPE_IP) {
result = DNS_R_NXRRSET;
+ } else if (!client->view->rpzs->p.nsip_wait_recurse) {
+ query_rpzfetch(client, name, type);
+ result = DNS_R_NXRRSET;
} else {
dns_name_copy(name, st->r_name, NULL);
result = query_recurse(client, type, st->r_name,
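Review bot: The new branch at L71-73 discards the RPZ-NSIP rule for this query (DNS_R_NXRRSET) and leaves no trace that precision was traded for speed — no log line or counter — so an operator cannot tell how often 'nsip-wait-recurse no' caused a rule to be skipped, and a skipped fetch (query_rpzfetch returns early on quota or prefetch-slot contention) is indistinguishable from a cache hit. At minimum a why-comment would help: `/* Don't wait for the NS address: fetch it in the background and treat it as unknown for this query; the rule applies only once the address is cached. */`. Whether client->view->rpzs is guaranteed non-NULL at this point is not visible here; rpz_rrset_find starts before the hunk.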
diff --git a/bin/named/server.c b/bin/named/server.c
index 5918e8643f..4c3ceeb999 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1933,6 +1933,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
else
new->p.qname_wait_recurse = ISC_FALSE;
+ sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
+ if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
+ new->p.nsip_wait_recurse = ISC_TRUE;
+ else
+ new->p.nsip_wait_recurse = ISC_FALSE;
+
pview = NULL;
result = dns_viewlist_find(&ns_g_server->viewlist,
view->name, view->rdclass, &pview);
diff --git a/bin/tests/system/rpzrecurse/ans5/ans.pl b/bin/tests/system/rpzrecurse/ans5/ans.pl
new file mode 100644
index 0000000000..3b7ad3a9f4
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+ LocalPort => 5300, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ my $donotrespond = 0;
+
+ $packet->header->aa(1);
+ if ($qtype eq "A") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 A 10.53.0.5"));
+ #} elsif ($qtype eq "AAAA") {
+ #$packet->push("answer",
+ #new Net::DNS::RR($qname .
+ #" 300 AAAA 2001:db8:beef::1"));
+ } elsif ($qtype eq "NS") {
+ $donotrespond = 1;
+ }
+
+ if ($donotrespond == 0) {
+ $sock->send($packet->data);
+ print "RESPONSE:\n";
+ $packet->print;
+ print "\n";
+ } else {
+ print "DROP:\n";
+ }
+}
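Review bot: The commented-out AAAA branch at L163-166 is dead code in a new file; either delete it or replace it with a one-line comment saying why only A and NS are handled. The return of `$sock->recv($buf, 512)` at L132 is never checked, so an interrupted or failed recv parses a stale $buf. The NS drop at L167-168 is what makes the 'wait' path slow; a comment such as `# NS queries are dropped on purpose so the resolver has to wait for the NS address lookup` would make the test's intent explicit.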
diff --git a/bin/tests/system/rpzrecurse/clean.sh b/bin/tests/system/rpzrecurse/clean.sh
index 004401b6bb..b7e3c5b00f 100644
--- a/bin/tests/system/rpzrecurse/clean.sh
+++ b/bin/tests/system/rpzrecurse/clean.sh
@@ -15,10 +15,11 @@
# Clean up after rpz tests.
rm -f dig.out.*
-rm -f ns2/named.conf
-rm -f ns2/*.local
-rm -f ns2/*.queries
-rm -f ns2/named.[0-9]*.conf
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run
+rm -f ns2/*.local
+rm -f ns2/*.queries
+rm -f ns2/named.[0-9]*.conf
+rm -f ns2/named.conf
+rm -f ns3/named.conf
diff --git a/bin/tests/system/rpzrecurse/ns3/example.db b/bin/tests/system/rpzrecurse/ns3/example.db
new file mode 100644
index 0000000000..4970f143ad
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/example.db
@@ -0,0 +1,6 @@
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.3
+child NS ns.child
+ns.child A 10.53.0.4
diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf b/bin/tests/system/rpzrecurse/ns3/named1.conf
new file mode 100644
index 0000000000..dabea91624
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named1.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ response-policy { zone "policy"; };
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf b/bin/tests/system/rpzrecurse/ns3/named2.conf
new file mode 100644
index 0000000000..edaebdd532
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/named2.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ response-policy { zone "policy"; } nsip-wait-recurse no;
+};
+
+zone "policy" { type master; file "policy.db"; };
+
+zone "example.tld" { type master; file "example.db"; };
+
+zone "." { type master; file "root.db"; };
diff --git a/bin/tests/system/rpzrecurse/ns3/policy.db b/bin/tests/system/rpzrecurse/ns3/policy.db
new file mode 100644
index 0000000000..9df59b2ac8
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/policy.db
@@ -0,0 +1,4 @@
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS .
+32.100.0.53.10.rpz-nsip CNAME .
diff --git a/bin/tests/system/rpzrecurse/ns3/root.db b/bin/tests/system/rpzrecurse/ns3/root.db
new file mode 100644
index 0000000000..7a66e24ea1
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns3/root.db
@@ -0,0 +1,6 @@
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.3
+foo NS foo.ns5
+ns5.foo A 10.53.0.5
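Review bot: The delegation at L321 names `foo.ns5.` as the name server while the address record at L322 is for `ns5.foo.`, so the glue never matches the NS target and the server's address cannot be resolved from this zone. If that is deliberate (forcing an NS-address lookup that cannot complete, so the waiting path is measurably slower), a zone comment stating so would help; if not, L321 should read `foo NS ns5.foo`.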
diff --git a/bin/tests/system/rpzrecurse/ns4/child.example.db b/bin/tests/system/rpzrecurse/ns4/child.example.db
new file mode 100644
index 0000000000..1cba37ad5c
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/child.example.db
@@ -0,0 +1,7 @@
+$TTL 0
+@ SOA . . 0 0 0 0 0
+@ NS ns
+ns A 10.53.0.4
+foo NS ns.foo
+foo NS ns.foo.
+ns.foo A 10.53.0.5
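Review bot: L333 and L334 differ only in the trailing dot: `ns.foo` is ns.foo.child.example.tld with glue at L335, while `ns.foo.` is a root-zone name whose address is not in this zone. Presumably the second entry exists to force the NS-address lookup that nsip-wait-recurse controls; a comment such as `; ns.foo. is absolute on purpose: its address must be fetched, which exercises nsip-wait-recurse` would save the next reader the puzzle.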
diff --git a/bin/tests/system/rpzrecurse/ns4/named.conf b/bin/tests/system/rpzrecurse/ns4/named.conf
new file mode 100644
index 0000000000..f555b66d96
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ns4/named.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "child.example.tld" { type master; file "child.example.db"; };
diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh
index 3a34348e6f..1324942794 100644
--- a/bin/tests/system/rpzrecurse/setup.sh
+++ b/bin/tests/system/rpzrecurse/setup.sh
@@ -19,3 +19,4 @@ SYSTEMTESTTOP=..
perl testgen.pl
cp -f ns2/named.default.conf ns2/named.conf
+cp -f ns3/named1.conf ns3/named.conf
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
index eea31d0b40..ca4841c4ec 100644
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -310,4 +310,30 @@ grep "status: NOERROR" dig.out.${t}.2 > /dev/null || {
status=1
}
+t=`expr $t + 1`
+echo "I:checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)"
+echo "I:timing 'nsip-wait-recurse yes' (default)"
+ret=0
+t1=`$PERL -e 'print time()."\n";'`
+$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t
+t2=`$PERL -e 'print time()."\n";'`
+p1=`expr $t2 - $t1`
+echo "I:elasped time $p1 seconds"
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 flush
+cp -f ns3/named2.conf ns3/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > /dev/null
+
+echo "I:timing 'nsip-wait-recurse no'"
+t3=`$PERL -e 'print time()."\n";'`
+$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.no.$t
+t4=`$PERL -e 'print time()."\n";'`
+p2=`expr $t4 - $t3`
+echo "I:elasped time $p2 seconds"
+
+if test $p1 -le $p2; then ret=1; fi
+if test $ret != 0; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+
exit $status
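Review bot: The pass criterion at L408 is a whole-second timing comparison between two single queries, which makes the test fragile: if the 'yes' path happens to resolve within the same second as the 'no' path the test fails, and the `rndc reload` at L399 is not awaited, so the second dig may still run against the old config. A more robust check is to assert the 'no' query completes under a fixed bound and the 'yes' query exceeds it, e.g. `if test $p2 -ge 5 -o $p1 -lt 5; then ret=1; fi`, and to grep the log for the reload completing before timing. The message at L395 and L406 has a typo: `echo "I:elapsed time $p1 seconds"`.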
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 9a5467bc0e..089c8def83 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4669,6 +4669,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
max-policy-ttl number
break-dnssec yes_or_no
min-ns-dots number
+ nsip-wait-recurse yes_or_no
qname-wait-recurse yes_or_no
automatic-interface-scan yes_or_no
;
@@ -10057,12 +10058,32 @@ deny-answer-aliases { "example.net"; };
RPZ-NSIP
- NSIP triggers are encoded like IP triggers except as
+ NSIP triggers match the IP addresses of authoritative
+ servers. They are enncoded like IP triggers, except as
subdomains of rpz-nsip.
NSDNAME and NSIP triggers are checked only for names with at
least min-ns-dots dots.
- The default value of min-ns-dots is 1 to
- exclude top level domains.
+ The default value of min-ns-dots is
+ 1, to exclude top level domains.
+
+
+ If a name server's IP address is not yet known,
+ named will recursively look up
+ the IP address before applying an RPZ-NSIP rule.
+ This can cause a processing delay. To speed up
+ processing at the cost of precision, the
+ nsip-wait-recurse option
+ can be used: when set to no,
+ RPZ-NSIP rules will only be applied when a name
+ servers's IP address has already been looked up and
+ cached. If a server's IP address is not in the
+ cache, then the RPZ-NSIP rule will be ignored,
+ but the address will be looked up in the
+ background, and the rule will be applied
+ to subsequent queries. The default is
+ yes, meaning RPZ-NSIP
+ rules should always be applied even if an
+ address needs to be looked up first.
diff --git a/doc/misc/options b/doc/misc/options
index 318dcc3694..8be73a42b0 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -156,15 +156,15 @@ options {
fetches-per-server [ ( drop | fail ) ];
fetches-per-zone [ ( drop | fail ) ];
files ( unlimited | default | );
- filter-aaaa { ; ... }; // not configured
- filter-aaaa-on-v4 ( break-dnssec | ); // not configured
- filter-aaaa-on-v6 ( break-dnssec | ); // not configured
+ filter-aaaa { ; ... };
+ filter-aaaa-on-v4 ( break-dnssec | );
+ filter-aaaa-on-v6 ( break-dnssec | );
flush-zones-on-shutdown ;
forward ( first | only );
forwarders [ port ] [ dscp ] { (
| ) [ port ] [ dscp ]; ... };
- geoip-directory ( | none ); // not configured
- geoip-use-ecs ( | none ); // not configured
+ geoip-directory ( | none );
+ geoip-use-ecs ;
has-old-clients ; // obsolete
heartbeat-interval ;
host-statistics ; // not implemented
@@ -267,13 +267,13 @@ options {
require-server-cookie ;
reserved-sockets ;
resolver-query-timeout ;
- response-policy { zone [ policy ( given | disabled
- | passthru | no-op | drop | tcp-only | nxdomain | nodata |
- cname ) ] [ recursive-only ] [ log
- ] [ max-policy-ttl ]; ... } [
- recursive-only ] [ break-dnssec ] [
- max-policy-ttl ] [ min-ns-dots ] [
- qname-wait-recurse ];
+ response-policy { zone [ log ] [
+ max-policy-ttl ] [ policy ( given | disabled |
+ passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
+ ) ] [ recursive-only ]; ... } [
+ break-dnssec ] [ max-policy-ttl ] [
+ min-ns-dots ] [ nsip-wait-recurse ] [
+ qname-wait-recurse ] [ recursive-only ];
rfc2308-type1 ; // not yet implemented
root-delegation-only [ exclude { ; ... } ];
rrset-order { [ class ] [ type ] [ name
@@ -452,9 +452,9 @@ view [ ] {
fetch-quota-params ;
fetches-per-server [ ( drop | fail ) ];
fetches-per-zone [ ( drop | fail ) ];
- filter-aaaa { ; ... }; // not configured
- filter-aaaa-on-v4 ( break-dnssec | ); // not configured
- filter-aaaa-on-v6 ( break-dnssec | ); // not configured
+ filter-aaaa { ; ... };
+ filter-aaaa-on-v4 ( break-dnssec | );
+ filter-aaaa-on-v6 ( break-dnssec | );
forward ( first | only );
forwarders [ port ] [ dscp ] { (
| ) [ port ] [ dscp ]; ... };
@@ -542,13 +542,13 @@ view [ ] {
request-sit ; // obsolete
require-server-cookie ;
resolver-query-timeout ;
- response-policy { zone [ policy ( given | disabled
- | passthru | no-op | drop | tcp-only | nxdomain | nodata |
- cname ) ] [ recursive-only ] [ log
- ] [ max-policy-ttl ]; ... } [
- recursive-only ] [ break-dnssec ] [
- max-policy-ttl ] [ min-ns-dots ] [
- qname-wait-recurse ];
+ response-policy { zone [ log ] [
+ max-policy-ttl ] [ policy ( given | disabled |
+ passthru | no-op | drop | tcp-only | nxdomain | nodata | cname
+ ) ] [ recursive-only ]; ... } [
+ break-dnssec ] [ max-policy-ttl ] [
+ min-ns-dots ] [ nsip-wait-recurse ] [
+ qname-wait-recurse ] [ recursive-only ];
rfc2308-type1 ; // not yet implemented
root-delegation-only [ exclude { ; ... } ];
rrset-order { [ class ] [ type ] [ name
diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h
index d61730566b..e8655b75f1 100644
--- a/lib/dns/include/dns/rpz.h
+++ b/lib/dns/include/dns/rpz.h
@@ -176,6 +176,7 @@ struct dns_rpz_popt {
dns_rpz_zbits_t no_log;
isc_boolean_t break_dnssec;
isc_boolean_t qname_wait_recurse;
+ isc_boolean_t nsip_wait_recurse;
unsigned int min_ns_labels;
dns_rpz_num_t num_zones;
};
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index bd9d6703dd..9bc8495ecf 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1440,10 +1440,10 @@ static cfg_type_t cfg_type_rpz_policy = {
};
static cfg_tuplefielddef_t rpz_zone_fields[] = {
{ "zone name", &cfg_type_rpz_zone, 0 },
- { "policy", &cfg_type_rpz_policy, 0 },
- { "recursive-only", &cfg_type_boolean, 0 },
{ "log", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
+ { "policy", &cfg_type_rpz_policy, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
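Review bot: Reordering the entries of rpz_zone_fields (L557-562) and rpz_fields (L570-576 in the next hunk) is harmless only if cfg_type_rpz_tuple and cfg_type_rpz parse these tuples by keyword, in which case the order merely changes the generated documentation; if either uses a positional tuple parser, existing response-policy statements would change meaning. The parser entries of cfg_type_rpz_tuple start at L565 and are outside the hunk, so confirm they are the keyword-value variants. A short comment above each array, `/* keyword-value tuple: order affects docs only, keep alphabetical */`, would record the invariant the reorder relies on.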
static cfg_type_t cfg_type_rpz_tuple = {
@@ -1458,11 +1458,12 @@ static cfg_type_t cfg_type_rpz_list = {
};
static cfg_tuplefielddef_t rpz_fields[] = {
{ "zone list", &cfg_type_rpz_list, 0 },
- { "recursive-only", &cfg_type_boolean, 0 },
{ "break-dnssec", &cfg_type_boolean, 0 },
{ "max-policy-ttl", &cfg_type_uint32, 0 },
{ "min-ns-dots", &cfg_type_uint32, 0 },
+ { "nsip-wait-recurse", &cfg_type_boolean, 0 },
{ "qname-wait-recurse", &cfg_type_boolean, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_rpz = {