From 08e36aa5a5c7697a839f83831fccf8fb3f792848 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 5 May 2016 16:29:05 +1000 Subject: [PATCH] 4356. [func] Add the ability to specify whether to wait for nameserver addresses to be looked up or not to rpz with a new modifying directive 'nsip-wait-recurse'. [RT #35009] --- CHANGES | 5 ++ bin/named/query.c | 46 +++++++++++ bin/named/server.c | 6 ++ bin/tests/system/rpzrecurse/ans5/ans.pl | 81 +++++++++++++++++++ bin/tests/system/rpzrecurse/clean.sh | 9 ++- bin/tests/system/rpzrecurse/ns3/example.db | 6 ++ bin/tests/system/rpzrecurse/ns3/named1.conf | 39 +++++++++ bin/tests/system/rpzrecurse/ns3/named2.conf | 39 +++++++++ bin/tests/system/rpzrecurse/ns3/policy.db | 4 + bin/tests/system/rpzrecurse/ns3/root.db | 6 ++ .../system/rpzrecurse/ns4/child.example.db | 7 ++ bin/tests/system/rpzrecurse/ns4/named.conf | 30 +++++++ bin/tests/system/rpzrecurse/setup.sh | 1 + bin/tests/system/rpzrecurse/tests.sh | 26 ++++++ doc/arm/Bv9ARM-book.xml | 27 ++++++- doc/misc/options | 44 +++++----- lib/dns/include/dns/rpz.h | 1 + lib/isccfg/namedconf.c | 7 +- 18 files changed, 352 insertions(+), 32 deletions(-) create mode 100644 bin/tests/system/rpzrecurse/ans5/ans.pl create mode 100644 bin/tests/system/rpzrecurse/ns3/example.db create mode 100644 bin/tests/system/rpzrecurse/ns3/named1.conf create mode 100644 bin/tests/system/rpzrecurse/ns3/named2.conf create mode 100644 bin/tests/system/rpzrecurse/ns3/policy.db create mode 100644 bin/tests/system/rpzrecurse/ns3/root.db create mode 100644 bin/tests/system/rpzrecurse/ns4/child.example.db create mode 100644 bin/tests/system/rpzrecurse/ns4/named.conf diff --git a/CHANGES b/CHANGES index cad6afeea1..588c9fdea5 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,8 @@
+4356. [func] Add the ability to specify whether to wait for
+ nameserver addresses to be looked up or not to
+ rpz with a new modifying directive 'nsip-wait-recurse'.
+ [RT #35009]
+
 4355. [func] "pkcs11-list" now displays the extractability attribute of private or secret keys stored in an HSM, as either "true", "false", or "never"
diff --git a/bin/named/query.c b/bin/named/query.c
index fd6d65cef6..4ce6bf000e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -4258,6 +4258,49 @@ rpz_get_zbits(ns_client_t *client,
 return (zbits);
 }
 
+static void
+query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
+ isc_result_t result;
+ isc_sockaddr_t *peeraddr;
+ dns_rdataset_t *tmprdataset;
+ ns_client_t *dummy = NULL;
+ unsigned int options;
+
+ if (client->query.prefetch != NULL)
+ return;
+
+ if (client->recursionquota == NULL) {
+ result = isc_quota_attach(&ns_g_server->recursionquota,
+ &client->recursionquota);
+ if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
+ result = ns_client_replace(client);
+ if (result != ISC_R_SUCCESS)
+ return;
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_recursclients);
+ }
+
+ tmprdataset = query_newrdataset(client);
+ if (tmprdataset == NULL)
+ return;
+ if (!TCP(client))
+ peeraddr = &client->peeraddr;
+ else
+ peeraddr = NULL;
+ ns_client_attach(client, &dummy);
+ options = client->query.fetchoptions;
+ result = dns_resolver_createfetch3(client->view->resolver, qname, type,
+ NULL, NULL, NULL, peeraddr,
+ client->message->id, options, 0,
+ NULL, client->task, prefetch_done,
+ client, tmprdataset, NULL,
+ &client->query.prefetch);
+ if (result != ISC_R_SUCCESS) {
+ query_putrdataset(client, &tmprdataset);
+ ns_client_detach(&dummy);
+ }
+}
+
 /*
 * Get an NS, A, or AAAA rrset related to the response for the client
 * to check the contents of that rrset for hits by eligible policy zones.
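Review bot: query_rpzfetch has no header comment and its contract is not obvious from the body: it borrows the prefetch slot (`client->query.prefetch`) and the `prefetch_done` callback, so the fetched address only ever lands in the cache for a later query, and the early `return` when a prefetch is already in flight silently skips the lookup with nothing logged. I would add above `static void`: `/* Background lookup of a name server's address so a later query can be checked against RPZ-NSIP; the answer is discarded by prefetch_done and only warms the cache. Shares the prefetch slot, so nothing starts while a prefetch is in flight. */`. The fetch is created with `client->query.fetchoptions` unchanged; if this is meant to mirror query_prefetch, confirm whether DNS_FETCHOPT_PREFETCH was left out deliberately and record that in the comment either way.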
@@ -4359,6 +4402,9 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
 */
 if (rpz_type == DNS_RPZ_TYPE_IP) {
 result = DNS_R_NXRRSET;
+ } else if (!client->view->rpzs->p.nsip_wait_recurse) {
+ query_rpzfetch(client, name, type);
+ result = DNS_R_NXRRSET;
 } else {
 dns_name_copy(name, st->r_name, NULL);
 result = query_recurse(client, type, st->r_name,
diff --git a/bin/named/server.c b/bin/named/server.c
index 5918e8643f..4c3ceeb999 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1933,6 +1933,12 @@ configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj,
 else
 new->p.qname_wait_recurse = ISC_FALSE;
 
+ sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
+ if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj))
+ new->p.nsip_wait_recurse = ISC_TRUE;
+ else
+ new->p.nsip_wait_recurse = ISC_FALSE;
+
 pview = NULL;
 result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
 view->rdclass, &pview);
diff --git a/bin/tests/system/rpzrecurse/ans5/ans.pl b/bin/tests/system/rpzrecurse/ans5/ans.pl
new file mode 100644
index 0000000000..3b7ad3a9f4
--- /dev/null
+++ b/bin/tests/system/rpzrecurse/ans5/ans.pl
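Review bot: The new `else if` in rpz_rrset_find keys only on `nsip_wait_recurse`, not on `rpz_type`, so every non-IP lookup that reaches this point takes the no-wait path; if the NS lookups used for RPZ-NSDNAME also arrive here (the callers are outside the hunk), the directive suppresses waiting for those as well, which neither its name nor the ARM text says. Either narrow it, `} else if (rpz_type == DNS_RPZ_TYPE_NSIP && !client->view->rpzs->p.nsip_wait_recurse) {`, or document the wider effect where the option is described. The branch also deserves a one-line comment making the trade-off explicit, since returning DNS_R_NXRRSET here means the current answer is intentionally not checked against the uncached address: `/* nsip-wait-recurse no: warm the cache in the background; this answer passes the NSIP check unexamined. */`. rpz_rrset_find starts and ends outside the hunk.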
@@ -0,0 +1,81 @@ +#!/usr/bin/perl -w +# +# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +use IO::File; +use IO::Socket; +use Net::DNS; +use Net::DNS::Packet; + +my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5", + LocalPort => 5300, Proto => "udp") or die "$!"; + +my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; +print $pidf "$$\n" or die "cannot write pid file: $!"; +$pidf->close or die "cannot close pid file: $!"; +sub rmpid { unlink "ans.pid"; exit 1; }; + +$SIG{INT} = \&rmpid; +$SIG{TERM} = \&rmpid; + +for (;;) { + $sock->recv($buf, 512); + + print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n"; + + my $packet; + + if ($Net::DNS::VERSION > 0.68) { + $packet = new Net::DNS::Packet(\$buf, 0); + $@ and die $@; + } else { + my $err; + ($packet, $err) = new Net::DNS::Packet(\$buf, 0); + $err and die $err; + } + + print "REQUEST:\n"; + $packet->print; + + $packet->header->qr(1); + + my @questions = $packet->question; + my $qname = $questions[0]->qname; + my $qtype = $questions[0]->qtype; + + my $donotrespond = 0; + + $packet->header->aa(1); + if ($qtype eq "A") { + $packet->push("answer", + new Net::DNS::RR($qname . 
+ " 300 A 10.53.0.5")); + #} elsif ($qtype eq "AAAA") { + #$packet->push("answer", + #new Net::DNS::RR($qname . + #" 300 AAAA 2001:db8:beef::1")); + } elsif ($qtype eq "NS") { + $donotrespond = 1; + } + + if ($donotrespond == 0) { + $sock->send($packet->data); + print "RESPONSE:\n"; + $packet->print; + print "\n"; + } else { + print "DROP:\n"; + } +} diff --git a/bin/tests/system/rpzrecurse/clean.sh b/bin/tests/system/rpzrecurse/clean.sh index 004401b6bb..b7e3c5b00f 100644 --- a/bin/tests/system/rpzrecurse/clean.sh +++ b/bin/tests/system/rpzrecurse/clean.sh @@ -15,10 +15,11 @@ # Clean up after rpz tests. rm -f dig.out.* -rm -f ns2/named.conf -rm -f ns2/*.local -rm -f ns2/*.queries -rm -f ns2/named.[0-9]*.conf rm -f ns*/named.lock rm -f ns*/named.memstats rm -f ns*/named.run +rm -f ns2/*.local +rm -f ns2/*.queries +rm -f ns2/named.[0-9]*.conf +rm -f ns2/named.conf +rm -f ns3/named.conf diff --git a/bin/tests/system/rpzrecurse/ns3/example.db b/bin/tests/system/rpzrecurse/ns3/example.db new file mode 100644 index 0000000000..4970f143ad --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns3/example.db @@ -0,0 +1,6 @@ +$TTL 0 +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.3 +child NS ns.child +ns.child A 10.53.0.4 diff --git a/bin/tests/system/rpzrecurse/ns3/named1.conf b/bin/tests/system/rpzrecurse/ns3/named1.conf new file mode 100644 index 0000000000..dabea91624 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns3/named1.conf 
@@ -0,0 +1,39 @@ +/* + * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + response-policy { zone "policy"; }; +}; + +zone "policy" { type master; file "policy.db"; }; + +zone "example.tld" { type master; file "example.db"; }; + +zone "." { type master; file "root.db"; }; diff --git a/bin/tests/system/rpzrecurse/ns3/named2.conf b/bin/tests/system/rpzrecurse/ns3/named2.conf new file mode 100644 index 0000000000..edaebdd532 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns3/named2.conf 
@@ -0,0 +1,39 @@ +/* + * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + response-policy { zone "policy"; } nsip-wait-recurse no; +}; + +zone "policy" { type master; file "policy.db"; }; + +zone "example.tld" { type master; file "example.db"; }; + +zone "." { type master; file "root.db"; }; diff --git a/bin/tests/system/rpzrecurse/ns3/policy.db b/bin/tests/system/rpzrecurse/ns3/policy.db new file mode 100644 index 0000000000..9df59b2ac8 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns3/policy.db @@ -0,0 +1,4 @@ +$TTL 0 +@ SOA . . 0 0 0 0 0 +@ NS . +32.100.0.53.10.rpz-nsip CNAME . diff --git a/bin/tests/system/rpzrecurse/ns3/root.db b/bin/tests/system/rpzrecurse/ns3/root.db new file mode 100644 index 0000000000..7a66e24ea1 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns3/root.db @@ -0,0 +1,6 @@ +$TTL 0 +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.3 +foo NS foo.ns5 +ns5.foo A 10.53.0.5 
diff --git a/bin/tests/system/rpzrecurse/ns4/child.example.db b/bin/tests/system/rpzrecurse/ns4/child.example.db new file mode 100644 index 0000000000..1cba37ad5c --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns4/child.example.db @@ -0,0 +1,7 @@ +$TTL 0 +@ SOA . . 0 0 0 0 0 +@ NS ns +ns A 10.53.0.4 +foo NS ns.foo +foo NS ns.foo. +ns.foo A 10.53.0.5 diff --git a/bin/tests/system/rpzrecurse/ns4/named.conf b/bin/tests/system/rpzrecurse/ns4/named.conf new file mode 100644 index 0000000000..f555b66d96 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns4/named.conf @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; +}; + +zone "child.example.tld" { type master; file "child.example.db"; }; diff --git a/bin/tests/system/rpzrecurse/setup.sh b/bin/tests/system/rpzrecurse/setup.sh index 3a34348e6f..1324942794 100644 --- a/bin/tests/system/rpzrecurse/setup.sh +++ b/bin/tests/system/rpzrecurse/setup.sh 
@@ -19,3 +19,4 @@ SYSTEMTESTTOP=.. perl testgen.pl cp -f ns2/named.default.conf ns2/named.conf +cp -f ns3/named1.conf ns3/named.conf diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh index eea31d0b40..ca4841c4ec 100644 --- a/bin/tests/system/rpzrecurse/tests.sh +++ b/bin/tests/system/rpzrecurse/tests.sh @@ -310,4 +310,30 @@ grep "status: NOERROR" dig.out.${t}.2 > /dev/null || { status=1 } +t=`expr $t + 1` +echo "I:checking 'nsip-wait-recurse no' is faster than 'nsip-wait-recurse yes' ($t)" +echo "I:timing 'nsip-wait-recurse yes' (default)" +ret=0 +t1=`$PERL -e 'print time()."\n";'` +$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.yes.$t +t2=`$PERL -e 'print time()."\n";'` +p1=`expr $t2 - $t1` +echo "I:elasped time $p1 seconds" + +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 flush +cp -f ns3/named2.conf ns3/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > /dev/null + +echo "I:timing 'nsip-wait-recurse no'" +t3=`$PERL -e 'print time()."\n";'` +$DIG -p 5300 @10.53.0.3 foo.child.example.tld a > dig.out.no.$t +t4=`$PERL -e 'print time()."\n";'` +p2=`expr $t4 - $t3` +echo "I:elasped time $p2 seconds" + +if test $p1 -le $p2; then ret=1; fi +if test $ret != 0; then echo "I:failed"; fi +status=`expr $status + $ret` + + exit $status diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 9a5467bc0e..089c8def83 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -4669,6 +4669,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] max-policy-ttl number break-dnssec yes_or_no min-ns-dots number + nsip-wait-recurse yes_or_no qname-wait-recurse yes_or_no automatic-interface-scan yes_or_no ; 
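Review bot: The comparison `if test $p1 -le $p2` is only meaningful if the switch to named2.conf actually took effect, but neither `$RNDC ... flush` nor `$RNDC ... reload` has its exit status checked, so a rejected named2.conf would time the unchanged configuration and the test would fail or pass for the wrong reason; `$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload > /dev/null || ret=1` makes that visible. Neither dig output is inspected either, so a SERVFAIL or timeout on one side still counts as a timing win; a `grep "status:" dig.out.no.$t` assertion on the status you expect would pin the behaviour rather than only the speed. Both echo lines misspell the word: `echo "I:elapsed time $p1 seconds"` and `echo "I:elapsed time $p2 seconds"`. Since wall-clock seconds give `-le` one-second granularity, it would help to say in the "I:checking" line where the gap is expected to come from (apparently the NS query that ans5 drops, from ans.pl) so a flaky run can be diagnosed.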
@@ -10057,12 +10058,32 @@ deny-answer-aliases { "example.net"; }; RPZ-NSIP - NSIP triggers are encoded like IP triggers except as + NSIP triggers match the IP addresses of authoritative + servers. They are enncoded like IP triggers, except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. - The default value of min-ns-dots is 1 to - exclude top level domains. + The default value of min-ns-dots is + 1, to exclude top level domains. + + + If a name server's IP address is not yet known, + named will recursively look up + the IP address before applying an RPZ-NSIP rule. + This can cause a processing delay. To speed up + processing at the cost of precision, the + nsip-wait-recurse option + can be used: when set to no, + RPZ-NSIP rules will only be applied when a name + servers's IP address has already been looked up and + cached. If a server's IP address is not in the + cache, then the RPZ-NSIP rule will be ignored, + but the address will be looked up in the + background, and the rule will be applied + to subsequent queries. The default is + yes, meaning RPZ-NSIP + rules should always be applied even if an + address needs to be looked up first. diff --git a/doc/misc/options b/doc/misc/options index 318dcc3694..8be73a42b0 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -156,15 +156,15 @@ options { fetches-per-server [ ( drop | fail ) ]; fetches-per-zone [ ( drop | fail ) ]; files ( unlimited | default | ); - filter-aaaa { ; ... }; // not configured - filter-aaaa-on-v4 ( break-dnssec | ); // not configured - filter-aaaa-on-v6 ( break-dnssec | ); // not configured + filter-aaaa { ; ... }; + filter-aaaa-on-v4 ( break-dnssec | ); + filter-aaaa-on-v6 ( break-dnssec | ); flush-zones-on-shutdown ; forward ( first | only ); forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; - geoip-directory ( | none ); // not configured - geoip-use-ecs ( | none ); // not configured + geoip-directory ( | none ); + geoip-use-ecs ; has-old-clients ; // obsolete heartbeat-interval ; host-statistics ; // not implemented @@ -267,13 +267,13 @@ options { require-server-cookie ; reserved-sockets ; resolver-query-timeout ; - response-policy { zone [ policy ( given | disabled - | passthru | no-op | drop | tcp-only | nxdomain | nodata | - cname ) ] [ recursive-only ] [ log - ] [ max-policy-ttl ]; ... } [ - recursive-only ] [ break-dnssec ] [ - max-policy-ttl ] [ min-ns-dots ] [ - qname-wait-recurse ]; + response-policy { zone [ log ] [ + max-policy-ttl ] [ policy ( given | disabled | + passthru | no-op | drop | tcp-only | nxdomain | nodata | cname + ) ] [ recursive-only ]; ... } [ + break-dnssec ] [ max-policy-ttl ] [ + min-ns-dots ] [ nsip-wait-recurse ] [ + qname-wait-recurse ] [ recursive-only ]; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; rrset-order { [ class ] [ type ] [ name 
@@ -452,9 +452,9 @@ view [ ] { fetch-quota-params ; fetches-per-server [ ( drop | fail ) ]; fetches-per-zone [ ( drop | fail ) ]; - filter-aaaa { ; ... }; // not configured - filter-aaaa-on-v4 ( break-dnssec | ); // not configured - filter-aaaa-on-v6 ( break-dnssec | ); // not configured + filter-aaaa { ; ... }; + filter-aaaa-on-v4 ( break-dnssec | ); + filter-aaaa-on-v6 ( break-dnssec | ); forward ( first | only ); forwarders [ port ] [ dscp ] { ( | ) [ port ] [ dscp ]; ... }; @@ -542,13 +542,13 @@ view [ ] { request-sit ; // obsolete require-server-cookie ; resolver-query-timeout ; - response-policy { zone [ policy ( given | disabled - | passthru | no-op | drop | tcp-only | nxdomain | nodata | - cname ) ] [ recursive-only ] [ log - ] [ max-policy-ttl ]; ... } [ - recursive-only ] [ break-dnssec ] [ - max-policy-ttl ] [ min-ns-dots ] [ - qname-wait-recurse ]; + response-policy { zone [ log ] [ + max-policy-ttl ] [ policy ( given | disabled | + passthru | no-op | drop | tcp-only | nxdomain | nodata | cname + ) ] [ recursive-only ]; ... } [ + break-dnssec ] [ max-policy-ttl ] [ + min-ns-dots ] [ nsip-wait-recurse ] [ + qname-wait-recurse ] [ recursive-only ]; rfc2308-type1 ; // not yet implemented root-delegation-only [ exclude { ; ... } ]; rrset-order { [ class ] [ type ] [ name diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h index d61730566b..e8655b75f1 100644 --- a/lib/dns/include/dns/rpz.h +++ b/lib/dns/include/dns/rpz.h @@ -176,6 +176,7 @@ struct dns_rpz_popt { dns_rpz_zbits_t no_log; isc_boolean_t break_dnssec; isc_boolean_t qname_wait_recurse; + isc_boolean_t nsip_wait_recurse; unsigned int min_ns_labels; dns_rpz_num_t num_zones; }; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index bd9d6703dd..9bc8495ecf 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -1440,10 +1440,10 @@ static cfg_type_t cfg_type_rpz_policy = {
 };
 static cfg_tuplefielddef_t rpz_zone_fields[] = {
 { "zone name", &cfg_type_rpz_zone, 0 },
- { "policy", &cfg_type_rpz_policy, 0 },
- { "recursive-only", &cfg_type_boolean, 0 },
 { "log", &cfg_type_boolean, 0 },
 { "max-policy-ttl", &cfg_type_uint32, 0 },
+ { "policy", &cfg_type_rpz_policy, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
 { NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_rpz_tuple = {
@@ -1458,11 +1458,12 @@ static cfg_type_t cfg_type_rpz_list = {
 };
 static cfg_tuplefielddef_t rpz_fields[] = {
 { "zone list", &cfg_type_rpz_list, 0 },
- { "recursive-only", &cfg_type_boolean, 0 },
 { "break-dnssec", &cfg_type_boolean, 0 },
 { "max-policy-ttl", &cfg_type_uint32, 0 },
 { "min-ns-dots", &cfg_type_uint32, 0 },
+ { "nsip-wait-recurse", &cfg_type_boolean, 0 },
 { "qname-wait-recurse", &cfg_type_boolean, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
 { NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_rpz = {
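Review bot: Both hunks reorder existing rpz_zone_fields and rpz_fields entries alphabetically while adding `nsip-wait-recurse`, with nothing saying whether the order is load-bearing; server.c reads these by name through cfg_tuple_get (visible in its hunk), and the doc/misc/options hunk reproduces the new order, so the ordering presumably serves the printed grammar rather than parsing. A one-line comment above each table, `/* Keep alphabetical: the order is what doc/misc/options shows. */`, would stop the next addition from scattering them again. Landing the reorder separately from the feature would also have made this diff readable as a pure addition.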