- Add rpz: for-downstream: yesno option, where the RPZ zone is

authoritatively answered for, so the RPZ zone contents can be
  checked with DNS queries directed at the RPZ zone.

doc/Changelog

@@ -4,6 +4,11 @@
 	     more than once.
 	  - Add a region to serviced_query for allocations.
 
+14 January 2022: Wouter
+	- Add rpz: for-downstream: yesno option, where the RPZ zone is
+	  authoritatively answered for, so the RPZ zone contents can be
+	  checked with DNS queries directed at the RPZ zone.
+
 11 January 2022: George
 	- Fix prematurely terminated TCP queries when a reply has the same ID.
 

doc/example.conf.in

@@ -1180,4 +1180,5 @@ remote-control:
 #     rpz-log: yes
 #     rpz-log-name: "example policy"
 #     rpz-signal-nxdomain-ra: no
+#     for-downstream: no
 #     tags: "example"

doc/unbound.conf.5.in

@@ -2638,6 +2638,12 @@ Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag.
 This allows certain clients, like dnsmasq, to infer that the domain is
 externally blocked. Default is no.
 .TP
+.B for\-downstream: \fI<yes or no>
+If enabled the zone is authoritatively answered for and queries for the RPZ
+zone information are answered to downstream clients. This is useful for
+monitoring scripts, that can then access the SOA information to check if
+the rpz information is up to date. Default is no.
+.TP
 .B tags: \fI<list of tags>
 Limit the policies from this RPZ clause to clients with a matching tag. Tags
 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses

util/configparser.y

@@ -488,7 +488,7 @@ contents_rpz: contents_rpz content_rpz
 	| ;
 content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
 	   auth_allow_notify | rpz_action_override | rpz_cname_override |
-	   rpz_log | rpz_log_name | rpz_signal_nxdomain_ra
+	   rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream
 	;
 server_num_threads: VAR_NUM_THREADS STRING_ARG
 	{