- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked

by default, and can be unblocked with "nodefault" localzone config.


git-svn-id: file:///svn/unbound/trunk@3593 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,6 +1,8 @@
 05 January 2016: Wouter
 	- #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
 	  from Daisuke Higashi.
+	- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
+	  by default, and can be unblocked with "nodefault" localzone config.
 
 04 January 2016: Wouter
 	- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,

doc/example.conf.in

@@ -483,6 +483,7 @@ server:
 	# local-zone: "localhost." nodefault
 	# local-zone: "127.in-addr.arpa." nodefault
 	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+	# local-zone: "onion." nodefault
 	# local-zone: "10.in-addr.arpa." nodefault
 	# local-zone: "16.172.in-addr.arpa." nodefault
 	# local-zone: "17.172.in-addr.arpa." nodefault

doc/unbound.conf.5.in

@@ -928,10 +928,10 @@ has no other effect than turning off default contents for the
 given zone.  Use \fInodefault\fR if you use exactly that zone, if you want to
 use a subzone, use \fItransparent\fR.
 .P
-The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
+The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and
-zones. The AS112 zones are reverse DNS zones for private use and reserved
+the AS112 zones. The AS112 zones are reverse DNS zones for private use and
-IP addresses for which the servers on the internet cannot provide correct
+reserved IP addresses for which the servers on the internet cannot provide
-answers. They are configured by default to give nxdomain (no reverse 
+correct answers. They are configured by default to give nxdomain (no reverse
 information) answers. The defaults can be turned off by specifying your
 own local\-zone of that name, or using the 'nodefault' type. Below is a 
 list of the default zone contents.
@@ -975,6 +975,15 @@ local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
     PTR localhost."
 .fi
 .TP 10
+\h'5'\fIonion (RFC 7686)\fR 
+Default content:
+.nf
+local\-zone: "onion." static
+local\-data: "onion. 10800 IN NS localhost."
+local\-data: "onion. 10800 IN 
+    SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+.fi
+.TP 10
 \h'5'\fIreverse RFC1918 local use zones\fR 
 Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 
 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.

services/localzone.c

@@ -593,9 +593,9 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 {
 	struct local_zone* z;
 
-	/* this list of zones is from RFC 6303 */
+	/* this list of zones is from RFC 6303 and RFC 7686 */
 
-	/* block localhost level zones, first, later the LAN zones */
+	/* block localhost level zones first, then onion and later the LAN zones */
 
 	/* localhost. zone */
 	if(!lz_exists(zones, "localhost.") &&
@@ -653,6 +653,22 @@ lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 		}
 		lock_rw_unlock(&z->lock);
 	}
+	/* onion. zone (RFC 7686) */
+	if(!lz_exists(zones, "onion.") &&
+		!lz_nodefault(cfg, "onion.")) {
+		if(!(z=lz_enter_zone(zones, "onion.", "static", 
+			LDNS_RR_CLASS_IN)) ||
+		   !lz_enter_rr_into_zone(z,
+			"onion. 10800 IN NS localhost.") ||
+		   !lz_enter_rr_into_zone(z,
+			"onion. 10800 IN SOA localhost. nobody.invalid. "
+			"1 3600 1200 604800 10800")) {
+			log_err("out of memory adding default zone");
+			if(z) { lock_rw_unlock(&z->lock); }
+			return 0;
+		}
+		lock_rw_unlock(&z->lock);
+	}
 
 	/* if unblock lan-zones, then do not add the zones below.
 	 * we do add the zones above, about 127.0.0.1, because localhost is