- rpz skip nsec3param records, and nicer log for unsupported actions.

doc/Changelog

@@ -7,6 +7,7 @@
 	  zonemd can be mandated for specific zones.
 	- Fix doxygen and pydoc warnings.
 	- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
+	- rpz skip nsec3param records, and nicer log for unsupported actions.
 
 15 February 2021: Wouter
 	- Fix #422: IPv6 fallback issues when IPv6 is not properly

services/rpz.c

@@ -162,6 +162,7 @@ rpz_rr_to_action(uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
 		case LDNS_RR_TYPE_RRSIG:
 		case LDNS_RR_TYPE_NSEC:
 		case LDNS_RR_TYPE_NSEC3:
+		case LDNS_RR_TYPE_NSEC3PARAM:
 			return RPZ_INVALID_ACTION;
 		case LDNS_RR_TYPE_CNAME:
 			break;
@@ -479,8 +480,19 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 	int newzone = 0;
 
 	if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) {
-		verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-			rpz_action_to_string(a));
+		char str[255+1];
+		if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS ||
+			rrtype == LDNS_RR_TYPE_DNAME ||
+			rrtype == LDNS_RR_TYPE_DNSKEY ||
+			rrtype == LDNS_RR_TYPE_RRSIG ||
+			rrtype == LDNS_RR_TYPE_NSEC ||
+			rrtype == LDNS_RR_TYPE_NSEC3PARAM ||
+			rrtype == LDNS_RR_TYPE_NSEC3 ||
+			rrtype == LDNS_RR_TYPE_DS)
+			return; /* no need to log these types as unsupported */
+		dname_str(dname, str);
+		verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s",
+			str, rpz_action_to_string(a));
 		free(dname);
 		return;
 	}
@@ -552,8 +564,10 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 
 	if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION ||
 		respa == respip_invalid) {
-		verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-			rpz_action_to_string(a));
+		char str[255+1];
+		dname_str(dname, str);
+		verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s",
+			str, rpz_action_to_string(a));
 		return 0;
 	}