add logic for per zone EDE for RPZ and configurable rpz-do-ede

doc/unbound.conf.5.in

@@ -2689,6 +2689,13 @@ Log all applied RPZ actions for this RPZ zone. Default is no.
 .B rpz\-log\-name: \fI<name>
 Specify a string to be part of the log line, for easy referencing.
 .TP
+
+.B rpz\-do\-ede: \fI<yes or no>
+Specify if this zone RPZ responds with Extended DNS Errors (RFC 8914). The
+default is no.
+.TP
+
+
 .B tags: \fI<list of tags>
 Limit the policies from this RPZ clause to clients with a matching tag. Tags
 need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses

services/rpz.c

@@ -513,6 +513,13 @@ rpz_create(struct config_auth* p)
 		goto err;
 	}
 
+	/* Respond with EDEs (RFC 8914) in this zone*/
+	if (p->rpz_do_ede)
+		r->do_ede = 1;
+	else
+		r->do_ede = 0;
+
+
 	r->taglistlen = p->rpz_taglistlen;
 	r->taglist = memdup(p->rpz_taglist, r->taglistlen);
 	if(p->rpz_action_override) {
@@ -2298,10 +2305,10 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 					(node?&node->node:NULL),
 					client_action, qinfo, repinfo, NULL,
 					(*r_out)->log_name);
-			/* check the rpz if we want to respond with EDE (RFC8914) */
+			/* check the rpz zone if we want to respond with EDE (RFC8914) */
 			if (*r_out && (*r_out)->do_ede)
 				do_ede = (*r_out)->do_ede;
-			else
+			else 
 				do_ede = 0;
 
 			local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns,
@@ -2330,9 +2337,8 @@ rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env,
 	struct local_zone* z = NULL;
 	int ret;
 	enum localzone_type lzt;
-	/* Fill in the EDE (RFC8914) code for the range 15 to 18.
-	 * The default value is -1 when not configured */
-	// struct sldns_ede_code ede_deny = env->cfg->ede_deny_code;
+
+	log_err("HERE in rpz_callback_from_worker_request!!!");
 
 	int clientip_trigger = rpz_apply_maybe_clientip_trigger(az, env, qinfo,
 		edns, repinfo, taglist, taglen, stats, buf, temp, &z, &a, &r);

services/rpz.h

@@ -125,7 +125,7 @@ struct rpz {
 	char* log_name;
 	struct regional* region;
 	int disabled;
-    int do_ede; // @TODO write logic for this
+    int do_ede;
 };
 
 /**

testdata/ede.tdir/ede.conf

@@ -35,6 +35,9 @@ server:
 	local-zone: test nodefault
 	do-not-query-localhost: no
 
+	# @TODO add rpz?
+	#rpz-do-ede: yes
+
 forward-zone:
 	name: "dnssec-failures.test"
 	forward-addr: 127.0.0.1@@PORT2@

util/config_file.h

@@ -753,6 +753,8 @@ struct config_auth {
 	/** Always reply with this CNAME target if the cname override action is
 	 * used */
 	char* rpz_cname;
+	/** Respond with EDEs (RFC 8914) for this zone */
+	int rpz_do_ede;
 	/** Check ZONEMD records for this zone */
 	int zonemd_check;
 	/** Reject absence of ZONEMD records, zone must have one */

util/configlexer.lex

@@ -347,6 +347,7 @@ rpz-action-override{COLON}	{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
 rpz-cname-override{COLON}	{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
 rpz-log{COLON}			{ YDVAR(1, VAR_RPZ_LOG) }
 rpz-log-name{COLON}		{ YDVAR(1, VAR_RPZ_LOG_NAME) }
+rpz-do-ede{COLON}		{ YDVAR(1, VAR_RPZ_DO_EDE) }
 zonefile{COLON}			{ YDVAR(1, VAR_ZONEFILE) }
 master{COLON}			{ YDVAR(1, VAR_MASTER) }
 primary{COLON}			{ YDVAR(1, VAR_MASTER) }

util/configparser.h

@@ -349,17 +349,18 @@
      VAR_RPZ_CNAME_OVERRIDE = 565,
      VAR_RPZ_LOG = 566,
      VAR_RPZ_LOG_NAME = 567,
-     VAR_DYNLIB = 568,
-     VAR_DYNLIB_FILE = 569,
-     VAR_EDNS_CLIENT_STRING = 570,
-     VAR_EDNS_CLIENT_STRING_OPCODE = 571,
-     VAR_NSID = 572,
-     VAR_ZONEMD_PERMISSIVE_MODE = 573,
-     VAR_ZONEMD_CHECK = 574,
-     VAR_ZONEMD_REJECT_ABSENCE = 575,
-     VAR_LOCAL_DATA_DO_EDE = 576,
-     VAR_LOCAL_ZONE_DEFAULT_EDE = 577,
-     VAR_EDE_LOCAL_ZONES = 578
+     VAR_RPZ_DO_EDE = 568,
+     VAR_DYNLIB = 569,
+     VAR_DYNLIB_FILE = 570,
+     VAR_EDNS_CLIENT_STRING = 571,
+     VAR_EDNS_CLIENT_STRING_OPCODE = 572,
+     VAR_NSID = 573,
+     VAR_ZONEMD_PERMISSIVE_MODE = 574,
+     VAR_ZONEMD_CHECK = 575,
+     VAR_ZONEMD_REJECT_ABSENCE = 576,
+     VAR_LOCAL_DATA_DO_EDE = 577,
+     VAR_LOCAL_ZONE_DEFAULT_EDE = 578,
+     VAR_EDE_LOCAL_ZONES = 579
    };
 #endif
 /* Tokens.  */
@@ -673,17 +674,18 @@
 #define VAR_RPZ_CNAME_OVERRIDE 565
 #define VAR_RPZ_LOG 566
 #define VAR_RPZ_LOG_NAME 567
-#define VAR_DYNLIB 568
-#define VAR_DYNLIB_FILE 569
-#define VAR_EDNS_CLIENT_STRING 570
-#define VAR_EDNS_CLIENT_STRING_OPCODE 571
-#define VAR_NSID 572
-#define VAR_ZONEMD_PERMISSIVE_MODE 573
-#define VAR_ZONEMD_CHECK 574
-#define VAR_ZONEMD_REJECT_ABSENCE 575
-#define VAR_LOCAL_DATA_DO_EDE 576
-#define VAR_LOCAL_ZONE_DEFAULT_EDE 577
-#define VAR_EDE_LOCAL_ZONES 578
+#define VAR_RPZ_DO_EDE 568
+#define VAR_DYNLIB 569
+#define VAR_DYNLIB_FILE 570
+#define VAR_EDNS_CLIENT_STRING 571
+#define VAR_EDNS_CLIENT_STRING_OPCODE 572
+#define VAR_NSID 573
+#define VAR_ZONEMD_PERMISSIVE_MODE 574
+#define VAR_ZONEMD_CHECK 575
+#define VAR_ZONEMD_REJECT_ABSENCE 576
+#define VAR_LOCAL_DATA_DO_EDE 577
+#define VAR_LOCAL_ZONE_DEFAULT_EDE 578
+#define VAR_EDE_LOCAL_ZONES 579
 
 
 
@@ -695,7 +697,7 @@ typedef union YYSTYPE
 	char*	str;
 }
 /* Line 1529 of yacc.c.  */
-#line 699 "util/configparser.h"
+#line 701 "util/configparser.h"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1

util/configparser.y

@@ -183,7 +183,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
 %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
 %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
-%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
+%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME VAR_RPZ_DO_EDE
 %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
 %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
 %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
@@ -459,6 +459,17 @@ rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG
 	}
 	;
 
+rpz_do_ede: VAR_RPZ_DO_EDE STRING_ARG
+	{
+		OUTYY(("P(rpz_do_ede:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->auths->rpz_do_ede =
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
+
 rpzstart: VAR_RPZ
 	{
 		struct config_auth* s;
@@ -481,7 +492,7 @@ contents_rpz: contents_rpz content_rpz
 	| ;
 content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
 	   auth_allow_notify | rpz_action_override | rpz_cname_override |
-	   rpz_log | rpz_log_name
+	   rpz_log | rpz_log_name | rpz_do_ede
 	;
 server_num_threads: VAR_NUM_THREADS STRING_ARG
 	{

validator/val_utils.c

@@ -510,7 +510,11 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset)
 	return digest_algo;
 }
 
-// @TODO change the use of this function to _ede function in authzone.c:8111
+/**
+  * This function (without EDE (RFC 8914)) is currently only used in
+  * authzone, after a zone-transfer. This does not invoke a query-response
+  * so we can leave this wrapper in-place.
+  */
 enum sec_status
 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* dnskey_rrset,