From c786c578d7256d18050b0315dcadb4429abad0b1 Mon Sep 17 00:00:00 2001
From: Diego Fronza
Date: Mon, 2 Mar 2020 14:52:10 -0300
Subject: [PATCH] Added RPZ configuration option "nsdname-wait-recurse"
This new option was added to fill a gap in RPZ configuration options. It was possible to instruct BIND wheter NSIP rewritting rules would apply or not, as long as the required data was already in cache or not, respectively, by means of the option nsip-wait-recurse. A value of yes (default) could incur a little processing cost, since BIND would need to recurse to find NS addresses in case they were not in the cache. This behavior could be changed by setting nsip-wait-recurse value to no, in which case BIND would promptly return some error code if the NS IP addresses data were not in cache, then BIND would start a recursive query in background, so future similar requests would have the required data (NS IPs) in cache, allowing BIND to apply NSIP rules accordingly. A similar feature wasn't available for NSDNAME triggers, so this commit adds the option nsdname-wait-recurse to fill this gap, as it was expected by couple BIND users.
---
 bin/named/server.c | 7 +++++++
 lib/dns/include/dns/rpz.h | 1 +
 lib/isccfg/namedconf.c | 1 +
 lib/ns/query.c | 5 ++++-
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 781d9e013d..2836429de3 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2557,6 +2557,13 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
 zones->p.qname_wait_recurse = false;
 }
+ sub_obj = cfg_tuple_get(rpz_obj, "nsdname-wait-recurse");
+ if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
+ zones->p.nsdname_wait_recurse = true;
+ } else {
+ zones->p.nsdname_wait_recurse = false;
+ }
+
 sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
 if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
 zones->p.nsip_wait_recurse = true;
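Review bot: The new `nsdname-wait-recurse` option is parsed here with the same void-or-boolean shape as `qname-wait-recurse` and `nsip-wait-recurse`, but the diffstat lists no documentation change, so the named.conf reference gains no entry for it. That entry should state the default (`yes`, since a void value maps to `true` on the second added line) and the trade-off the commit message describes: with `no`, a query whose NS names are not yet cached is answered without the NSDNAME rule applied while a background fetch fills the cache, so the policy does not cover those first queries. As this is the third copy of the same idiom inside configure_rpz, a small static helper taking the field name and the target bool would keep the three in step. configure_rpz begins and ends outside the hunk.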
diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h
index 4e834d7fe4..966aaee0ed 100644
--- a/lib/dns/include/dns/rpz.h
+++ b/lib/dns/include/dns/rpz.h
@@ -203,6 +203,7 @@ struct dns_rpz_popt {
 bool break_dnssec;
 bool qname_wait_recurse;
 bool nsip_wait_recurse;
+ bool nsdname_wait_recurse;
 unsigned int min_ns_labels;
 dns_rpz_num_t num_zones;
 };
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index d3b0d6a41f..55e16c997b 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1736,6 +1736,7 @@ static cfg_tuplefielddef_t rpz_fields[] = {
 { "min-update-interval", &cfg_type_duration, 0 },
 { "min-ns-dots", &cfg_type_uint32, 0 },
 { "nsip-wait-recurse", &cfg_type_boolean, 0 },
+ { "nsdname-wait-recurse", &cfg_type_boolean, 0 },
 { "qname-wait-recurse", &cfg_type_boolean, 0 },
 { "recursive-only", &cfg_type_boolean, 0 },
 { "nsip-enable", &cfg_type_boolean, 0 },
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 482b3f3b01..a503109db0 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2826,7 +2826,10 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
 */
 if (rpz_type == DNS_RPZ_TYPE_IP) {
 result = DNS_R_NXRRSET;
- } else if (!client->view->rpzs->p.nsip_wait_recurse) {
+ } else if (!client->view->rpzs->p.nsip_wait_recurse ||
+ (!client->view->rpzs->p.nsdname_wait_recurse &&
+ rpz_type == DNS_RPZ_TYPE_NSDNAME))
+ {
 query_rpzfetch(client, name, type);
 result = DNS_R_NXRRSET;
 } else {
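Review bot: The rewritten condition still lets `nsip-wait-recurse no` push NSDNAME lookups onto the fetch-in-background path, because `!client->view->rpzs->p.nsip_wait_recurse` is tested first and independently of `rpz_type`; with `nsip-wait-recurse` off, `nsdname-wait-recurse yes` (the default) cannot make NSDNAME triggers wait. If that is intended for backward compatibility (the removed single test also covered NSDNAME), a comment above the `else if` should say so; otherwise each option should gate only its own trigger type, keyed on `rpz_type` as below, which keeps the previous behaviour for every type other than NSDNAME. Either way, the `query_rpzfetch()` call followed by `DNS_R_NXRRSET` means the policy is not applied to the current query, which deserves a one-line comment at the call so readers see the trade-off. rpz_rrset_find begins and ends outside the hunk, so which `rpz_type` values reach this branch is not visible here.
```c
	if (rpz_type == DNS_RPZ_TYPE_IP) {
		result = DNS_R_NXRRSET;
	} else if ((rpz_type == DNS_RPZ_TYPE_NSDNAME &&
		    !client->view->rpzs->p.nsdname_wait_recurse) ||
		   (rpz_type != DNS_RPZ_TYPE_NSDNAME &&
		    !client->view->rpzs->p.nsip_wait_recurse))
	{
		/* … unchanged: query_rpzfetch() and result = DNS_R_NXRRSET … */
```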