Do not process passthru in a special way. RPZ hit always takes

precedence unless overridesGettag is set to false.

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 7fa933f2659b42dafdd58293142e96f903c5c98f..8e51e26350c8bc2a981053ec1144d805f1806564 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1443,9 +1443,9 @@ static void startDoResolve(void *p)
     }
 
     // If we are doing RPZ and a policy was matched, it normally takes precedence over an answer from gettag.
-    // So process the gettag_ffi answer only if no RPZ action was done or matched or the policy indicates gettag should
+    // So process the gettag_ffi answer only if no RPZ action was matched or the policy indicates gettag should
     // have precedence.
-    if (!wantsRPZ || !appliedPolicy.policyOverridesGettag() || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) {
+    if (!wantsRPZ || !appliedPolicy.policyOverridesGettag() || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None) {
       if (dc->d_rcode != boost::none) {
         /* we have a response ready to go, most likely from gettag_ffi */
         ret = std::move(dc->d_records);

diff --git a/pdns/recursordist/docs/lua-config/rpz.rst b/pdns/recursordist/docs/lua-config/rpz.rst
index 6396591b65d72e731be13a86514d73c30f2a9dc8..48836bb144b6b93d83ad6a894175e08407ede0d0 100644 (file)
--- a/pdns/recursordist/docs/lua-config/rpz.rst
+++ b/pdns/recursordist/docs/lua-config/rpz.rst
@@ -117,7 +117,7 @@ overridesGettag
 .. versionadded:: 4.4.0
 
 `gettag_ffi` can set an answer to a query.
-By default an RPZ hit overrides this answer, unless the policy is `rpz-passthru` or this option is set to `false`.
+By default an RPZ hit overrides this answer, unless this option is set to `false`.
 The default is `true`.
 
 zoneSizeHint