From: W.C.A. Wijngaards
Date: Fri, 12 Mar 2021 09:21:48 +0000 (+0100)
Subject: - rpz triggers, man page explanation of rpz zone contents.
X-Git-Tag: release-1.14.0rc1~62^2~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da0bbcec483a86e8f96533d0872a48fbd884a90c;p=thirdparty%2Funbound.git

- rpz triggers, man page explanation of rpz zone contents.
---

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index a8c323e2f..c8d41d7d9 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -2389,6 +2389,44 @@ QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported. Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and before \fBauth\-zones\fR. +.P +The rpz zone is formatted with a SOA start record as usual. The items in +the zone are entries, that specify what to act on (the trigger) and what to +do (the action). The trigger to act on is recorded in the name, the action +to do is recorded as the resource record. The names all end in the zone +name, so you could type them without a trailing dot in the zonefile. +.P +An example RPZ record, that answers example.com with NXDOMAIN +.nf + example.com CNAME . +.fi +.P +The triggers are encoded in the name on the left +.nf + name query name + netblock.rpz-client-ip. client IP address + netblock.rpz-ip. response IP address in the answer + name.rpz-nsdname. nameserver name + netblock.rpz-nsip. nameserver IP address +.fi +The netblock is written as .. +For IPv6 use 'zz' for '::'. Specify indiviual addresses with scope length +of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and +32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32. +.P +The actions are specified with the record on the right +.nf + CNAME . nxdomain reply + CNAME *. nodata reply + CNAME rpz-passthru. do nothing, allow to continue + CNAME rpz-drop. the query is dropped + CNAME rpz-tcp-only. answer over TCP + A 192.0.2.1 answer with this IP address +.fi +Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to +answer queries with that content. +.P +The RPZ zones can be configured in the config file with these settings in the \fBrpz:\fR block. .TP .B name: \fI Name of the authority zone.
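Review bot: the sentence "The netblock is written as .." in the paragraph after the trigger table has lost its description of the encoding; from the examples that follow (24.10.100.51.198.rpz-ip for 198.51.100.10/24, 32.10.zz.db8.2001.rpz-ip for 2001:db8::10/32) it should say that the netblock is written as the prefix length followed by the address components in reverse order, so a reader does not have to infer the format from the example. In the same paragraph, "indiviual" should be "individual", and the IPv6 example uses a scope length of 32 right after the sentence saying individual addresses use 128, so a /128 example (or a note that the /32 case is a netblock) would read less confusingly. Minor: the lead-in lines "An example RPZ record, that answers example.com with NXDOMAIN", "The triggers are encoded in the name on the left" and "The actions are specified with the record on the right" have no colon or period before their .nf blocks, and "(not rpz-..)" reads as truncated; spelling out what is excluded (names under the rpz- prefix) would help.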