From 1e5618fcd052afd3f220bd14182d0373406dd6b6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 1 Jun 2017 18:04:16 +0200 Subject: [PATCH] doc+NEWS: changes related to full-forward --- NEWS | 6 ++++-- modules/policy/README.rst | 10 ++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 3da0b22c4..13e79ba92 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,4 @@ -Knot Resolver 1.3.0 ? (2017-05-??) +Knot Resolver 1.3.0 (2017-06-??) ================================ Security @@ -10,7 +10,9 @@ Security Improvements ------------ -- allow answering from cache in non-iterative modes (#122) +- major feature: support for forwarding with validation (#112). + The old policy.FORWARD action now does that; the previous non-validating + mode is still avaliable as policy.STUB except that also uses caching (#122). - command line: specify ports via @ but still support # for compatibility - policy: recognize 100.64.0.0/10 as local addresses - layer/iterate: *do* retry repeatedly if REFUSED, as we can't yet easily diff --git a/modules/policy/README.rst b/modules/policy/README.rst index 6c22cd865..a0dca4323 100644 --- a/modules/policy/README.rst +++ b/modules/policy/README.rst @@ -1,6 +1,6 @@ .. _mod-policy: -Query policies +Query policies -------------- This module can block, rewrite, or alter inbound queries based on user-defined policies. 
@@ -24,14 +24,16 @@ There are several defined actions: * ``DENY`` - return NXDOMAIN answer * ``DROP`` - terminate query resolution, returns SERVFAIL to requestor * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP -* ``FORWARD(ip)`` - forward query to given IP and proxy back response (stub mode); - it can be a single IP (string) or a list of up to four IPs. +* ``FORWARD(ip)`` - solve a query via forwarding to an IP while validating and caching locally; + the parameter can be a single IP (string) or a lua list of up to four IPs. +* ``STUB(ip)`` - similar to ``FORWARD(ip)`` but *without* attempting DNSSEC validation. + Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer. * ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping) * ``REROUTE({{subnet,target}, ...})`` - reroute addresses in response matching given subnet to given target, e.g. ``{'192.0.2.0/24', '127.0.0.0'}`` will rewrite '192.0.2.55' to '127.0.0.55', see :ref:`renumber module ` for more information. * ``QTRACE`` - pretty-print DNS response packets into the log (useful for debugging weird DNS servers). * ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear, combined by ``bit.bor`` from ``kres.query.*`` values. -.. warning:: The policy module only looks at the inbound DNS queries. Thus the ``FORWARD(ip)`` policy does only forward inbound query to the specified IP address(es) and it doesn't and it can't do DNSSEC validation. If you need DNSSEC validation, you either need to disable ``FORWARD(ip)`` policy or use an upstream DNSSEC-validating resolver. +.. warning:: The policy module currently only looks at whole DNS requests. The rules won't be re-applied e.g. when following CNAMEs. .. note:: The module (and ``kres``) expects domain names in wire format, not textual representation. 
So each label in name is prefixed with its length, e.g. "example.com" equals to ``"\7example\3com"``. You can use convenience function ``todname('example.com')`` for automatic conversion. -- 2.47.3
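Review bot: the NEWS hunk for ``policy.FORWARD`` has a typo and an unclear clause: "avaliable" should be "available", and "except that also uses caching (#122)" should read something like "except that it now also uses caching (#122)". Because the same line changes what an existing ``policy.FORWARD`` configuration does (it now validates), the entry should also state plainly that deployments relying on the old non-validating behaviour must switch to ``policy.STUB``, so an operator reading NEWS can tell whether the upgrade affects their setup.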
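Review bot: in the ``modules/policy/README.rst`` actions hunk, the only statement that forwarded answers are unvalidated disappears, since the old ``.. warning::`` is replaced wholesale by the CNAME note and the new ``STUB(ip)`` bullet says only "*without* attempting DNSSEC validation". As ``STUB`` answers "may be either answered from cache or simply sent to one of the IPs", the bullet should say explicitly that such answers (cached or not) carry no DNSSEC assurance and point readers who need validation to ``FORWARD(ip)``. Minor wording in the same hunk: "solve a query via forwarding" reads better as "resolve a query by forwarding", "lua list" should be "Lua list", and "with proxying back the answer" as "and the answer proxied back".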