Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
+.TP 5
+.B local\-zone\-do\-ede: \fI<zone> <yes or no>
+If enabled, the responses from this local zone will include an Extended DNS
+Error (RFC8914). The type of error is dependent on the query. For example a
+query for a local-zone type "refuse" will result in EDE code 15 \- Blocked.
+By default this option is disabled.
+.TP 5
+.B local\-zone\-default\-ede: \fI<zone> <EDE code string or integer>
+If enabled, this zone will respond to requests resulting in an Extended DNS
+Error with the EDE code specified as input. This input can either be an integer
+corresponding to the EDE code number (e.g. 15 would be EDE Blocked), or a
+keyword from the following list corresponding to an EDE specified in RFC 8914.
+.TP 5
+EDE keywords:
+.nf
+\h'5'\fIother\fR
+\h'5'\fIunsupported-dnskey-algorithm\fR
+\h'5'\fIunsupported-ds-digest-type\fR
+\h'5'\fIstale-answer\fR
+\h'5'\fIforged\fR
+\h'5'\fIdnssec-indeterminate\fR
+\h'5'\fIdnssec-bogus\fR
+\h'5'\fIsignature-expired\fR
+\h'5'\fIsignature-not-yet-valid\fR
+\h'5'\fIdnskey-missing\fR
+\h'5'\fIrrsigs-missing\fR
+\h'5'\fIno-zone-key-bit-set\fR
+\h'5'\fInsec-missing\fR
+\h'5'\fIcached-error\fR
+\h'5'\fInot-ready\fR
+\h'5'\fIblocked\fR
+\h'5'\fIcensored\fR
+\h'5'\fIfiltered\fR
+\h'5'\fIprohibited\fR
+\h'5'\fIstale-nxdomain-answer\fR
+\h'5'\fInot-authoritative\fR
+\h'5'\fInot-supported\fR
+\h'5'\fIno-reachable-authority\fR
+\h'5'\fInetwork-error\fR
+\h'5'\fIinvalid-data\fR
+.fi
+.TP 5
+
+.B local\-zone\-do\-ede:: \fI<zone> <yes or no>
+If enabled, the responses from this local zone will include an Extended DNS
+Error (RFC8914). The type of error is dependent on the query. For example a
+query for a local-zone type "refuse" will result in EDE code 15 \- Blocked.
+By default this option is disabled.
+
+
.TP 5
.B response\-ip: \fI<IP-netblock> <action>
This requires use of the "respip" module.
dname_label_count = dname_count_labels(dname);
/* parse option in case of a textual string or integer value */
- if (atoi(code) != 0)
+ if (atoi(code) != 0) {
default_ede = (int) ede_string_to_sldns_ede_code(code);
if (default_ede == -1) {
log_err("incorect EDE code string found for "
"local-zone-default-ede: %s", zname);
return 0;
}
-
- else {
+ } else {
int tmp = atoi(code);
if (!(tmp >= 0 && tmp < 65635))
log_err("incorrect EDE code integer value for"
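Review bot: The two branches in this hunk look inverted: `if (atoi(code) != 0)` is true for numeric input, yet that arm calls `ede_string_to_sldns_ede_code(code)` and logs an "EDE code string" error, while the `else` arm is reached only when `atoi(code)` is 0, so `tmp` is always 0 there. Unless the helper (not visible here) also accepts digit strings, the test should read `if (atoi(code) == 0) {`. The bound `tmp < 65635` is probably a transposition of the 16-bit limit, and `tmp < 65536` would match the width of the EDE info-code field. `atoi` also accepts trailing garbage (a constructed example: `15abc`) and cannot report overflow, and the same `atoi`-based test closes the keyword chain in the configparser.y hunk, so `strtol` with an end-pointer check would be a stricter way to tell integers from keywords in both places. The enclosing function starts and ends outside the hunk.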
{
OUTYY(("P(server_local_zone_default_ede:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
if (!(strcmp((yyvsp[(3) - (3)].str), "other") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "unsupported_dnskey_algorithm") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "unsupported_ds_digest_type") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "stale_answer") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "unsupported-dnskey-algorithm") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "unsupported-ds-digest-type") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "stale-answer") == 0) &&
!(strcmp((yyvsp[(3) - (3)].str), "forged") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "dnssec_indeterminate") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "dnssec_bogus") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "signature_expired") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "signature_not_yet_valid") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "dnskey_missing") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "rrsigs_missing") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "no_zone_key_bit_set") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "nsec_missing") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "cached_error") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "not_ready") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "dnssec-indeterminate") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "dnssec-bogus") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "signature-expired") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "signature-not-yet-valid") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "dnskey-missing") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "rrsigs-missing") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "no-zone-key-bit-set") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "nsec-missing") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "cached-error") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "not-ready") == 0) &&
!(strcmp((yyvsp[(3) - (3)].str), "blocked") == 0) &&
!(strcmp((yyvsp[(3) - (3)].str), "censored") == 0) &&
!(strcmp((yyvsp[(3) - (3)].str), "filtered") == 0) &&
!(strcmp((yyvsp[(3) - (3)].str), "prohibited") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "stale_nxdomain_answer") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "not_authoritative") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "not_supported") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "no_reachable_authority") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "network_error") == 0) &&
- !(strcmp((yyvsp[(3) - (3)].str), "invalid_data") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "stale-nxdomain-answer") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "not-authoritative") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "not-supported") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "no-reachable-authority") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "network-error") == 0) &&
+ !(strcmp((yyvsp[(3) - (3)].str), "invalid-data") == 0) &&
!(atoi((yyvsp[(3) - (3)].str)) == 0))
yyerror("expected default-ede keyword or integer"
"refering to the respecive ede code");
{
OUTYY(("P(server_local_zone_default_ede:%s %s)\n", $2, $3));
if (!(strcmp($3, "other") == 0) &&
- !(strcmp($3, "unsupported_dnskey_algorithm") == 0) &&
- !(strcmp($3, "unsupported_ds_digest_type") == 0) &&
- !(strcmp($3, "stale_answer") == 0) &&
+ !(strcmp($3, "unsupported-dnskey-algorithm") == 0) &&
+ !(strcmp($3, "unsupported-ds-digest-type") == 0) &&
+ !(strcmp($3, "stale-answer") == 0) &&
!(strcmp($3, "forged") == 0) &&
- !(strcmp($3, "dnssec_indeterminate") == 0) &&
- !(strcmp($3, "dnssec_bogus") == 0) &&
- !(strcmp($3, "signature_expired") == 0) &&
- !(strcmp($3, "signature_not_yet_valid") == 0) &&
- !(strcmp($3, "dnskey_missing") == 0) &&
- !(strcmp($3, "rrsigs_missing") == 0) &&
- !(strcmp($3, "no_zone_key_bit_set") == 0) &&
- !(strcmp($3, "nsec_missing") == 0) &&
- !(strcmp($3, "cached_error") == 0) &&
- !(strcmp($3, "not_ready") == 0) &&
+ !(strcmp($3, "dnssec-indeterminate") == 0) &&
+ !(strcmp($3, "dnssec-bogus") == 0) &&
+ !(strcmp($3, "signature-expired") == 0) &&
+ !(strcmp($3, "signature-not-yet-valid") == 0) &&
+ !(strcmp($3, "dnskey-missing") == 0) &&
+ !(strcmp($3, "rrsigs-missing") == 0) &&
+ !(strcmp($3, "no-zone-key-bit-set") == 0) &&
+ !(strcmp($3, "nsec-missing") == 0) &&
+ !(strcmp($3, "cached-error") == 0) &&
+ !(strcmp($3, "not-ready") == 0) &&
!(strcmp($3, "blocked") == 0) &&
!(strcmp($3, "censored") == 0) &&
!(strcmp($3, "filtered") == 0) &&
!(strcmp($3, "prohibited") == 0) &&
- !(strcmp($3, "stale_nxdomain_answer") == 0) &&
- !(strcmp($3, "not_authoritative") == 0) &&
- !(strcmp($3, "not_supported") == 0) &&
- !(strcmp($3, "no_reachable_authority") == 0) &&
- !(strcmp($3, "network_error") == 0) &&
- !(strcmp($3, "invalid_data") == 0) &&
+ !(strcmp($3, "stale-nxdomain-answer") == 0) &&
+ !(strcmp($3, "not-authoritative") == 0) &&
+ !(strcmp($3, "not-supported") == 0) &&
+ !(strcmp($3, "no-reachable-authority") == 0) &&
+ !(strcmp($3, "network-error") == 0) &&
+ !(strcmp($3, "invalid-data") == 0) &&
!(atoi($3) == 0))
yyerror("expected default-ede keyword or integer"
"refering to the respecive ede code");
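Review bot: The `yyerror` message in the last two lines of this hunk joins two string literals with no space between them, so the operator sees "...keyword or integerrefering to the respecive ede code", and it contains two misspellings. I would change it to `yyerror("expected default-ede keyword or integer "` followed by `"referring to the respective ede code");`. The hand-written `strcmp` chain is also a second copy of the keyword list (the man page is a third, and the string-to-code helper presumably a fourth), and this underscore-to-hyphen rename shows how easily the copies can drift apart. Validating through the same lookup the server uses at load time would keep accepted keywords and documented keywords in step. The rule's action block starts and ends outside the hunk.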