lib/rules: update/more precise default answers for special names docs-rules-specia-3e2e8z/deployments/7141
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 19 Jun 2025 13:38:44 +0000 (15:38 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Sun, 6 Jul 2025 14:29:37 +0000 (16:29 +0200)
The diff probably looks messy, but the set of names
doesn't change much.  _EMPTY changes to _NXDOMAIN in many cases.
Every name has some text defining the behavior;
unfortunately it's not very unified.
I have now tried to refer to the particular RFC section(s) for each name.

NEWS
lib/rules/defaults.c

diff --git a/NEWS b/NEWS
index 691df0e06d14c0e71ecf1b899f7e363efe35e8c5..c53b27c5f52f5ca319938157ce0864795f5f8450 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,12 @@ Bugfixes
   [system] assertion "env->is_cache" failed in cdb_write
 - /cache/prefill: fix 6.0.13 regression (!1705)
 
+Improvements
+------------
+- update/more precise default answers for special names (!1709)
+  https://www.iana.org/assignments/special-use-domain-names
+  https://www.iana.org/assignments/locally-served-dns-zones
+
 
 Knot Resolver 6.0.14 (2025-06-03)
 =================================
index 3cf5eb8ee6f8241c65c6c3b28c942c320cd45fe2..bac6d7e59739d8f664fe668d5b54191cd84692fe 100644 (file)
 
 int rules_defaults_insert(void)
 {
-       static const char * names[] = {
-               /* RFC1918 Private, local, broadcast, test and special zones
-                  Considerations: RFC6761, sec 6.1.
-                  https://www.iana.org/assignments/locally-served-dns-zones
-                */
-               /* RFC6303 */
-               "10.in-addr.arpa.",
-               "16.172.in-addr.arpa.",
-               "17.172.in-addr.arpa.",
-               "18.172.in-addr.arpa.",
-               "19.172.in-addr.arpa.",
-               "20.172.in-addr.arpa.",
-               "21.172.in-addr.arpa.",
-               "22.172.in-addr.arpa.",
-               "23.172.in-addr.arpa.",
-               "24.172.in-addr.arpa.",
-               "25.172.in-addr.arpa.",
-               "26.172.in-addr.arpa.",
-               "27.172.in-addr.arpa.",
-               "28.172.in-addr.arpa.",
-               "29.172.in-addr.arpa.",
-               "30.172.in-addr.arpa.",
-               "31.172.in-addr.arpa.",
-               "168.192.in-addr.arpa.",
-               "0.in-addr.arpa.",
-               "127.in-addr.arpa.",
-               "254.169.in-addr.arpa.",
-               "2.0.192.in-addr.arpa.",
-               "100.51.198.in-addr.arpa.",
-               "113.0.203.in-addr.arpa.",
-               "255.255.255.255.in-addr.arpa.",
-               /* RFC7793 */
-               "64.100.in-addr.arpa.",
-               "65.100.in-addr.arpa.",
-               "66.100.in-addr.arpa.",
-               "67.100.in-addr.arpa.",
-               "68.100.in-addr.arpa.",
-               "69.100.in-addr.arpa.",
-               "70.100.in-addr.arpa.",
-               "71.100.in-addr.arpa.",
-               "72.100.in-addr.arpa.",
-               "73.100.in-addr.arpa.",
-               "74.100.in-addr.arpa.",
-               "75.100.in-addr.arpa.",
-               "76.100.in-addr.arpa.",
-               "77.100.in-addr.arpa.",
-               "78.100.in-addr.arpa.",
-               "79.100.in-addr.arpa.",
-               "80.100.in-addr.arpa.",
-               "81.100.in-addr.arpa.",
-               "82.100.in-addr.arpa.",
-               "83.100.in-addr.arpa.",
-               "84.100.in-addr.arpa.",
-               "85.100.in-addr.arpa.",
-               "86.100.in-addr.arpa.",
-               "87.100.in-addr.arpa.",
-               "88.100.in-addr.arpa.",
-               "89.100.in-addr.arpa.",
-               "90.100.in-addr.arpa.",
-               "91.100.in-addr.arpa.",
-               "92.100.in-addr.arpa.",
-               "93.100.in-addr.arpa.",
-               "94.100.in-addr.arpa.",
-               "95.100.in-addr.arpa.",
-               "96.100.in-addr.arpa.",
-               "97.100.in-addr.arpa.",
-               "98.100.in-addr.arpa.",
-               "99.100.in-addr.arpa.",
-               "100.100.in-addr.arpa.",
-               "101.100.in-addr.arpa.",
-               "102.100.in-addr.arpa.",
-               "103.100.in-addr.arpa.",
-               "104.100.in-addr.arpa.",
-               "105.100.in-addr.arpa.",
-               "106.100.in-addr.arpa.",
-               "107.100.in-addr.arpa.",
-               "108.100.in-addr.arpa.",
-               "109.100.in-addr.arpa.",
-               "110.100.in-addr.arpa.",
-               "111.100.in-addr.arpa.",
-               "112.100.in-addr.arpa.",
-               "113.100.in-addr.arpa.",
-               "114.100.in-addr.arpa.",
-               "115.100.in-addr.arpa.",
-               "116.100.in-addr.arpa.",
-               "117.100.in-addr.arpa.",
-               "118.100.in-addr.arpa.",
-               "119.100.in-addr.arpa.",
-               "120.100.in-addr.arpa.",
-               "121.100.in-addr.arpa.",
-               "122.100.in-addr.arpa.",
-               "123.100.in-addr.arpa.",
-               "124.100.in-addr.arpa.",
-               "125.100.in-addr.arpa.",
-               "126.100.in-addr.arpa.",
-               "127.100.in-addr.arpa.",
-               /* RFC6303 */
-               "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
-               "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.",
-                       /* ^ below we inject exact-match PTR over this empty zone */
-               "d.f.ip6.arpa.",
-               "8.e.f.ip6.arpa.",
-               "9.e.f.ip6.arpa.",
-               "a.e.f.ip6.arpa.",
-               "b.e.f.ip6.arpa.",
-               "8.b.d.0.1.0.0.2.ip6.arpa.",
-               /* RFC8375 */
-               "home.arpa.",
-
-               /* More zones - empty-zone subset from:
-                  https://www.iana.org/assignments/special-use-domain-names
-                  TODO: perhaps review the list again.
-                */
-               "test.",
-               "onion.",
-               "invalid.",
-               "local.", // RFC 8375.4
+       static const struct { enum kr_rule_sub_t rule; const char *name; } names[] = {
+
+       //// https://www.iana.org/assignments/locally-served-dns-zones
+
+               // RFC 6303: sec. 3 explicitly says that they should be empty zones.
+               { KR_RULE_SUB_EMPTY   , "10.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "16.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "17.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "18.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "19.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "20.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "21.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "22.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "23.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "24.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "25.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "26.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "27.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "28.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "29.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "30.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "31.172.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "168.192.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "0.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "127.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "254.169.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "2.0.192.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "100.51.198.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "113.0.203.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "255.255.255.255.in-addr.arpa."},
+               // RFC 7793: not explicitly said what to do, but same registry as above
+               { KR_RULE_SUB_EMPTY   , "64.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "65.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "66.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "67.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "68.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "69.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "70.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "71.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "72.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "73.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "74.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "75.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "76.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "77.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "78.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "79.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "80.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "81.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "82.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "83.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "84.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "85.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "86.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "87.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "88.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "89.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "90.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "91.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "92.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "93.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "94.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "95.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "96.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "97.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "98.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "99.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "100.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "101.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "102.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "103.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "104.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "105.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "106.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "107.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "108.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "109.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "110.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "111.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "112.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "113.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "114.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "115.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "116.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "117.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "118.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "119.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "120.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "121.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "122.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "123.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "124.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "125.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "126.100.in-addr.arpa."},
+               { KR_RULE_SUB_EMPTY   , "127.100.in-addr.arpa."},
+               // RFC 6303: see 6303 above
+               { KR_RULE_SUB_EMPTY,
+                       "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY,
+                       "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."},
+                       // ^ below we inject exact-match PTR into this empty zone
+               { KR_RULE_SUB_EMPTY   , "d.f.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY   , "8.e.f.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY   , "9.e.f.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY   , "a.e.f.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY   , "b.e.f.ip6.arpa."},
+               { KR_RULE_SUB_EMPTY   , "8.b.d.0.1.0.0.2.ip6.arpa."},
+               // RFC 8375: sec.4.4 - says same as 6303
+               { KR_RULE_SUB_EMPTY   , "home.arpa."},
+               // RFC 9462: para. just above sec. 4.1 and sec. 6.4;
+               //    needs NODATA (at least) on resolver.arpa and _dns.resolver.arpa
+               { KR_RULE_SUB_EMPTY   , "resolver.arpa."},
+               { KR_RULE_SUB_NODATA  , "resolver.arpa."},
+               // RFC 9665: sec. 8.4 refers to 6303 for service, sec. 3.1.2 to 6761 for default.service
+               { KR_RULE_SUB_EMPTY   , "service.arpa."},
+               { KR_RULE_SUB_NXDOMAIN, "default.service.arpa."},
+
+       //// https://www.iana.org/assignments/special-use-domain-names
+
+               // RFC 9476: no action  "alt."
+               // RFC 9031: sec. 11 refers to 6761
+               { KR_RULE_SUB_NXDOMAIN, "6tisch.arpa."},
+               // RFC 9140: sec. 5.6 but doesn't specify; probably 6761
+               { KR_RULE_SUB_NXDOMAIN, "eap-noob.arpa."},
+               // RFC 8375: see above  "home.arpa."
+
+               // Now the registry has RFC 6761 repeats of many names from above,
+               //  but some new names are mixed in:
+               // RFC 8880: sec. 7.2.4: noop for 170.0.0.192.in-addr.arpa. + 171.0.0.192.in-addr.arpa.
+               // RFC 8880: sec. 7.1.4: noop for ipv4only.arpa.  but FIXME: DNS64 module
+
+               // RFC 9462: sec. 8.2.4 just says to prevent forwarding
+               { KR_RULE_SUB_EMPTY   , "resolver.arpa."},
+               // RFC 9665: "service.arpa." got handled above (it's in both IANA lists)
+               // RFC 6761: sec. 6.4.4 says "NXDOMAIN responses"
+               { KR_RULE_SUB_NXDOMAIN, "invalid."},
+               // RFC 6762: sec. 22.1.4
+               { KR_RULE_SUB_NXDOMAIN, "local."},
+               // "localhost." is below
+               // RFC 7686: sec. 2.4 says "NXDOMAIN"
+               { KR_RULE_SUB_NXDOMAIN, "onion."},
+               // RFC 6761: sec. 6.2.4 says "negative responses"
+               { KR_RULE_SUB_NXDOMAIN, "test."},
        };
 
        const int names_count = sizeof(names) / sizeof(names[0]);
        for (int i = 0; i < names_count; ++i) {
                knot_dname_t name_buf[KNOT_DNAME_MAXLEN];
                const knot_dname_t *dname =
-                       knot_dname_from_str(name_buf, names[i], sizeof(name_buf));
-               int ret = kr_rule_local_subtree(dname, KR_RULE_SUB_EMPTY,
+                       knot_dname_from_str(name_buf, names[i].name, sizeof(name_buf));
+               int ret = kr_rule_local_subtree(dname, names[i].rule,
                                                TTL, KR_RULE_TAGS_ALL, KR_RULE_OPTS_DEFAULT);
                CHECK_RET(ret);
                /* The double conversion is perhaps a bit wasteful, but it should be rare. */