:header: "RPZ Right Hand Side", "Knot Resolver Action", "BIND Compatibility"
"``.``", "``action`` is used", "compatible if ``action`` is :func:`policy.DENY`"
- "``*.``", "``action`` is used", "good enough [#]_ if ``action`` is :func:`policy.DENY`"
+ "``*.``", ":func:`policy.ANSWER`", "yes"
"``rpz-passthru.``", ":func:`policy.PASS`", "yes"
"``rpz-tcp-only.``", ":func:`policy.TC`", "yes"
"``rpz-drop.``", ":func:`policy.DROP`", "no [#]_"
"fake A/AAAA", ":func:`policy.ANSWER`", "yes"
"fake CNAME", "not supported", "no"
- .. [#] RPZ action ``*.`` in BIND causes *NODATA* answer
- but typically our users configure ``policy.rpz(policy.DENY, ...)``
- which replies with *NXDOMAIN*. Good news is that from client's
- perspective it does not make a visible difference.
.. [#] Our :func:`policy.DROP` returns *SERVFAIL* answer (for historical reasons).
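Review bot: the new ``*.`` row lists only :func:`policy.ANSWER`, but the code wires it to ``policy.ANSWER({}, true)`` (empty RR set, ``nodata=true``); state that form in the table so readers know which ``ANSWER`` arguments yield the RPZ NODATA action, and keep a one-line footnote saying the reply is NOERROR with an empty answer section, matching BIND, since the removed footnote was the only place explaining NODATA versus NXDOMAIN. The remaining ``[#]_`` on the ``rpz-drop.`` row still pairs with the single ``.. [#]`` definition, so auto-numbering stays consistent after the deletion.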
local action_map = {
-- RPZ Policy Actions
['\0'] = action,
- ['\1*\0'] = action, -- deviates from RPZ spec
+ ['\1*\0'] = policy.ANSWER({}, true),
['\012rpz-passthru\0'] = policy.PASS, -- the grammar...
['\008rpz-drop\0'] = policy.DROP,
['\012rpz-tcp-only\0'] = policy.TC,
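Review bot: the ``['\1*\0']`` entry no longer depends on ``action``, so every existing ``policy.rpz(policy.DENY, ...)`` deployment silently changes from NXDOMAIN to NOERROR/NODATA for ``CNAME *.`` records; this is a behaviour change that needs a NEWS/changelog entry. Replace the dropped ``-- deviates from RPZ spec`` comment with one stating the intent, e.g. ``-- RPZ NODATA action: NOERROR with empty answer``, otherwise the only ``action``-independent mapping in the table is left unexplained next to the ``'\0'`` entry that does follow ``action``.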
check_answer('"CNAME ." return NXDOMAIN',
'nxdomain.', kres.type.A, kres.rcode.NXDOMAIN)
check_answer('"CNAME *." return NXDOMAIN',
- 'nodata.', kres.type.A, kres.rcode.NXDOMAIN)
+ 'nodata.', kres.type.A, kres.rcode.NOERROR)
check_answer('"CNAME rpz-drop." be dropped',
'rpzdrop.', kres.type.A, kres.rcode.SERVFAIL)
check_answer('"CNAME rpz-passthru" return A rrset',
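Review bot: the description in ``check_answer('"CNAME *." return NXDOMAIN',`` still says NXDOMAIN while the expected rcode is now ``kres.rcode.NOERROR``; rename it to ``'"CNAME *." return NODATA'``. Checking the rcode alone is also too weak here: NOERROR with a populated answer section would pass as well, so have ``check_answer`` (or an extra assertion) verify that the answer for ``nodata.`` contains no A records, which is what actually pins the NODATA behaviour the code change introduces.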