- rpz skip nsec3param records, and nicer log for unsupported actions.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 19 Feb 2021 14:00:39 +0000 (15:00 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 19 Feb 2021 14:00:39 +0000 (15:00 +0100)
doc/Changelog
services/rpz.c

index 0c81a22a8915ec0a28a7e912279cd620511a4106..ce796372cefe7872ed226d8c8477cf704b66997d 100644 (file)
@@ -7,6 +7,7 @@
          zonemd can be mandated for specific zones.
        - Fix doxygen and pydoc warnings.
        - Fix #429: rpz: url: with https: broken (regression in 1.13.1).
+       - rpz skip nsec3param records, and nicer log for unsupported actions.
 
 15 February 2021: Wouter
        - Fix #422: IPv6 fallback issues when IPv6 is not properly
index 2b6b0ac3fccfa1f10e126eb302353994a4ca624d..40b8efe480230dfbfa1922a3db07101b50a09866 100644 (file)
@@ -162,6 +162,7 @@ rpz_rr_to_action(uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
                case LDNS_RR_TYPE_RRSIG:
                case LDNS_RR_TYPE_NSEC:
                case LDNS_RR_TYPE_NSEC3:
+               case LDNS_RR_TYPE_NSEC3PARAM:
                        return RPZ_INVALID_ACTION;
                case LDNS_RR_TYPE_CNAME:
                        break;
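Review bot: The set of record types that are silently skipped now lives in two places, this `switch` and the `rrtype ==` chain added in rpz_insert_qname_trigger, and nothing ties the two lists together. A comment on this case group such as `/* keep in sync with the no-log rrtype list in rpz_insert_qname_trigger() */` would help, or both sites could call one small static predicate. The switch starts above the hunk, so whether DS (present in the other list) is already handled here cannot be seen from this view.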
@@ -479,8 +480,19 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
        int newzone = 0;
 
        if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) {
-               verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-                       rpz_action_to_string(a));
+               char str[255+1];
+               if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS ||
+                       rrtype == LDNS_RR_TYPE_DNAME ||
+                       rrtype == LDNS_RR_TYPE_DNSKEY ||
+                       rrtype == LDNS_RR_TYPE_RRSIG ||
+                       rrtype == LDNS_RR_TYPE_NSEC ||
+                       rrtype == LDNS_RR_TYPE_NSEC3PARAM ||
+                       rrtype == LDNS_RR_TYPE_NSEC3 ||
+                       rrtype == LDNS_RR_TYPE_DS)
+                       return; /* no need to log these types as unsupported */
+               dname_str(dname, str);
+               verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s",
+                       str, rpz_action_to_string(a));
                free(dname);
                return;
        }
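Review bot: The new early `return;` for SOA/NS/DNSSEC record types leaves the function without calling `free(dname)`, while the logging path just below frees it before returning, so the name appears to be leaked once per skipped record. If the zone is reloaded or re-transferred from an external policy feed, each pass over these records would presumably repeat the leak, so memory could grow over time. Either free on that path, `{ free(dname); return; }`, or invert the test so that only the `dname_str`/`verbose` pair is conditional and the existing `free(dname); return;` is shared by both cases. Ownership of `dname` is inferred from the existing free on this branch; the function body continues outside the hunk.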
@@ -552,8 +564,10 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 
        if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION ||
                respa == respip_invalid) {
-               verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-                       rpz_action_to_string(a));
+               char str[255+1];
+               dname_str(dname, str);
+               verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s",
+                       str, rpz_action_to_string(a));
                return 0;
        }