modules/refuse_nord: document usage

diff --git a/NEWS b/NEWS
index 77ae26b7f43b12bc34d5322d7af78d754f5c1e8c..e26ddbc6b2861caf3bfa6502f61ad6476754cf57 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 Knot Resolver 4.y.z (2019-aa-bb)
 ================================
 
+Improvements
+------------
+
+- queries without RD bit set are REFUSED by default (!838)
+
 Bugfixes
 --------
 

diff --git a/doc/modules.rst b/doc/modules.rst
index 23b20155f407c2418bbfca85a91ba49b6fddb7bc..c6a60f5c6464fa4e7025606d9fbc3b255b05104b 100644 (file)
--- a/doc/modules.rst
+++ b/doc/modules.rst
@@ -36,3 +36,4 @@ Modules
 .. include:: ../modules/serve_stale/README.rst
 .. include:: ../modules/edns_keepalive/README.rst
 .. include:: ../modules/experimental_dot_auth/README.rst
+.. include:: ../modules/refuse_nord/README.rst

diff --git a/modules/refuse_nord/README.rst b/modules/refuse_nord/README.rst
new file mode 100644 (file)
index 0000000..a328bee
--- /dev/null
+++ b/modules/refuse_nord/README.rst
@@ -0,0 +1,14 @@
+.. _mod-refuse_nord:
+
+Refuse queries without RD bit
+-----------------------------
+
+This module ensures all queries without RD (recursion desired) bit set in query
+are answered with REFUSED. This prevents snooping on the resolver's cache content.
+
+The module is loaded by default. If you'd like to disable this behavior, you can
+unload it:
+
+.. code-block:: lua
+
+   modules.unload('refuse_nord')

diff --git a/modules/refuse_nord/test.integr/refuse_nord.rpl b/modules/refuse_nord/test.integr/refuse_nord.rpl
index 6682b6be56bcd85592da01dc5709c46bff80e781..216635c254457724c3b3323460a59ba9172b3b24 100644 (file)
--- a/modules/refuse_nord/test.integr/refuse_nord.rpl
+++ b/modules/refuse_nord/test.integr/refuse_nord.rpl
@@ -6,6 +6,7 @@ SCENARIO_BEGIN Test refuse queries without RD bit
 
 STEP 10 QUERY
 ENTRY_BEGIN
+; RD bit is cleared
 SECTION QUESTION
 www.example.com IN A
 ENTRY_END