modules/policy: DENY home.arpa. and local. domains
authorVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 17 Sep 2019 15:42:05 +0000 (17:42 +0200)
committerTomas Krizek <tomas.krizek@nic.cz>
Fri, 20 Sep 2019 12:31:10 +0000 (14:31 +0200)
- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

Some of these DENY rules are perhaps unnecessary, but for now we keep
the same approach.  For arguments see the MR 855 thread and linked ML.

NEWS
modules/policy/policy.lua

diff --git a/NEWS b/NEWS
index 322f44a4bcef64ff880eb05cf5f8d498b066a143..42d710e7beb842a87b62eebc55341e37577ce38f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ Bugfixes
 Improvements
 ------------
 - add compatibility with (future) libknot 2.9
+- policy: special domains home.arpa. and local. get NXDOMAIN (!855)
 
 
 Knot Resolver 4.2.0 (2019-08-05)
index c65642429bdd3e202acbacd9ae7d0c54232f4d02..cf6a0b73859f8c45f9888a39aae50f8acd7727de 100644 (file)
@@ -744,6 +744,8 @@ local private_zones = {
        'a.e.f.ip6.arpa.',
        'b.e.f.ip6.arpa.',
        '8.b.d.0.1.0.0.2.ip6.arpa.',
+       -- RFC8375
+       'home.arpa.',
 }
 policy.todnames(private_zones)
 
@@ -768,6 +770,7 @@ policy.special_names = {
                                todname('test.'),
                                todname('onion.'),
                                todname('invalid.'),
+                               todname('local.'), -- RFC 8375.4
                        }),
                count=0
        },
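Review bot: The trailing comment on the added `todname('local.')` line cites the wrong document: RFC 8375 covers home.arpa., while the commit description gives RFC 6762 section 22.1 as the source for local. The line should read `todname('local.'), -- RFC 6762 section 22.1`, so that someone auditing which special-use names are answered locally instead of being sent upstream can trace the entry to the right text. The earlier hunk writes its reference as `-- RFC8375` with no space or section; using one form for both, e.g. `-- RFC 8375 section 4` there, would keep the two comments consistent. The `policy.special_names` table starts and ends outside this hunk, so the rest of the entry was not reviewed.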