From: TCY16
Date: Tue, 30 Nov 2021 10:32:01 +0000 (+0100)
Subject: change local-zone-default-ede keywords to '-', add missing {}, and add manpage entry...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ccb4c6c26c749b1ce310c191a7a0c5c2c927799;p=thirdparty%2Funbound.git
change local-zone-default-ede keywords to '-', add missing {}, and add manpage entry for local-zone-do-ede, local-zone-default-ede, and ede-local-zones
---
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index a1a2c3eff..c5ec304d0 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1561,6 +1561,56 @@ Override the localzone type for queries from addresses matching netblock. Use this localzone type, regardless the type configured for the local-zone (both tagged and untagged) and regardless the type configured using access\-control\-tag\-action. +.TP 5 +.B local\-zone\-do\-ede: \fI +If enabled, the responses from this local zone will include an Extended DNS +Error (RFC8914). The type of error is dependent on the query. For example a +query for a local-zone type "refuse" will result in EDE code 15 \- Blocked. +By default this option is disabled. +.TP 5 +.B local\-zone\-default\-ede: \fI +If enabled, this zone will respond to requests resulting in an Extended DNS +Error with the EDE code specified as input. This input can either be an integer +corresponding to the EDE code number (e.g. 15 would be EDE Blocked), or a +keyword from the following list corresponding to an EDE specified in RFC 8914. +.TP 5 +EDE keywords: +.nf +\h'5'\fIother\fR +\h'5'\fIunsupported-dnskey-algorithm\fR +\h'5'\fIunsupported-ds-digest-type\fR +\h'5'\fIstale-answer\fR +\h'5'\fIforged\fR +\h'5'\fIdnssec-indeterminate\fR +\h'5'\fIdnssec-bogus\fR +\h'5'\fIsignature-expired\fR +\h'5'\fIsignature-not-yet-valid\fR +\h'5'\fIdnskey-missing\fR +\h'5'\fIrrsigs-missing\fR +\h'5'\fIno-zone-key-bit-set\fR +\h'5'\fInsec-missing\fR +\h'5'\fIcached-error\fR +\h'5'\fInot-ready\fR +\h'5'\fIblocked\fR +\h'5'\fIcensored\fR +\h'5'\fIfiltered\fR +\h'5'\fIprohibited\fR +\h'5'\fIstale-nxdomain-answer\fR +\h'5'\fInot-authoritative\fR +\h'5'\fInot-supported\fR +\h'5'\fIno-reachable-authority\fR +\h'5'\fInetwork-error\fR +\h'5'\fIinvalid-data\fR +.fi +.TP 5 + +.B local\-zone\-do\-ede:: \fI +If enabled, the responses from this local zone will include an Extended DNS +Error (RFC8914). The type of error is dependent on the query. For example a +query for a local-zone type "refuse" will result in EDE code 15 \- Blocked. +By default this option is disabled. 
+
+
 .TP 5
 .B response\-ip: \fI
 This requires use of the "respip" module.
diff --git a/services/localzone.c b/services/localzone.c
index 6c284bed1..835c99538 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -782,15 +782,14 @@ lz_enter_default_ede_response(struct local_zones* zones, char* zname, char* code
 dname_label_count = dname_count_labels(dname);
 /* parse option in case of a textual string or integer value */
- if (atoi(code) != 0)
+ if (atoi(code) != 0) {
 default_ede = (int) ede_string_to_sldns_ede_code(code);
 if (default_ede == -1) {
 log_err("incorect EDE code string found for "
 "local-zone-default-ede: %s", zname);
 return 0;
 }
-
- else {
+ } else {
 int tmp = atoi(code);
 if (!(tmp >= 0 && tmp < 65635))
 log_err("incorrect EDE code integer value for"
diff --git a/util/configparser.c b/util/configparser.c
index 7112d0eba..d561d342c 100644
--- a/util/configparser.c
+++ b/util/configparser.c
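Review bot: The two branches under `if (atoi(code) != 0) {` look swapped: a non-zero `atoi()` result means the argument is numeric, yet that path hands it to `ede_string_to_sldns_ede_code(code)`, while the `else` path calls `atoi(code)` on input that can only be a keyword or "0". Assuming the helper (not shown) only knows keywords, I would classify with `strtol` instead, `char* end; long tmp = strtol(code, &end, 10);` and `if (end == code || *end != '\0') {` for the keyword path, which also stops values such as "15abc" from being read as 15. In the integer path the bound `tmp < 65635` is probably meant to be `tmp < 65536`, since the EDE INFO-CODE is a 16-bit field. The hunk ends inside the following `log_err(` call, so whether an out-of-range value is rejected or still stored is not visible here.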
@@ -5490,30 +5490,30 @@ yyreduce: { OUTYY(("P(server_local_zone_default_ede:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str))); if (!(strcmp((yyvsp[(3) - (3)].str), "other") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "unsupported_dnskey_algorithm") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "unsupported_ds_digest_type") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "stale_answer") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "unsupported-dnskey-algorithm") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "unsupported-ds-digest-type") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "stale-answer") == 0) && !(strcmp((yyvsp[(3) - (3)].str), "forged") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "dnssec_indeterminate") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "dnssec_bogus") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "signature_expired") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "signature_not_yet_valid") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "dnskey_missing") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "rrsigs_missing") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "no_zone_key_bit_set") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "nsec_missing") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "cached_error") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "not_ready") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "dnssec-indeterminate") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "dnssec-bogus") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "signature-expired") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "signature-not-yet-valid") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "dnskey-missing") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "rrsigs-missing") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "no-zone-key-bit-set") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "nsec-missing") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "cached-error") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "not-ready") == 0) && !(strcmp((yyvsp[(3) - (3)].str), "blocked") == 0) && 
!(strcmp((yyvsp[(3) - (3)].str), "censored") == 0) && !(strcmp((yyvsp[(3) - (3)].str), "filtered") == 0) && !(strcmp((yyvsp[(3) - (3)].str), "prohibited") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "stale_nxdomain_answer") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "not_authoritative") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "not_supported") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "no_reachable_authority") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "network_error") == 0) && - !(strcmp((yyvsp[(3) - (3)].str), "invalid_data") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "stale-nxdomain-answer") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "not-authoritative") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "not-supported") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "no-reachable-authority") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "network-error") == 0) && + !(strcmp((yyvsp[(3) - (3)].str), "invalid-data") == 0) && !(atoi((yyvsp[(3) - (3)].str)) == 0)) yyerror("expected default-ede keyword or integer" "refering to the respecive ede code"); diff --git a/util/configparser.y b/util/configparser.y index dd62df607..d51954d2e 100644 --- a/util/configparser.y +++ b/util/configparser.y 
@@ -2224,30 +2224,30 @@ server_local_zone_default_ede: VAR_LOCAL_ZONE_DEFAULT_EDE STRING_ARG STRING_ARG
 {
 OUTYY(("P(server_local_zone_default_ede:%s %s)\n", $2, $3));
 if (!(strcmp($3, "other") == 0) &&
- !(strcmp($3, "unsupported_dnskey_algorithm") == 0) &&
- !(strcmp($3, "unsupported_ds_digest_type") == 0) &&
- !(strcmp($3, "stale_answer") == 0) &&
+ !(strcmp($3, "unsupported-dnskey-algorithm") == 0) &&
+ !(strcmp($3, "unsupported-ds-digest-type") == 0) &&
+ !(strcmp($3, "stale-answer") == 0) &&
 !(strcmp($3, "forged") == 0) &&
- !(strcmp($3, "dnssec_indeterminate") == 0) &&
- !(strcmp($3, "dnssec_bogus") == 0) &&
- !(strcmp($3, "signature_expired") == 0) &&
- !(strcmp($3, "signature_not_yet_valid") == 0) &&
- !(strcmp($3, "dnskey_missing") == 0) &&
- !(strcmp($3, "rrsigs_missing") == 0) &&
- !(strcmp($3, "no_zone_key_bit_set") == 0) &&
- !(strcmp($3, "nsec_missing") == 0) &&
- !(strcmp($3, "cached_error") == 0) &&
- !(strcmp($3, "not_ready") == 0) &&
+ !(strcmp($3, "dnssec-indeterminate") == 0) &&
+ !(strcmp($3, "dnssec-bogus") == 0) &&
+ !(strcmp($3, "signature-expired") == 0) &&
+ !(strcmp($3, "signature-not-yet-valid") == 0) &&
+ !(strcmp($3, "dnskey-missing") == 0) &&
+ !(strcmp($3, "rrsigs-missing") == 0) &&
+ !(strcmp($3, "no-zone-key-bit-set") == 0) &&
+ !(strcmp($3, "nsec-missing") == 0) &&
+ !(strcmp($3, "cached-error") == 0) &&
+ !(strcmp($3, "not-ready") == 0) &&
 !(strcmp($3, "blocked") == 0) &&
 !(strcmp($3, "censored") == 0) &&
 !(strcmp($3, "filtered") == 0) &&
 !(strcmp($3, "prohibited") == 0) &&
- !(strcmp($3, "stale_nxdomain_answer") == 0) &&
- !(strcmp($3, "not_authoritative") == 0) &&
- !(strcmp($3, "not_supported") == 0) &&
- !(strcmp($3, "no_reachable_authority") == 0) &&
- !(strcmp($3, "network_error") == 0) &&
- !(strcmp($3, "invalid_data") == 0) &&
+ !(strcmp($3, "stale-nxdomain-answer") == 0) &&
+ !(strcmp($3, "not-authoritative") == 0) &&
+ !(strcmp($3, "not-supported") == 0) &&
+ !(strcmp($3, "no-reachable-authority") == 0) &&
+ !(strcmp($3, "network-error") == 0) &&
+ !(strcmp($3, "invalid-data") == 0) &&
 !(atoi($3) == 0))
 yyerror("expected default-ede keyword or integer"
 "refering to the respecive ede code");
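Review bot: The closing clause `!(atoi($3) == 0))` inverts the numeric test: when no keyword matches, `yyerror` fires only if `atoi($3)` is non-zero, so a numeric code such as 15 is refused while an arbitrary non-numeric string passes this check. The clause presumably should be `(atoi($3) == 0 && strcmp($3, "0") != 0))`, so that only arguments that are neither a keyword nor a number are rejected; the regenerated util/configparser.c hunk carries the same expression. The two adjacent literals in the `yyerror` call also concatenate without a space and contain typos, and could read `"expected default-ede keyword or integer "` and `"referring to the respective ede code"`. The rule's action continues past the end of the hunk.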