From: Vladimír Čunát Date: Tue, 30 Jun 2020 08:51:08 +0000 (+0200) Subject: policy.rpz: don't warn on NS and SOA records X-Git-Tag: v5.1.2~1^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a96d514c945d0aa147d83766f2fa33b41860ecd;p=thirdparty%2Fknot-resolver.git policy.rpz: don't warn on NS and SOA records Also utilize table indexing. This was a "regression" from extending RPZ support in 5.1.0. NS and SOA are even mandatory, as RPZ is supposed to be a valid zone: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-2 --- diff --git a/NEWS b/NEWS index 025c2fbd7..2f21d7a6e 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ Bugfixes - cache garbage collector: fix flushing of messages to logs (!1009) - cache garbage collector: fix insufficient GC on 32-bit systems (!1009) - graphite module: do not block resolver on TCP failures (!1014) +- policy.rpz: don't warn on NS and SOA records (!1016) Knot Resolver 5.1.1 (2020-05-19) diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua index b9b90f5e8..8a4e94079 100644 --- a/modules/policy/policy.lua +++ b/modules/policy/policy.lua 
@@ -388,22 +388,17 @@ local function rpz_parse(action, path)
 ['\012rpz-tcp-only\0'] = policy.TC,
 -- Policy triggers @NYI@
 }
-local unsupp_rrs = function (rtype)
-local set = {
-kres.type.DNAME,
-kres.type.NS,
-kres.type.SOA,
-kres.type.DNSKEY,
-kres.type.DS,
-kres.type.RRSIG,
-kres.type.NSEC,
-kres.type.NSEC3,
-}
-for _, l in pairs(set) do
-if rtype == l then return true end
-end
-return false
-end
+-- RR types to be skipped; boolean denoting whether to throw a warning.
+local rrtype_bad = {
+[kres.type.DNAME] = true,
+[kres.type.NS] = false, -- it's mandatory; could be improved to warn based on owner
+[kres.type.SOA] = false, -- it's mandatory; could be improved to warn based on owner
+[kres.type.DNSKEY] = true,
+[kres.type.DS] = true,
+[kres.type.RRSIG] = true,
+[kres.type.NSEC] = true,
+[kres.type.NSEC3] = true,
+}
 local parser = require('zonefile').new()
 local ok, errstr = parser:open(path)
 if not ok then
@@ -447,12 +442,15 @@ local function rpz_parse(action, path)
 else
 -- Warn when NYI
 if #name then
-if unsupp_rrs(parser.r_type) then
+local is_bad = rrtype_bad[parser.r_type]
+if is_bad == true then
 log('[poli] RPZ %s:%d: RR type %s is not allowed in RPZ',
 path, tonumber(parser.line_counter), kres.tostring.type[parser.r_type])
-else
+elseif is_bad == nil then
 if new_actions[name] == nil then new_actions[name] = {} end
 new_actions[name][parser.r_type] = { ttl=parser.r_ttl, rdata=rdata }
+else
+assert(is_bad == false)
 end
 end
 end
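Review bot: In the second hunk the new `else` branch only asserts `is_bad == false` and drops the record, so an NS or SOA record whose owner is a trigger name rather than the zone apex now vanishes from the loaded policy without any trace, whereas the removed `unsupp_rrs` path at least warned about it; the table comment in the first hunk already marks the owner-based check as a follow-up. Until that check exists, keeping the skipped record visible at verbose level costs little and lets an operator spot a misplaced rule, e.g. replace the assert with `if verbose() then log('[poli] RPZ %s:%d: skipping RR type %s', path, tonumber(parser.line_counter), kres.tostring.type[parser.r_type]) end`. The tri-state meaning of the lookup (`true` skip and warn, `false` skip silently, `nil` ordinary RR to apply) is explained only next to the table some fifty lines earlier, so a one-line comment above `local is_bad = rrtype_bad[parser.r_type]` such as `-- true: skip with warning; false: skip silently (mandatory apex RR); nil: apply as policy data` would help whoever reads this branch on its own. rpz_parse begins before the first hunk and continues past the second.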