From: W.C.A. Wijngaards Date: Fri, 19 Feb 2021 14:00:39 +0000 (+0100) Subject: - rpz skip nsec3param records, and nicer log for unsupported actions. X-Git-Tag: release-1.13.2rc1~266 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa53b933cc959f5732dd30447b90daca326c6658;p=thirdparty%2Funbound.git - rpz skip nsec3param records, and nicer log for unsupported actions. --- diff --git a/doc/Changelog b/doc/Changelog index 0c81a22a8..ce796372c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -7,6 +7,7 @@ zonemd can be mandated for specific zones. - Fix doxygen and pydoc warnings. - Fix #429: rpz: url: with https: broken (regression in 1.13.1). + - rpz skip nsec3param records, and nicer log for unsupported actions. 15 February 2021: Wouter - Fix #422: IPv6 fallback issues when IPv6 is not properly diff --git a/services/rpz.c b/services/rpz.c index 2b6b0ac3f..40b8efe48 100644 --- a/services/rpz.c +++ b/services/rpz.c @@ -162,6 +162,7 @@ rpz_rr_to_action(uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen) case LDNS_RR_TYPE_RRSIG: case LDNS_RR_TYPE_NSEC: case LDNS_RR_TYPE_NSEC3: + case LDNS_RR_TYPE_NSEC3PARAM: return RPZ_INVALID_ACTION; case LDNS_RR_TYPE_CNAME: break; 
@@ -479,8 +480,19 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, int newzone = 0; if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) { - verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s", - rpz_action_to_string(a)); + char str[255+1]; + if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS || + rrtype == LDNS_RR_TYPE_DNAME || + rrtype == LDNS_RR_TYPE_DNSKEY || + rrtype == LDNS_RR_TYPE_RRSIG || + rrtype == LDNS_RR_TYPE_NSEC || + rrtype == LDNS_RR_TYPE_NSEC3PARAM || + rrtype == LDNS_RR_TYPE_NSEC3 || + rrtype == LDNS_RR_TYPE_DS) + return; /* no need to log these types as unsupported */ + dname_str(dname, str); + verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s", + str, rpz_action_to_string(a)); free(dname); return; } @@ -552,8 +564,10 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION || respa == respip_invalid) { - verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s", - rpz_action_to_string(a)); + char str[255+1]; + dname_str(dname, str); + verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s", + str, rpz_action_to_string(a)); return 0; }
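Review bot: The new early `return; /* no need to log these types as unsupported */` in rpz_insert_qname_trigger leaks `dname`: the original skip path (and the path that still follows for the remaining types) does `free(dname);` before returning, so the function owns that buffer, and the quiet path now returns without releasing it. Change the line to `free(dname);` followed by `return; /* no need to log these types as unsupported */`, or restructure so the `if(rrtype == ...)` only guards the `dname_str`/`verbose` calls and the existing `free(dname); return;` is shared by both paths. The nine-way `rrtype ==` chain also restates the set that rpz_rr_to_action already maps to RPZ_INVALID_ACTION in the first hunk (DS is presumably handled there above the hunk), so the two lists can drift apart; a small `static int rpz_rrtype_silently_skipped(uint16_t rrtype)` helper, or a boolean out-parameter from rpz_rr_to_action, would keep one source of truth. The body of rpz_insert_qname_trigger starts and ends outside the hunk.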
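Review bot: rpz_insert_response_ip_trigger now repeats the `char str[255+1]; dname_str(dname, str); verbose(...)` sequence from the qname path with only the trigger word differing, but does not apply the quiet-skip for SOA/NS/DNSSEC types that the qname path gained, so — if the dispatcher routes such records under the response-IP subtree to this function, which is not visible here — they are still logged at VERB_ALGO as unsupported actions. Factoring the log into one static helper keeps both messages and buffer sizes in step, and the quiet-type test can then be applied (or deliberately not applied) in one place. The enclosing function starts and ends outside the hunk.
```c
/* Log at VERB_ALGO that a trigger record is skipped because its action is
 * unsupported; the owner name is printed in text form. */
static void
rpz_log_unsupported(const char* trigger, uint8_t* dname, enum rpz_action a)
{
	char str[255+1];
	dname_str(dname, str);
	verbose(VERB_ALGO, "RPZ: %s trigger, %s skipping unsupported action: %s",
		trigger, str, rpz_action_to_string(a));
}

/* … unchanged: rpz_insert_response_ip_trigger up to the action check … */
		rpz_log_unsupported("respip", dname, a);
		return 0;
```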