From: Vladimír Čunát Date: Tue, 15 Aug 2017 14:12:12 +0000 (+0200) Subject: Merge branch 'master' into aho-corasick X-Git-Tag: v1.4.0~18^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd7891e911c65d60b0ec3cd9e314cd0cd0baacc7;p=thirdparty%2Fknot-resolver.git Merge branch 'master' into aho-corasick ... to resolve some simple conflicts. --- bd7891e911c65d60b0ec3cd9e314cd0cd0baacc7 diff --cc NEWS index 4828c1a3e,ff45a641b..7b577935a --- a/NEWS +++ b/NEWS @@@ -1,8 -1,35 +1,39 @@@ + Knot Resolver 1.4.0 (2017-0x-yy) + ================================ + + Incompatible changes + -------------------- + - lua: query flag-sets are no longer represented as plain integers. + kres.query.* no longer works, and kr_query_t lost trivial methods + 'hasflag' and 'resolved'. + You can instead write code like qry.flags.NO_0X20 = true. + +Improvements +------------ +- policy.suffix: update the aho-corasick code (#200) + + Knot Resolver 1.3.3 (2017-08-09) + ================================ + + Security + -------- + - Fix a critical DNSSEC flaw. Signatures might be accepted as valid + even if the signed data was not in bailiwick of the DNSKEY used to + sign it, assuming the trust chain to that DNSKEY was valid. + + Bugfixes + -------- + - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL + - utils: fix possible incorrect seeding of the random generator + - modules/http: fix compatibility with the Prometheus text format + + Improvements + ------------ + - policy: implement remaining special-use domain names from RFC6761 (#205), + and make these rules apply only if no other non-chain rule applies + + Knot Resolver 1.3.2 (2017-07-28) ================================ diff --cc modules/policy/README.rst index 45e4fee50,d7cb29d7c..2c082ff19 --- a/modules/policy/README.rst +++ b/modules/policy/README.rst @@@ -4,25 -4,29 +4,29 @@@ Query policie -------------- This module can block, rewrite, or alter inbound queries based on user-defined policies. 
- By default, it blocks queries to reverse lookups in private subnets as per :rfc:`1918`, :rfc:`5735` and :rfc:`5737`. - You can however extend it to deflect `Slow drip DNS attacks `_ for example, or gray-list resolution of misbehaving zones. + By default, if no rule applies to a query, rules for special-use domain names are applied, as required by :rfc:`6761`. - There are several policies implemented: + You can however extend it e.g. to deflect `Slow drip DNS attacks `_ or gray-list resolution of misbehaving zones. - * ``pattern`` - - applies action if QNAME matches `regular expression `_ - * ``suffix`` - - applies action if QNAME suffix matches given list of suffixes (useful for "is domain in zone" rules), + There are several policy filters available in the ``policy.`` table: + + * ``all(action)`` + - always applies the action + * ``pattern(action, pattern)`` + - applies the action if QNAME matches a `regular expression `_ + * ``suffix(action, table)`` + - applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules), - uses `Aho-Corasick`_ string matching algorithm implemented by `@jgrahamc`_ (CloudFlare, Inc.) (BSD 3-clause) + uses `Aho-Corasick`_ string matching algorithm `from CloudFlare `_ (BSD 3-clause) + * :any:`policy.suffix_common` * ``rpz`` - - implementes a subset of the RPZ_ format. Currently it can be used with a zonefile, a binary database support is on the way. Binary database can be updated by an external process on the fly. + - implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`. 
* custom filter function - There are several defined actions: + There are several actions available in the ``policy.`` table: - * ``PASS`` - let the query pass through - * ``DENY`` - return NXDOMAIN answer - * ``DROP`` - terminate query resolution, returns SERVFAIL to requestor + * ``PASS`` - let the query pass through; it's useful to make exceptions before wider rules + * ``DENY`` - reply NXDOMAIN authoritatively + * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP * ``FORWARD(ip)`` - solve a query via forwarding to an IP while validating and caching locally; the parameter can be a single IP (string) or a lua list of up to four IPs.
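Review bot: In the NEWS hunk, the 1.3.3 "Security" entry ("Fix a critical DNSSEC flaw. Signatures might be accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it") carries no issue or advisory reference, while the neighbouring Improvements entries do ("(#205)", "(#200)"); a critical validation-bypass fix is exactly the entry downstream packagers and operators will grep for, so add the tracking identifier here as on the other lines. Also, the merged 1.4.0 header still reads "Knot Resolver 1.4.0 (2017-0x-yy)"; the placeholder date must be filled in before the release tag, or the merge should note that it is intentionally left open.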
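Review bot: In the modules/policy/README.rst hunk, the new list entry "* :any:`policy.suffix_common`" is the only filter without the "- applies the action if ..." description that every other bullet (``all``, ``pattern``, ``suffix``, ``rpz``) now has; give it the same one-line summary so a reader does not have to follow the cross-reference to learn when it fires. The new default-behaviour sentence, "By default, if no rule applies to a query, rules for special-use domain names are applied, as required by :rfc:`6761`", is also looser than the NEWS wording for the same change in this merge ("make these rules apply only if no other non-chain rule applies"); since the old default (blocking reverse lookups for :rfc:`1918`, :rfc:`5735` and :rfc:`5737` ranges) is being removed from the text, state the non-chain qualification here too so operators can tell which of their own rules pre-empt the RFC 6761 defaults.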