From: Vladimír Čunát Date: Tue, 17 Sep 2019 15:42:05 +0000 (+0200) Subject: modules/policy: DENY home.arpa. and local. domains X-Git-Tag: v4.2.1~4^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e66466f232bb34e45966c62b40635ce19aefeb56;p=thirdparty%2Fknot-resolver.git modules/policy: DENY home.arpa. and local. domains - home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4 - local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1 Well, it's just an approximation... if the user specifies a forwarding policy, any special names will also get forwarded, even though the RFC says not to. And this code will also reply NXDOMAIN to home.arpa. DS. Some of these DENY rules are perhaps unnecessary, but for now we keep the same approach. For arguments see the MR 855 thread and linked ML. --- diff --git a/NEWS b/NEWS index 322f44a4b..42d710e7b 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,7 @@ Bugfixes Improvements ------------ - add compatibility with (future) libknot 2.9 +- policy: special domains home.arpa. and local. get NXDOMAIN (!855) Knot Resolver 4.2.0 (2019-08-05) diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua index c65642429..cf6a0b738 100644 --- a/modules/policy/policy.lua +++ b/modules/policy/policy.lua @@ -744,6 +744,8 @@ local private_zones = { 'a.e.f.ip6.arpa.', 'b.e.f.ip6.arpa.', '8.b.d.0.1.0.0.2.ip6.arpa.', + -- RFC8375 + 'home.arpa.', } policy.todnames(private_zones) @@ -768,6 +770,7 @@ policy.special_names = { todname('test.'), todname('onion.'), todname('invalid.'), + todname('local.'), -- RFC 8375.4 }), count=0 },
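Review bot: The NEWS entry added under `Improvements` states the NXDOMAIN behaviour without the limitation given in the commit message, namely that a user-specified forwarding policy still forwards these special names. An operator reading only NEWS would assume that home.arpa. and local. queries never leave the resolver. Suggest adding a short qualifier to the entry, or a pointer to where the forwarding case is documented.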
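Review bot: In the `private_zones` hunk of modules/policy/policy.lua, the `-- RFC8375` comment above `'home.arpa.',` leaves out both the section number and the known deviation the commit message describes, that this rule also answers NXDOMAIN to home.arpa. DS. Suggest writing the reference in the same form as the other hunk (`RFC 8375.4`) and recording the DS behaviour in the comment, so the approximation is visible in the code and not only in the commit history.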
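Review bot: In the `policy.special_names` hunk, the comment on `todname('local.'), -- RFC 8375.4` cites the wrong document. Per the commit message, RFC 8375 section 4 is the source for home.arpa., while local. comes from RFC 6762 section 22.1. Suggest changing the comment to `-- RFC 6762.22.1` so the reference matches the name it annotates.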