From b148318382e32eb9b62e4dc4d9dc0f0f441e168f Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 24 Jul 2019 11:47:00 +0200 Subject: [PATCH] modules/refuse_nord: document usage --- NEWS | 5 +++++ doc/modules.rst | 1 + modules/refuse_nord/README.rst | 14 ++++++++++++++ modules/refuse_nord/test.integr/refuse_nord.rpl | 1 + 4 files changed, 21 insertions(+) create mode 100644 modules/refuse_nord/README.rst diff --git a/NEWS b/NEWS index 77ae26b7f..e26ddbc6b 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,11 @@ Knot Resolver 4.y.z (2019-aa-bb) ================================ +Improvements +------------ + +- queries without RD bit set are REFUSED by default (!838) + Bugfixes -------- diff --git a/doc/modules.rst b/doc/modules.rst index 23b20155f..c6a60f5c6 100644 --- a/doc/modules.rst +++ b/doc/modules.rst @@ -36,3 +36,4 @@ Modules .. include:: ../modules/serve_stale/README.rst .. include:: ../modules/edns_keepalive/README.rst .. include:: ../modules/experimental_dot_auth/README.rst +.. include:: ../modules/refuse_nord/README.rst diff --git a/modules/refuse_nord/README.rst b/modules/refuse_nord/README.rst new file mode 100644 index 000000000..a328beedb --- /dev/null +++ b/modules/refuse_nord/README.rst @@ -0,0 +1,14 @@ +.. _mod-refuse_nord: + +Refuse queries without RD bit +----------------------------- + +This module ensures all queries without RD (recursion desired) bit set in query +are answered with REFUSED. This prevents snooping on the resolver's cache content. + +The module is loaded by default. If you'd like to disable this behavior, you can +unload it: + +.. code-block:: lua + + modules.unload('refuse_nord') diff --git a/modules/refuse_nord/test.integr/refuse_nord.rpl b/modules/refuse_nord/test.integr/refuse_nord.rpl index 6682b6be5..216635c25 100644 --- a/modules/refuse_nord/test.integr/refuse_nord.rpl +++ b/modules/refuse_nord/test.integr/refuse_nord.rpl 
@@ -6,6 +6,7 @@ SCENARIO_BEGIN Test refuse queries without RD bit STEP 10 QUERY ENTRY_BEGIN +; RD bit is cleared SECTION QUESTION www.example.com IN A ENTRY_END -- 2.47.2
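Review bot: in the NEWS hunk, the entry "queries without RD bit set are REFUSED by default (!838)" announces a change in default behaviour without naming the module or saying how to turn it off. Consider naming refuse_nord in the entry and mentioning modules.unload('refuse_nord'), so an operator whose clients send non-recursive queries can find the switch from the release notes alone.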
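Review bot: in the modules/refuse_nord/README.rst hunk, "This prevents snooping on the resolver's cache content" claims more than the behaviour described in the preceding sentence delivers. Refusing queries without RD closes the non-recursive probing route only; response timing on ordinary queries with RD set can still indicate whether a name is cached. Suggest scoping the sentence to cache snooping via non-recursive queries, and dropping the redundant "in query" from "bit set in query". The paragraph about unloading would also benefit from one sentence stating that unloading removes this protection.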
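Review bot: in the refuse_nord.rpl hunk, the added comment "; RD bit is cleared" states the condition the test depends on but not how it comes about; the visible entry has no flags line between ENTRY_BEGIN and SECTION QUESTION, so the bit appears to be cleared only by omission. Suggest wording the comment to say that, so a later edit that adds a flags line to this entry does not silently change what the scenario covers.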