From d65c6f8eef914d30004c4e22f34c1ec5f752e813 Mon Sep 17 00:00:00 2001 From: Otto Date: Tue, 12 Jan 2021 09:48:19 +0100 Subject: [PATCH] Add a note about RPZ changes in the upgrade guide. Also make the 4.4.0 changes a bit more prominent in the docs and fix a few dead links. --- pdns/recursordist/docs/lua-config/rpz.rst | 6 +++--- pdns/recursordist/docs/lua-scripting/dq.rst | 4 ++-- pdns/recursordist/docs/lua-scripting/hooks.rst | 9 +++++++-- pdns/recursordist/docs/upgrade.rst | 8 ++++++++ 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/pdns/recursordist/docs/lua-config/rpz.rst b/pdns/recursordist/docs/lua-config/rpz.rst index a6e55dc129..e340394a8f 100644 --- a/pdns/recursordist/docs/lua-config/rpz.rst +++ b/pdns/recursordist/docs/lua-config/rpz.rst @@ -1,7 +1,7 @@ .. _rpz: Response Policy Zones (RPZ) -=========================== +--------------------------- Response Policy Zone is an open standard developed by Paul Vixie (ISC and Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a policy loaded via a zonefile. @@ -124,13 +124,13 @@ extendedErrorCode ^^^^^^^^^^^^^^^^^ .. versionadded:: 4.5.0 -An extended error code (:rfc:`8914`) to set on RPZ hits. See :ref:`extended-errors`. +An extended error code (:rfc:`8914`) to set on RPZ hits. See :ref:`setting-extended-resolution-errors`. extendedErrorExtra ^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.5.0 -An extended error extra text (:rfc:`8914`) to set on RPZ hits. See :ref:`extended-errors`. +An extended error extra text (:rfc:`8914`) to set on RPZ hits. See :ref:`setting-extended-resolution-errors`. maxTTL ^^^^^^ diff --git a/pdns/recursordist/docs/lua-scripting/dq.rst b/pdns/recursordist/docs/lua-scripting/dq.rst index debc6e0188..b44c82185b 100644 --- a/pdns/recursordist/docs/lua-scripting/dq.rst +++ b/pdns/recursordist/docs/lua-scripting/dq.rst 
@@ -15,13 +15,13 @@ The DNSQuestion object contains at least the following fields: .. versionadded:: 4.5.0 - The current extended error code, if any. See :ref:`extended-errors`. + The current extended error code, if any. See :ref:`setting-extended-resolution-errors`. .. attribute:: DNSQuestion.extendedErrorExtra .. versionadded:: 4.5.0 - The current extended error extra text, as a string, if any. See :ref:`extended-errors`. + The current extended error extra text, as a string, if any. See :ref:`setting-extended-resolution-errors`. .. attribute:: DNSQuestion.qname diff --git a/pdns/recursordist/docs/lua-scripting/hooks.rst b/pdns/recursordist/docs/lua-scripting/hooks.rst index 24299636da..1d7d679a7a 100644 --- a/pdns/recursordist/docs/lua-scripting/hooks.rst +++ b/pdns/recursordist/docs/lua-scripting/hooks.rst 
@@ -329,8 +329,11 @@ Modifying Policy Decisions The PowerDNS Recursor has a :doc:`policy engine based on Response Policy Zones (RPZ) <../lua-config/rpz>`. Starting with version 4.0.1 of the recursor, it is possible to alter this decision inside the Lua hooks. -If the decision is modified in a Lua hook, ``false`` should be returned, as the query is not actually handled by Lua so the decision is picked up by the Recursor. -The result of the policy decision is checked after :func:`preresolve` and :func:`postresolve` before 4.4.0. Beginning with version 4.4.0, the policy decision is checked after :func:`preresolve` and any :func:`policyEventFilter` call instead. +If the decision is modified in a Lua hook, ``false`` should be +returned, as the query is not actually handled by Lua so the decision +is picked up by the Recursor. + +Before 4.4.0, the result of the policy decision is checked after :func:`preresolve` and :func:`postresolve`. Beginning with version 4.4.0, the policy decision is checked after :func:`preresolve` and any :func:`policyEventFilter` call instead. For example, if a decision is set to ``pdns.policykinds.NODATA`` by the policy engine and is unchanged in :func:`preresolve`, the query is replied to with a NODATA response immediately after :func:`preresolve`. @@ -339,6 +342,8 @@ Example script .. code-block:: Lua + -- This script demonstrates modifying policies for versions before 4.4.0. + -- Starting with 4.4.0, it is preferred to use a policyEventFilter. -- Dont ever block my own domain and IPs myDomain = newDN("example.com") diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst index 6bbd2c9eb4..2640819b2d 100644 --- a/pdns/recursordist/docs/upgrade.rst +++ b/pdns/recursordist/docs/upgrade.rst 
@@ -7,6 +7,14 @@ When upgrading several versions, please read **all** notes applying to the upgra 4.3.x to 4.4.0 or master ------------------------ +Repsonse Policy Zones (RPZ) +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To conform better to the standard, RPZ processing has been modified. +This has consequences for the points in the resolving process where matches are checked and callbacks are called. +See :ref:`rpz` for details. Additionally a new type of callback has been introduced: :func:`policyEventFilter`. + + Parsing of unknown record types ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The parsing (from zone files) of unknown records types (of the form -- 2.47.2
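Review bot: In pdns/recursordist/docs/lua-config/rpz.rst (hunk @@ -1,7 +1,7 @@), the underline of the page title "Response Policy Zones (RPZ)" changes from `=` to `-`, and the commit message does not say why. reStructuredText assigns heading levels by order of first appearance, so please check that no later section in this file already uses a `-` underline, otherwise those sections would end up at the same level as the page title. The `^` subsections visible in the next hunk are not affected.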
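Review bot: In rpz.rst (hunk @@ -124,13 +124,13 @@), the `:ref:` target for extendedErrorCode and extendedErrorExtra becomes `setting-extended-resolution-errors`, but no hunk in this patch defines or touches that label. Please confirm it exists in the docs tree, since a mistyped label would only trade one dead link for another. The same target is used twice in the dq.rst hunk, so one check covers all four references.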
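Review bot: In hooks.rst (hunk @@ -329,8 +329,11 @@), the sentence "If the decision is modified in a Lua hook, ..." is removed and re-added with identical wording, only hard-wrapped over three lines, while the neighbouring paragraphs in the same hunk keep one sentence per line. Leaving that line untouched and only inserting the blank line before "Before 4.4.0, ..." would keep the diff to the actual change. In that new sentence, "was checked" would read better than "is checked" for the pre-4.4.0 behaviour.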
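Review bot: In the example script in hooks.rst (hunk @@ -339,6 +342,8 @@), the new comment says a policyEventFilter is preferred starting with 4.4.0, but the reader is not told where to find one. The note sits inside the Lua code block, where a `:func:` role will not render, so consider adding a sentence above the `.. code-block:: Lua` directive that links to :func:`policyEventFilter`, or a second script for 4.4.0 and later.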
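Review bot: In upgrade.rst (hunk @@ -7,6 +7,14 @@), the new section title is misspelled: "Repsonse Policy Zones (RPZ)" should be "Response Policy Zones (RPZ)". The paragraph also sends readers to :ref:`rpz` "for details", but none of the rpz.rst hunks in this patch add text about where matches are checked; the 4.4.0 behaviour is described in the "Modifying Policy Decisions" section of hooks.rst edited by this same patch, so a link there would help. The hunk also adds two blank lines before "Parsing of unknown record types" where one would do.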