From b2c21d31dcd7b99ac55815d0d25c63d021d7aaae Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Thu, 1 Apr 2021 15:05:31 +0200
Subject: [PATCH] policy.STUB docs: recommend NO_EDNS and mention NO_0X20

---
 modules/policy/README.rst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/policy/README.rst b/modules/policy/README.rst
index 83ca7729d..9ba76ac38 100644
--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -332,9 +332,10 @@ Actions :func:`policy.FORWARD`, :func:`policy.TLS_FORWARD` and :func:`policy.STU
           policy.STUB('192.0.2.1@5353'),
           {todname('1.168.192.in-addr.arpa')}))
 
-.. note:: Forwarding targets must support
+.. note:: By default, forwarding targets must support
    `EDNS <https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS>`_ and
    `0x20 randomization <https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00>`_.
+   See example in `Replacing part of the DNS tree`_.
 
 
 .. _tls-forwarding:
@@ -538,7 +539,11 @@ The easiest work-around is to disable reading from cache for grafted domains.
         '2.0.192.in-addr.arpa.'  -- this applies to reverse DNS tree as well
         })
    -- Beware: the rule order is important, as policy.STUB is not a chain action.
-   policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}),   extraTrees))
+   -- Flags: for "dumb" targets disabling EDNS can help (below) as DNSSEC isn't
+   -- validated anyway; in some of those cases adding 'NO_0X20' can also help,
+   -- though it also lowers defenses against off-path attacks on communication
+   -- between the two servers.
+   policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
    policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))
 
 Response policy zones
-- 
2.47.2