Added RPZ configuration option "nsdname-wait-recurse"
authorDiego Fronza <diego@isc.org>
Mon, 2 Mar 2020 17:52:10 +0000 (14:52 -0300)
committerDiego Fronza <diego@isc.org>
Mon, 16 Mar 2020 18:18:46 +0000 (15:18 -0300)
This new option was added to fill a gap in RPZ configuration
options.

It was possible to instruct BIND whether NSIP rewriting rules would
apply or not, depending on whether the required data was already in cache,
by means of the option nsip-wait-recurse.

A value of yes (default) could incur a little processing cost, since
BIND would need to recurse to find NS addresses in case they were not in
the cache.

This behavior could be changed by setting nsip-wait-recurse value to no,
in which case BIND would promptly return some error code if the NS IP addresses
data were not in cache, then BIND would start a recursive query
in background, so future similar requests would have the required data
(NS IPs) in cache, allowing BIND to apply NSIP rules accordingly.

A similar feature wasn't available for NSDNAME triggers, so this commit
adds the option nsdname-wait-recurse to fill this gap, as it was
expected by couple BIND users.

bin/named/server.c
lib/dns/include/dns/rpz.h
lib/isccfg/namedconf.c
lib/ns/query.c

index 781d9e013d5d9fc403c6eddc984044e91860efd5..2836429de3ff48b78d65bc7b24769f75b70bf67e 100644 (file)
@@ -2557,6 +2557,13 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
                zones->p.qname_wait_recurse = false;
        }
 
+       sub_obj = cfg_tuple_get(rpz_obj, "nsdname-wait-recurse");
+       if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
+               zones->p.nsdname_wait_recurse = true;
+       } else {
+               zones->p.nsdname_wait_recurse = false;
+       }
+
        sub_obj = cfg_tuple_get(rpz_obj, "nsip-wait-recurse");
        if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) {
                zones->p.nsip_wait_recurse = true;
index 4e834d7fe4e0a0f98de598e970fe2ea111870a43..966aaee0ed8c9bbf7d97db2541353eaab86230ed 100644 (file)
@@ -203,6 +203,7 @@ struct dns_rpz_popt {
        bool            break_dnssec;
        bool            qname_wait_recurse;
        bool            nsip_wait_recurse;
+       bool            nsdname_wait_recurse;
        unsigned int    min_ns_labels;
        dns_rpz_num_t   num_zones;
 };
index d3b0d6a41fe84ca9a611dcb8baa678e0cdeb80f7..55e16c997b15f23ae9e4158e20fbbd5a6bb18428 100644 (file)
@@ -1736,6 +1736,7 @@ static cfg_tuplefielddef_t rpz_fields[] = {
        { "min-update-interval", &cfg_type_duration, 0 },
        { "min-ns-dots", &cfg_type_uint32, 0 },
        { "nsip-wait-recurse", &cfg_type_boolean, 0 },
+       { "nsdname-wait-recurse", &cfg_type_boolean, 0 },
        { "qname-wait-recurse", &cfg_type_boolean, 0 },
        { "recursive-only", &cfg_type_boolean, 0 },
        { "nsip-enable", &cfg_type_boolean, 0 },
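Review bot: The new `nsdname-wait-recurse` tuple field is the only user-visible surface of this option, yet nothing in the diffstat touches the configuration reference under doc/ or the rpz system test, so as far as this commit shows the option ships undocumented and untested. A one-line entry next to nsip-wait-recurse in the rpz option documentation, describing it as the NSDNAME counterpart with a default of yes, plus a system-test case that sets it to no and checks that an NSDNAME trigger is not applied on the first query but is on a repeat, would make the change complete. Placing the field between nsip-wait-recurse and qname-wait-recurse is fine provided cfg_tuple_get looks fields up by name, which is what the server.c hunk appears to rely on.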
index 482b3f3b01ed8e5e857ef3ecd0a53258e813de8a..a503109db0f9c8159eb188f03e3a296a6d887982 100644 (file)
@@ -2826,7 +2826,10 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
                 */
                if (rpz_type == DNS_RPZ_TYPE_IP) {
                        result = DNS_R_NXRRSET;
-               } else if (!client->view->rpzs->p.nsip_wait_recurse) {
+               } else if (!client->view->rpzs->p.nsip_wait_recurse ||
+                          (!client->view->rpzs->p.nsdname_wait_recurse &&
+                           rpz_type == DNS_RPZ_TYPE_NSDNAME))
+               {
                        query_rpzfetch(client, name, type);
                        result = DNS_R_NXRRSET;
                } else {
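Review bot: The first disjunct of the new `else if`, `!client->view->rpzs->p.nsip_wait_recurse`, is not qualified by rpz_type, so whenever nsip-wait-recurse is no every non-IP lookup reaching this branch, NSDNAME ones included, still takes the background-fetch path and an explicit `nsdname-wait-recurse yes` has no effect in that configuration. If each option is meant to govern only its own trigger type, qualify both sides symmetrically: `} else if ((!client->view->rpzs->p.nsip_wait_recurse && rpz_type == DNS_RPZ_TYPE_NSIP) || (!client->view->rpzs->p.nsdname_wait_recurse && rpz_type == DNS_RPZ_TYPE_NSDNAME))`. This matters operationally because, per the commit description, the no-wait branch returns DNS_R_NXRRSET and lets the first query through without the rewrite while the fetch runs, so an operator setting nsdname-wait-recurse to yes expects that fail-open window to be closed for NSDNAME triggers regardless of the NSIP setting. Whether any rpz_type other than NSIP and NSDNAME can reach this branch cannot be seen here; the body of rpz_rrset_find begins and ends outside the hunk.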