[<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
[<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
+ [<span class="optional"> nsip-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> automatic-interface-scan <em class="replaceable"><code>yes_or_no</code></em> </span>]
; </span>]
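Review bot: the new `nsip-wait-recurse yes_or_no` grammar entry is placed next to `min-ns-dots` and `qname-wait-recurse`, which is the right spot, but the grammar alone gives no hint of its default or of the consequence of setting it to `no`; since the only description on this page lives inside the RPZ-NSIP trigger text further down, add a short term entry or a cross-reference beside `qname-wait-recurse` so an operator scanning the option list can find what `no` does before enabling it.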
policy records.
</p></dd>
<dt><span class="term"><span class="command"><strong>RPZ-NSIP</strong></span></span></dt>
-<dd><p>
- NSIP triggers are encoded like IP triggers except as
+<dd>
+<p>
+ NSIP triggers match the IP addresses of authoritative
+ servers. They are enncoded like IP triggers, except as
subdomains of <span class="command"><strong>rpz-nsip</strong></span>.
NSDNAME and NSIP triggers are checked only for names with at
least <span class="command"><strong>min-ns-dots</strong></span> dots.
- The default value of <span class="command"><strong>min-ns-dots</strong></span> is 1 to
- exclude top level domains.
- </p></dd>
+ The default value of <span class="command"><strong>min-ns-dots</strong></span> is
+ 1, to exclude top level domains.
+ </p>
+<p>
+ If a name server's IP address is not yet known,
+ <span class="command"><strong>named</strong></span> will recursively look up
+ the IP address before applying an RPZ-NSIP rule.
+ This can cause a processing delay. To speed up
+ processing at the cost of precision, the
+ <span class="command"><strong>nsip-wait-recurse</strong></span> option
+ can be used: when set to <strong class="userinput"><code>no</code></strong>,
+ RPZ-NSIP rules will only be applied when a name
+ servers's IP address has already been looked up and
+ cached. If a server's IP address is not in the
+ cache, then the RPZ-NSIP rule will be ignored,
+ but the address will be looked up in the
+ background, and the rule will be applied
+ to subsequent queries. The default is
+ <strong class="userinput"><code>yes</code></strong>, meaning RPZ-NSIP
+ rules should always be applied even if an
+ address needs to be looked up first.
+ </p>
+</dd>
</dl></div>
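Review bot: the `no` branch says the RPZ-NSIP rule "will be ignored" while the address is looked up in the background, but it should state plainly that the query is answered as though no RPZ-NSIP rule matched, that is, the policy fails open for the first query to a domain whose name server addresses are not yet cached; "at the cost of precision" undersells that for an operator choosing `no` to cut latency, so spell out that the first response escapes the policy and only later queries are filtered. Two typos in the added text as well: "enncoded" should be "encoded", and "name servers's" should be "name server's".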
<p>
</p>
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
+<li class="listitem"><p>
+ A new <code class="option">nsip-wait-recurse</code> directive has been
+ added to RPZ, specifying whether to look up unknown name server
+ IP addresses and wait for a response before applying RPZ-NSIP rules.
+ The default is <strong class="userinput"><code>yes</code></strong>. If set to
+ <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
+ apply RPZ-NSIP rules to servers whose addresses are already cached.
+ The addresses will be looked up in the background so the rule can
+ be applied on subsequent queries. This improves performance when
+ the cache is cold, at the cost of temporary imprecision in applying
+ policy directives. [RT #35009]
+ </p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
-<li class="listitem"><p>
+<li class="listitem">
+<p>
Added support for the AVC resource record type (Application
Visibility and Control).
- </p></li>
+ </p>
+<p>
+ Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
+ added zones are loaded asynchronously and the loading does not
+ block the server.
+ </p>
+</li>
</ul></div>
</div>
<div class="section">
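Review bot: the `rndc reconfig` paragraph has been appended as a second `<p>` inside the AVC resource record list item, so the release notes now present two unrelated changes as one entry; give it its own `<li class="listitem">` and an RT ticket reference, as the nsip-wait-recurse item has. In the nsip-wait-recurse item, "temporary imprecision in applying policy directives" should say what actually happens: with `no`, queries whose name server addresses are not yet cached are answered without the RPZ-NSIP rule being applied, so the policy is skipped for the first query rather than merely delayed.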
Retrieving the local port range from net.ipv4.ip_local_port_range
on Linux is now supported.
</p></li>
+<li class="listitem"><p>
+ A new <code class="option">nsip-wait-recurse</code> directive has been
+ added to RPZ, specifying whether to look up unknown name server
+ IP addresses and wait for a response before applying RPZ-NSIP rules.
+ The default is <strong class="userinput"><code>yes</code></strong>. If set to
+ <strong class="userinput"><code>no</code></strong>, <span class="command"><strong>named</strong></span> will only
+ apply RPZ-NSIP rules to servers whose addresses are already cached.
+ The addresses will be looked up in the background so the rule can
+ be applied on subsequent queries. This improves performance when
+ the cache is cold, at the cost of temporary imprecision in applying
+ policy directives. [RT #35009]
+ </p></li>
<li class="listitem"><p>
Within the <code class="option">response-policy</code> option, it is now
possible to configure RPZ rewrite logging on a per-zone basis
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
</p></li>
-<li class="listitem"><p>
+<li class="listitem">
+<p>
Added support for the AVC resource record type (Application
Visibility and Control).
- </p></li>
+ </p>
+<p>
+ Changed <span class="command"><strong>rndc reconfig</strong></span> behaviour so that newly
+ added zones are loaded asynchronously and the loading does not
+ block the server.
+ </p>
+</li>
</ul></div>
</div>
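Review bot: this hunk repeats, line for line, the release-notes hunk earlier in the patch (the nsip-wait-recurse item and the `rndc reconfig` paragraph inside the AVC item), so the same two points apply here: move the `rndc reconfig` text into its own list item with an RT reference, and make the nsip-wait-recurse item say that with `no` the first query to an uncached name server is answered without the policy applied. Whatever wording is settled on, keep both copies identical.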
<div class="section">
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
files ( unlimited | default | <sizeval> );
- filter-aaaa { <address_match_element>; ... };
- filter-aaaa-on-v4 ( break-dnssec | <boolean> );
- filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
- geoip-directory ( <quoted_string> | none );
- geoip-use-ecs <boolean>;
+ geoip-directory ( <quoted_string> | none ); // not configured
+ geoip-use-ecs ( <quoted_string> | none ); // not configured
has-old-clients <boolean>; // obsolete
heartbeat-interval <integer>;
host-statistics <boolean>; // not implemented
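Review bot: the `geoip-use-ecs` line changes its value type from `<boolean>` to `( <quoted_string> | none )`, which looks like a copy of the `geoip-directory` line above it rather than an intended change; the removed line shows the option is a yes/no switch, so the replacement should keep `<boolean>` and add only the `// not configured` comment. Also, the `// not configured` markers on the `filter-aaaa*` and `geoip-*` lines record the configure flags of whatever build generated this grammar, so confirm that documenting those features as compiled out is intended for the published text rather than an artefact of the builder's configuration.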
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
fetches-per-server <integer> [ ( drop | fail ) ];
fetches-per-zone <integer> [ ( drop | fail ) ];
- filter-aaaa { <address_match_element>; ... };
- filter-aaaa-on-v4 ( break-dnssec | <boolean> );
- filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
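Review bot: this block (no `files` or `flush-zones-on-shutdown` lines, so the view-level grammar) adds the same `// not configured` comment to the three `filter-aaaa*` lines as the global block above; the two blocks were edited separately, so whichever annotation text is finally agreed for the global block must be carried over here as well so the two grammars do not drift.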