3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
(cherry picked from commit 8159e80279408be50d31db5d853ae2736bd1934d)
Squashed commit of the following:
commit 7ad3daade513c94a1c92ee7c91c112f161d13ef4
Author: Mark Andrews <marka@isc.org>
Date: Mon Dec 3 15:03:44 2012 +1100
look at the second token to determine if a TXT record in of unknown format or not
commit 7df32138462646f6aee84ffa56d02ac24ec8d672
Author: Mark Andrews <marka@isc.org>
Date: Mon Dec 3 12:42:18 2012 +1100
'"\#"' was incorrectly being treated as a unknown data escape sequence.
commit 4d29cea2ea05491a7afebc343e41d9b6ad58f068
commit 3211da9716e5ecc0bb758666db70a667ca5a944e
commit 884b6f5d5e9b1f50757c606adafabe382b90c80b
commit 53f82565f72f091a46caed754db160e4a7a2d161
Merge: 8f73664 9698f42
commit 8f73664e7bdc04f766ddcccfb5fc5f857a22326a
for rt26172
Add
- optional "recursive-only yes|no" to the response-policy statement
- optional max-policy-ttl to limit the lies that "recursive-only no"
can introduce into resolvers' caches
- test that queries with RD=0 are not rewritten by default
- performance smoke test
Change encoding of PASSTHRU action to "rpz-passthru".
(The old encoding is still accepted.)
Fix rt26180 assert botch in zone_findrdataset() in this branch
as well.
Fix missing signatures on NOERROR results despite RPZ hits
when there are signatures and the client asks for DNSSEC,
3329. [bug] Handle RRSIG signer-name case consistently: We
generate RRSIG records with the signer-name in
lower case. We accept them with any case, but if
they fail to validate, we try again in lower case.
[RT #27451]
