static unsigned int g_numWorkerThreads;
static int g_tcpTimeout;
static uint16_t g_udpTruncationThreshold;
-static uint16_t g_xpfOptionCode{0};
+static uint16_t g_xpfRRCode{0};
static std::atomic<bool> statsWanted;
static std::atomic<bool> g_quiet;
static bool g_logCommonErrors;
bool& foundECS, EDNSSubnetOpts* ednssubnet, std::map<uint16_t, EDNSOptionView>* options,
bool& foundXPF, ComboAddress* xpfSource, ComboAddress* xpfDest)
{
- const bool lookForXPF = xpfSource != nullptr && g_xpfOptionCode != 0;
+ const bool lookForXPF = xpfSource != nullptr && g_xpfRRCode != 0;
const bool lookForECS = ednssubnet != nullptr;
const struct dnsheader* dh = reinterpret_cast<const struct dnsheader*>(question.c_str());
size_t questionLen = question.length();
}
}
}
- else if (lookForXPF && ntohs(drh->d_type) == g_xpfOptionCode && ntohs(drh->d_class) == QClass::IN && drh->d_ttl == 0) {
+ else if (lookForXPF && ntohs(drh->d_type) == g_xpfRRCode && ntohs(drh->d_class) == QClass::IN && drh->d_ttl == 0) {
if ((questionLen - pos) < ntohs(drh->d_clen)) {
return;
}
g_useIncomingECS = ::arg().mustDo("use-incoming-edns-subnet");
g_XPFAcl.toMasks(::arg()["xpf-allow-from"]);
- g_xpfOptionCode = ::arg().asNum("xpf-option-code");
+ g_xpfRRCode = ::arg().asNum("xpf-rr-code");
g_networkTimeoutMsec = ::arg().asNum("network-timeout");
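Review bot: `g_xpfRRCode` is declared `uint16_t` (see the static declarations earlier in this diff), yet `::arg().asNum("xpf-rr-code")` is assigned to it with no range check; asNum's return type is not visible here, but if it is wider than 16 bits an out-of-range value such as 65537 silently wraps to 1 (the A type) instead of being rejected, and the wrapped value is then compared verbatim against `drh->d_type` in the XPF matching branch. Since 0 is the documented "disabled" value and anything else selects which records in incoming queries are trusted as XPF, I would validate at startup: `const int rrCode = ::arg().asNum("xpf-rr-code");` / `if (rrCode < 0 || rrCode > 65535) { /* fatal configuration error, same path the surrounding loader uses */ }` / `g_xpfRRCode = static_cast<uint16_t>(rrCode);`. The enclosing function starts and ends outside this hunk.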
::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no";
::arg().set("xpf-allow-from","XPF information is only processed from these subnets")="";
- ::arg().set("xpf-option-code","XPF option code to use")="0";
+ ::arg().set("xpf-rr-code","XPF option code to use")="0";
::arg().setCmd("help","Provide a helpful message");
::arg().setCmd("version","Print version string");
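Review bot: The help text on the renamed setting still reads "XPF option code to use" although the setting is now `xpf-rr-code` and the documentation in this same commit describes it as a resource record code; the string shown by `--help`/`--config` should match the new name. I'd change it to `::arg().set("xpf-rr-code","XPF resource record type code to use (0 disables XPF)")="0";` so that the disabled value is visible next to the default. The function containing these `::arg().set` calls starts and ends outside this hunk.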
If a PID file should be written to `socket-dir`_
+.. _setting-xpf-allow-from:
+
``xpf-allow-from``
--------------
-.. versionadded:: 4.1.0
+------------------
+.. versionadded:: 4.2.0
- IP ranges, separated by commas
- Default: empty
-This is an experimental implementation of `draft-bellis-dnsop-xpf`.
+.. note::
+ This is an experimental implementation of `draft-bellis-dnsop-xpf <https://datatracker.ietf.org/doc/draft-bellis-dnsop-xpf/>`_.
+
The server will trust XPF records found in queries sent from those netmasks (both IPv4 and IPv6),
and will adjust queries' source and destination accordingly. This is especially useful when the recursor
-is placed behind a proxy like dnsdist.
-Note that the `allow-from`_ setting is still applied to the original source address, and thus access restriction
+is placed behind a proxy like `dnsdist <https://dnsdist.org>`_.
+Note that the ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
should be done on the proxy.
-``xpf-option-code``
--------------
-.. versionadded:: 4.1.0
+.. _setting-xpf-rr-code:
+
+``xpf-rr-code``
+-------------------
+.. versionadded:: 4.2.0
- Integer
- Default: 0
-This is an experimental implementation of `draft-bellis-dnsop-xpf`.
-The option code to use for XPF records, as long as an official code has not been assigned to it. 0 means disabled.
+.. note::
+ This is an experimental implementation of `draft-bellis-dnsop-xpf <https://datatracker.ietf.org/doc/draft-bellis-dnsop-xpf/>`_.
+
+This option sets the resource record code to use for XPF records, as long as an official code has not been assigned to it.
+0 means that XPF is disabled.
Before upgrading, it is advised to read the :doc:`changelog/index`.
When upgrading several versions, please read **all** notes applying to the upgrade.
+4.1.x to 4.2.0 or master
+------------------------
+
+Two new settings have been added:
+
+- :ref:`setting-xpf-allow-from` can contain a list of IP addresses ranges from which `XPF (X-Proxied-For) <https://datatracker.ietf.org/doc/draft-bellis-dnsop-xpf/>`_ records will be trusted.
+- :ref:`setting-xpf-rr-code` should list the number of the XPF record to use (in lieu of an assigned code).
+
4.0.x to 4.1.0
--------------