From: Pieter Lexis
Date: Tue, 23 Jan 2018 09:09:11 +0000 (+0100)
Subject: XPF, Rec: Rename Option Code to RR Code
X-Git-Tag: dnsdist-1.3.0~126^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59cb4a7918c345d782eb8a7f8578abf4b4d4ca62;p=pdns

XPF, Rec: Rename Option Code to RR Code
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index a6f9f99db..699b38985 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -148,7 +148,7 @@ static unsigned int g_maxMThreads;
 static unsigned int g_numWorkerThreads;
 static int g_tcpTimeout;
 static uint16_t g_udpTruncationThreshold;
-static uint16_t g_xpfOptionCode{0};
+static uint16_t g_xpfRRCode{0};
 static std::atomic statsWanted;
 static std::atomic g_quiet;
 static bool g_logCommonErrors;
@@ -1385,7 +1385,7 @@ static void getQNameAndSubnet(const std::string& question, DNSName* dnsname, uin
 bool& foundECS, EDNSSubnetOpts* ednssubnet, std::map* options,
 bool& foundXPF, ComboAddress* xpfSource, ComboAddress* xpfDest)
 {
- const bool lookForXPF = xpfSource != nullptr && g_xpfOptionCode != 0;
+ const bool lookForXPF = xpfSource != nullptr && g_xpfRRCode != 0;
 const bool lookForECS = ednssubnet != nullptr;
 const struct dnsheader* dh = reinterpret_cast(question.c_str());
 size_t questionLen = question.length();
@@ -1440,7 +1440,7 @@ static void getQNameAndSubnet(const std::string& question, DNSName* dnsname, uin
 }
 }
 }
- else if (lookForXPF && ntohs(drh->d_type) == g_xpfOptionCode && ntohs(drh->d_class) == QClass::IN && drh->d_ttl == 0) {
+ else if (lookForXPF && ntohs(drh->d_type) == g_xpfRRCode && ntohs(drh->d_class) == QClass::IN && drh->d_ttl == 0) {
 if ((questionLen - pos) < ntohs(drh->d_clen)) {
 return;
 }
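Review bot: The renamed global `static uint16_t g_xpfRRCode{0};` carries an undocumented sentinel: the `g_xpfRRCode != 0` gate in the -1385 hunk shows that zero switches XPF lookup off entirely, but nothing at the declaration says so. A one-line comment would spare the next reader the search, e.g. `static uint16_t g_xpfRRCode{0}; // RR type number carrying XPF data; 0 disables XPF lookup`. The -1440 hunk also shows that a record is accepted as XPF on type, class IN and TTL 0 alone, so the declaration comment is the natural place to state that the value is meant to be a type number not otherwise in use. getQNameAndSubnet starts and ends outside both of those hunks.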
@@ -3065,7 +3065,7 @@ static int serviceMain(int argc, char*argv[])
 g_useIncomingECS = ::arg().mustDo("use-incoming-edns-subnet");
 g_XPFAcl.toMasks(::arg()["xpf-allow-from"]);
- g_xpfOptionCode = ::arg().asNum("xpf-option-code");
+ g_xpfRRCode = ::arg().asNum("xpf-rr-code");
 g_networkTimeoutMsec = ::arg().asNum("network-timeout");
@@ -3500,7 +3500,7 @@ int main(int argc, char **argv)
 ::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no";
 ::arg().set("xpf-allow-from","XPF information is only processed from these subnets")="";
- ::arg().set("xpf-option-code","XPF option code to use")="0";
+ ::arg().set("xpf-rr-code","XPF option code to use")="0";
 ::arg().setCmd("help","Provide a helpful message");
 ::arg().setCmd("version","Print version string");
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 67eb4d311..ab3047b06 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
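Review bot: `g_xpfRRCode = ::arg().asNum("xpf-rr-code");` stores the configured value into a `uint16_t` with no range check, so a value outside 0–65535 would be silently truncated (assuming `asNum` returns a wider integer, which the hunk does not show) and XPF matching could end up enabled on a type number the operator never chose. Because the -1440 hunk earlier in this file accepts a record as XPF on type, class and TTL alone, a wrong code here changes which records are trusted for source-address rewriting, so rejecting an out-of-range value at startup is worth the extra lines. The rest of serviceMain lies outside the hunk; the fatal-configuration-error convention used elsewhere in it should be followed rather than the exception shown below.
```cpp
  // … unchanged: g_XPFAcl.toMasks(...) …
  const int xpfRRCode = ::arg().asNum("xpf-rr-code");
  if (xpfRRCode < 0 || xpfRRCode > 65535) {
    throw PDNSException("xpf-rr-code must be between 0 and 65535");
  }
  g_xpfRRCode = static_cast<uint16_t>(xpfRRCode);
```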
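Review bot: The help string in `::arg().set("xpf-rr-code","XPF option code to use")="0";` still says "option code" after the setting itself was renamed, so the built-in help will contradict both the setting name and the settings.rst text in this same commit. Something like `::arg().set("xpf-rr-code","Resource record type number to use for XPF records, 0 disables XPF")="0";` keeps the three in step and surfaces the zero-means-disabled rule that today only the docs state. main's body continues outside the hunk. The settings.rst hunk that follows also writes the cross-reference as ref:`setting-allow-from`, missing the leading colon of the :ref: role, which Sphinx will render as literal text rather than a link.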
@@ -1163,26 +1163,35 @@ TCP port where the webserver should listen on.
 If a PID file should be written to `socket-dir`_
+.. _setting-xpf-allow-from:
+
 ``xpf-allow-from``
--------------
-.. versionadded:: 4.1.0
+------------------
+.. versionadded:: 4.2.0
 - IP ranges, separated by commas
 - Default: empty
-This is an experimental implementation of `draft-bellis-dnsop-xpf`.
+.. note::
+ This is an experimental implementation of `draft-bellis-dnsop-xpf `_.
+
 The server will trust XPF records found in queries sent from those netmasks (both IPv4 and IPv6), and will adjust queries' source and destination accordingly.
 This is especially useful when the recursor
-is placed behind a proxy like dnsdist.
-Note that the `allow-from`_ setting is still applied to the original source address, and thus access restriction
+is placed behind a proxy like `dnsdist `_.
+Note that the ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
 should be done on the proxy.
-``xpf-option-code``
--------------
-.. versionadded:: 4.1.0
+.. _setting-xpf-rr-code:
+
+``xpf-rr-code``
+-------------------
+.. versionadded:: 4.2.0
 - Integer
 - Default: 0
-This is an experimental implementation of `draft-bellis-dnsop-xpf`.
-The option code to use for XPF records, as long as an official code has not been assigned to it. 0 means disabled.
+.. note::
+ This is an experimental implementation of `draft-bellis-dnsop-xpf `_.
+
+This option sets the resource record code to use for XPF records, as long as an official code has not been assigned to it.
+0 means that XPF is disabled.
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index aab2fed0b..ad68e1e57 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -4,6 +4,14 @@ Upgrade Guide
 Before upgrading, it is advised to read the :doc:`changelog/index`.
 When upgrading several versions, please read **all** notes applying to the upgrade.
+4.1.x to 4.2.0 or master
+------------------------
+
+Two new settings have been added:
+
+- :ref:`setting-xpf-allow-from` can contain a list of IP addresses ranges from which `XPF (X-Proxied-For) `_ records will be trusted.
+- :ref:`setting-xpf-rr-code` should list the number of the XPF record to use (in lieu of an assigned code).
+
 4.0.x to 4.1.0
 --------------