HashedRPZ initial patch
Hi Folks,
As mentioned in email, I have been working on a HashedRPZ patch for unbound.
With the recent RPZ changes and other work, this took a bit longer than I wanted, but hereby it is: HashedRPZ support for unbound.
This will very likely need various improvements, amongst others:
- Documentation (how to configure and use it)
- Library & Packaging (especially as there is no packaging for HashedRPZ at the moment)
- "longtest" integration
thus comments welcome for these and likely other points.
and in the future also the inline key support and possibly some speed improvements (dname_str and sldns_str2wire_dname_buf usage are likely not superb for speed reasons; but considering HashedRPZ works on a full human-version label and not wire-label, one of those is unavoidable from my attempts at avoiding the conversion).
One way to test this, assuming there is a zone named rpz.example.net, is to use the hasher command to generate a hash:
echo "blocked.example.com" | ./hasher --key "YourVeryLongOOBKey" --origindomain "rpz.example.net"
which should result in:
j0gn0ttdghhmi.2v5iif0s6mecs.kqh7s2
Then in a zonefile, enter:
$ORIGIN rpz.example.net.
@ IN SOA . rpz.example.net. ( 2021080515 86400 7200 3600000 172800 )
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
j0gn0ttdghhmi.2v5iif0s6mecs.kqh7s2 IN CNAME .
and, if that zone file is then loaded with the following snippet in unbound.conf:
rpz:
    name: rpz.example.net.
    zonefile: rpz.example.net
    rpz-hashed-keyoob: "YourVeryLongOOBKey"
then a dig @ns1.example.net. blocked.example.com should return NXDOMAIN.
(Having an actual blocked.example.com with a TXT record saying "you should not see me" or similar can be beneficial for testing)
Regards, Jeroen
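An added shell script (not part of the patch or of this mail) that automates the test recipe above: it assumes the hasher binary from the patch and dig are on PATH and that the resolver named in RESOLVER is the unbound instance that loaded the zone; the key, origin and blocked name are the values from the mail.

```shell
#!/bin/sh
# Automates the HashedRPZ test recipe: hash the name, write the zone and the
# unbound.conf rpz stanza, then check that a lookup is answered with NXDOMAIN.
set -eu

ORIGIN="rpz.example.net"
KEY="YourVeryLongOOBKey"       # out-of-band key shared by hasher and resolver
NAME="blocked.example.com"
RESOLVER="ns1.example.net."    # assumed: the unbound instance with the zone loaded

# Emit the RPZ zone for one hashed owner name ($2) under origin ($1).
# The hashed labels are relative to the origin; CNAME to "." is the RPZ
# NXDOMAIN action.
make_rpz_zone() {
    origin=$1; hashed=$2
    printf '$ORIGIN %s.\n' "$origin"
    printf '@ IN SOA . %s. ( 2021080515 86400 7200 3600000 172800 )\n' "$origin"
    printf '@ IN NS ns1.example.net.\n@ IN NS ns2.example.net.\n'
    printf '%s IN CNAME .\n' "$hashed"
}

# Emit the unbound.conf rpz stanza that loads the zone with the same key.
make_rpz_conf() {
    origin=$1; key=$2
    printf 'rpz:\n    name: %s.\n    zonefile: %s\n' "$origin" "$origin"
    printf '    rpz-hashed-keyoob: "%s"\n' "$key"
}

# Read dig output on stdin and print the status from its header line
# (NXDOMAIN, NOERROR, ...), so a caller can assert on it.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# End-to-end run, only when the tools are actually available.
if command -v hasher >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
    hashed=$(printf '%s\n' "$NAME" | hasher --key "$KEY" --origindomain "$ORIGIN")
    make_rpz_zone "$ORIGIN" "$hashed" > "$ORIGIN"
    make_rpz_conf "$ORIGIN" "$KEY" > rpz-test.conf
    status=$(dig "@$RESOLVER" "$NAME" | dig_status)
    if [ "$status" = NXDOMAIN ]; then
        echo "blocked: $NAME"
    else
        echo "NOT blocked ($status): $NAME (key mismatch or zone not loaded?)"
    fi
fi
```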