modules/refuse_nord: document usage

author: Tomas Krizek <tomas.krizek@nic.cz> 2019-07-24 11:47:00 +0200
committer: Tomas Krizek <tomas.krizek@nic.cz> 2019-07-24 11:53:21 +0200
commit: b148318382e32eb9b62e4dc4d9dc0f0f441e168f (patch)
tree: 40a0cf63fd37e2e7505dd18032f3f130a0035178 /modules
parent: modules/refuse_nord: add test (diff)
download: knot-resolver-b148318382e32eb9b62e4dc4d9dc0f0f441e168f.tar.xz
knot-resolver-b148318382e32eb9b62e4dc4d9dc0f0f441e168f.zip
2 files changed, 15 insertions, 0 deletions
diff --git a/modules/refuse_nord/README.rst b/modules/refuse_nord/README.rst
new file mode 100644
index 00000000..a328beed
--- /dev/null
+++ b/modules/refuse_nord/README.rst
@@ -0,0 +1,14 @@
+.. _mod-refuse_nord:
+
+Refuse queries without RD bit
+-----------------------------
+
+This module ensures all queries without RD (recursion desired) bit set in query
+are answered with REFUSED. This prevents snooping on the resolver's cache content.
+
+The module is loaded by default. If you'd like to disable this behavior, you can
+unload it:
+
+.. code-block:: lua
+
+   modules.unload('refuse_nord')
diff --git a/modules/refuse_nord/test.integr/refuse_nord.rpl b/modules/refuse_nord/test.integr/refuse_nord.rpl
index 6682b6be..216635c2 100644
--- a/modules/refuse_nord/test.integr/refuse_nord.rpl
+++ b/modules/refuse_nord/test.integr/refuse_nord.rpl
@@ -6,6 +6,7 @@ SCENARIO_BEGIN Test refuse queries without RD bit
 
 STEP 10 QUERY
 ENTRY_BEGIN
+; RD bit is cleared
 SECTION QUESTION
 www.example.com IN A
 ENTRY_END
author	Tomas Krizek <tomas.krizek@nic.cz>	2019-07-24 11:47:00 +0200
committer	Tomas Krizek <tomas.krizek@nic.cz>	2019-07-24 11:53:21 +0200
commit	b148318382e32eb9b62e4dc4d9dc0f0f441e168f (patch)
tree	40a0cf63fd37e2e7505dd18032f3f130a0035178 /modules
parent	modules/refuse_nord: add test (diff)
download	knot-resolver-b148318382e32eb9b62e4dc4d9dc0f0f441e168f.tar.xz knot-resolver-b148318382e32eb9b62e4dc4d9dc0f0f441e168f.zip