RPZ: put SOA in modified responses

[Habbie]

• Program: Recursor
• Issue type: Bug report

Short description

When Recursor modifies a response as instructed by an RPZ, it should include the SOA of the RPZ zone in the Additional section of the response, as instructed by the last paragraph of https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-6

Environment

• Operating system: Debian buster
• Software version: git master @ b348322
• Software source: compile from git

Steps to reproduce

1. set up RPZ (I used the steps from RPZ: ENTs do not prevent wildcard expansion #8231)
2. send a query (like foo.2o7.net) that would be modified by the RPZ

Expected behaviour

NXDOMAIN + SOA in additional.

Actual behaviour

NXDOMAIN without SOA.

Other information

Usecase

Description

[aj-gh]

This would likely also help dnsdist to cache these answers (when running in front) ...

[chbruyand]

This would likely also help dnsdist to cache these answers (when running in front) ...

Hi ! Do you have anything specific in mind ? As far as I know, dnsdist doesn't care about the content of the response regarding caching it or not.

[rgacogne]

dnsdist kind of does, because it tries to get the minimum TTL of the response to determine how long it can cache it, and at the moment it refuses to cache an answer without any TTL at all to prevent caching a response forever. What we could do would be to use maxNegativeTTL when an answer has no record at all. It would be a breaking change but as long as we document it I'm fine with it.
Of course that only fixes it for dnsdist, so we might still want to return a SOA in RPZ-generated answers, which is the expected behaviour according to the current version of the RPZ specifications.