
HashedRPZ initial patch #544

Status: Open. Wants to merge 2 commits into base: master.
Conversation

@massar (massar) commented Sep 22, 2021

Hi Folks,

As mentioned in email, I have been working on a HashedRPZ patch for unbound.

With the recent RPZ changes and other work, this took a bit longer than I wanted, but hereby it is: HashedRPZ support for unbound.

This will very likely need various improvements, amongst others:

  • Documentation (how to configure and use it)
  • Library & Packaging (especially as there is no packaging for HashedRPZ at the moment)
  • "longtest" integration

thus comments welcome for these and likely other points.

And in the future also the inline key support and possibly some speed improvements (dname_str and sldns_str2wire_dname_buf usage are likely not superb for speed reasons; but considering HashedRPZ works on a full human-version label and not a wire-label, one of those is unavoidable from my attempts at avoiding the conversion).

One way to test this, if there is a zone named rpz.example.net, use the hasher command to generate a hash:

echo "blocked.example.com" | ./hasher --key "YourVeryLongOOBKey" --origindomain "rpz.example.net"

which should result in:

j0gn0ttdghhmi.2v5iif0s6mecs.kqh7s2

Then in a zonefile, enter:

$ORIGIN rpz.example.net.
@ IN SOA . rpz.example.net. ( 2021080515 86400 7200 3600000 172800 )
@                               IN NS         ns1.example.net.
@                               IN NS         ns2.example.net.
j0gn0ttdghhmi.2v5iif0s6mecs.kqh7s2 IN CNAME .

and, if that zone file is then loaded with the following snippet in unbound.conf:

rpz:
	name: rpz.example.net.
	zonefile: rpz.example.net
	rpz-hashed-keyoob: "YourVeryLongOOBKey"

and one then performs a dig @ns1.example.net. blocked.example.com, it should return NXDOMAIN.

(Having an actual blocked.example.com with a TXT record saying "you should not see me" or similar can be beneficial for testing)

Regards,
Jeroen
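The test procedure above, as an added shell harness that is not part of the PR or of unbound: it hashes the name with the PR's hasher tool, confirms the hashed owner name is present in the zone file, and then checks that the resolver really answers NXDOMAIN. It assumes ./hasher and dig are available; the key, origin and resolver are the placeholder values from the description.

```shell
#!/bin/sh
# Added example: end-to-end check that a HashedRPZ entry blocks a name.
# Assumes ./hasher (from this PR) and dig are runnable from this directory.

# Extract the "status:" field from captured output of a plain (non-+short) dig.
# Reads stdin so it can be exercised on constructed text without a resolver.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*$/\1/p' | head -n 1
}

# Succeed if the zone file has an owner name equal to the given hash
# (e.g. "j0gn0ttdghhmi.2v5iif0s6mecs.kqh7s2 IN CNAME .").
zone_has_hash() {
    zonefile="$1"; h="$2"
    grep -q "^${h}[[:space:]]" "$zonefile"
}

# Hash the name, verify it is in the zone, then query the resolver.
# Returns 0 when the resolver answers NXDOMAIN, 1 otherwise, 2 if hashing fails.
check_blocked() {
    name="$1"; key="$2"; origin="$3"; zonefile="$4"; resolver="$5"
    h=$(printf '%s\n' "$name" | ./hasher --key "$key" --origindomain "$origin") || return 2
    if ! zone_has_hash "$zonefile" "$h"; then
        echo "hash $h for $name is not in $zonefile" >&2
        return 1
    fi
    status=$(dig @"$resolver" "$name" | dig_status)
    [ "$status" = "NXDOMAIN" ]
}

# Usage with the placeholder values from the PR description:
# check_blocked blocked.example.com YourVeryLongOOBKey rpz.example.net rpz.example.net ns1.example.net
```

If the hash is present but the status is not NXDOMAIN, the zone is loaded but the rpz-hashed-keyoob value does not match the key used for hashing, or the rpz block is not applied to that query.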
