[RPZ] Lack of RRTYPE-specific filtering
Paul Vixie
vixie at isc.org
Mon Aug 9 17:49:20 UTC 2010
> From: Florian Weimer <fweimer at bfk.de>
> Date: Mon, 09 Aug 2010 17:13:00 +0000
>
> Existing response policy providers in Germany seem to face a requirement
> that a policy can be applied selectively to A and MX RRs. In other
> words, it should be possible to supply a policy response for QTYPE=A, but
> not for QTYPE=MX, for the same QNAME. I don't think this can be encoded
> in the current proposal.
right. if you encode a policy for QTYPE=A but for nothing else, then the
answer to QTYPE<>A will always be NOERROR/ANCOUNT=0. this seems useless,
and i'm open to changing the default to be that QTYPE<>A would get a normal
answer. we'd have to add an encoding (probably RPZ QTYPE=NULL) to get the
current behaviour for those who (for reasons i can't imagine) need that.
other voices?
More information about the DNSfirewalls
mailing list