[RPZ] Lack of RRTYPE-specific filtering

Paul Vixie vixie at isc.org
Mon Aug 9 17:49:20 UTC 2010

> From: Florian Weimer <fweimer at bfk.de>
> Date: Mon, 09 Aug 2010 17:13:00 +0000
> Existing response policy providers in Germany seem to face a requirement
> that a policy can be applied selectively to A and MX RRs.  In other
> words, it should be possible to supply a policy response for QTYPE=A, but
> not for QTYPE=MX, for the same QNAME.  I don't think this can be encoded
> in the current proposal.

right.  if you encode a policy for QTYPE=A but for nothing else, then the
answer to QTYPE<>A will always be NOERROR/ANCOUNT=0.  this seems useless,
and i'm open to changing the default to be that QTYPE<>A would get a normal
answer.  we'd have to add an encoding (probably RPZ QTYPE=NULL) to get the
current behaviour for those who (for reasons i can't imagine) need that.

other voices?

More information about the DNSfirewalls mailing list