[RPZ] RPZ seen at MAAWG
Robert Edmonds
edmonds at isc.org
Sat Oct 9 20:24:02 UTC 2010
Paul Vixie wrote:
> > > #### SuperWildcard
> >
> > > The limitation of wildcard records could be an issue. If one lists:
> > > mecom.ae.@ IN A .
> > > *.mecom.ae.@ IN A .
> >
> > > How does one take care of www.qatar.mecom.ae without specifically
> > > listing *.qatar.mecom.ae in the zone? Do we need a Super Wildcard
> > > capability in zone file specifications that matches all sub-domains?
> > > not just the current level?
>
> sorry, hadn't seen this before. it is indeed the "superwild" you describe,
> since it's just dns. so just as *.vix.com would match www.lah1.vix.com in
> a normal dns zone file, so *.mecom.ae matches www.qatar.mecom.ae in an RPZ.

there is no "wildcard capability in zone file specifications that
matches _all_ sub-domains" [emphasis mine]. wildcards do not match
subdomains of themselves.

if RPZ is "just DNS", then i see no way to create an RPZ rule that can
match the following name, short of setting the RPZ origin name to ".":
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.bad.com.
--
Robert Edmonds
edmonds at isc.org
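
Added example (not part of the original message, and not code from any RPZ implementation): a small model of standard DNS zone-file wildcard lookup as defined in RFC 4592 (closest encloser, then source of synthesis), run over the names discussed in this thread. The function names are hypothetical, the owner names are written without the RPZ origin, and the multi-asterisk name is a shortened, constructed version of the one quoted above; whether a given resolver's RPZ matching follows exactly these rules is an assumption.

```python
def labels(name):
    """Lowercased labels of a domain name, leftmost first."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


def build_zone(owner_names):
    """Return (owners, existing). 'existing' also holds empty non-terminals:
    every ancestor of an owner name exists as well (RFC 4592 section 2.2.2)."""
    owners = {labels(o) for o in owner_names}
    existing = {o[i:] for o in owners for i in range(len(o) + 1)} | {()}
    return owners, existing


def match_owner(qname, owner_names):
    """Owner name whose records would answer qname, or None if nothing matches."""
    owners, existing = build_zone(owner_names)
    q = labels(qname)
    if q in existing:
        # The name exists: an exact match, or an empty non-terminal with no data.
        return ".".join(q) if q in owners else None
    # Closest encloser: the longest existing ancestor of qname.
    encloser = next(q[i:] for i in range(1, len(q) + 1) if q[i:] in existing)
    # Source of synthesis: the "*" label directly below the closest encloser.
    source = ("*",) + encloser
    return ".".join(source) if source in owners else None


if __name__ == "__main__":
    zone = ["mecom.ae", "*.mecom.ae"]           # names from the thread
    cases = [
        ("www.qatar.mecom.ae", zone),            # multi-label name, no closer encloser
        ("www.qatar.mecom.ae", zone + ["qatar.mecom.ae"]),  # closer encloser exists
        ("a.b.c.bad.com", ["*.bad.com"]),        # constructed sample
        ("*.*.*.bad.com", ["*.bad.com"]),        # literal "*" labels, shortened
    ]
    for qname, owners in cases:
        print(f"{qname:22} {owners} -> {match_owner(qname, owners)}")
```

In this model the multi-label name is covered only while no intermediate name such as qatar.mecom.ae exists, and a query made of literal `*` labels has `*.bad.com` itself as its closest encloser, so it would need `*.*.bad.com` (and so on, one record per level) to match.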