[RPZ] RPZ seen at MAAWG

Paul Vixie vixie at isc.org
Sat Oct 9 21:22:47 UTC 2010


> Date: Sat, 9 Oct 2010 16:24:02 -0400
> From: Robert Edmonds <edmonds at isc.org>
> 
> there is no "wildcard capability in zone file specifications that
> matches _all_ sub-domains" [emphasis mine].  wildcards do not match
> subdomains of themselves.
> 
> if RPZ is "just DNS", then i see no way to create an RPZ rule that can
> match the following name, short of setting the RPZ origin name to ".":
> 
> *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.bad.com.

understood, but i'm not worried about the bad guys doing that.  yet.
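
Added example (not part of the original message, and not ISC or BIND code): a minimal Python model of RFC 4592 wildcard lookup, showing which query names a wildcard rule covers if RPZ rules are matched as ordinary DNS names. The Zone class and the rule sets are constructed for illustration; owner names are written relative to the RPZ origin, and escaped dots inside labels are not handled.

```python
def labels(name):
    """Split a presentation-format name into lowercase labels."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


class Zone:
    """Constructed model of a policy zone: a set of owner names with data."""

    def __init__(self, owners):
        self.data = {labels(o) for o in owners}
        # Every ancestor of an owner name exists as a node, even when it
        # holds no records (an empty non-terminal).
        self.nodes = {l[i:] for l in self.data for i in range(len(l) + 1)}

    def match(self, qname):
        """Return the owner name of the rule that answers qname, or None."""
        q = labels(qname)
        if q in self.nodes:
            # An existing name never triggers wildcard synthesis.
            return ".".join(q) if q in self.data else None
        # Closest encloser: the longest ancestor of qname that exists.
        for i in range(1, len(q) + 1):
            encloser = q[i:]
            if encloser in self.nodes:
                # Source of synthesis is "*" directly below the encloser.
                source = ("*",) + encloser
                return ".".join(source) if source in self.data else None
        return None


if __name__ == "__main__":
    one_rule = Zone(["*.bad.com"])
    two_rules = Zone(["*.bad.com", "*.*.bad.com"])
    for zone, qname in [
        (one_rule, "www.bad.com"),     # covered
        (one_rule, "a.b.bad.com"),     # covered: closest encloser is bad.com
        (one_rule, "bad.com"),         # not covered: empty non-terminal
        (one_rule, "x.*.bad.com"),     # not covered: encloser is *.bad.com
        (two_rules, "x.*.bad.com"),    # covered by the second rule
        (two_rules, "x.*.*.bad.com"),  # not covered: one level deeper again
    ]:
        print(f"{qname:16} -> {zone.match(qname)}")
```

Each additional literal "*" label in the query name moves the closest encloser one level down, so a rule set written this way covers only the depths it lists explicitly.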



More information about the DNSfirewalls mailing list