[RPZ] RPZ seen at MAAWG

Paul Vixie vixie at isc.org
Sat Oct 9 21:22:47 UTC 2010

> Date: Sat, 9 Oct 2010 16:24:02 -0400
> From: Robert Edmonds <edmonds at isc.org>
> there is no "wildcard capability in zone file specifications that
> matches _all_ sub-domains" [emphasis mine].  wildcards do not match
> subdomains of themselves.
> if RPZ is "just DNS", then i see no way to create an RPZ rule that can
> match the following name, short of setting the RPZ origin name to ".":
> *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.bad.com.

understood, but i'm not worried about the bad guys doing that.  yet.
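
The matching rule under discussion, as an added example that is not part of either message: a minimal RFC 4592 wildcard lookup, assuming plain DNS wildcard semantics and not the behavior of any particular RPZ implementation. The zone entries, the query names and the helpers `labels`, `lookup` and `demo` are constructed for illustration.

```python
# Added illustration: RFC 4592 wildcard lookup. Owner names are written
# relative to the zone origin; all zone data and query names are constructed.

def labels(name):
    """Split a presentation-format name into lowercase labels (root dropped)."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)

def lookup(owners, qname):
    """Return (status, owner): exact, nodata, wildcard or nomatch."""
    zone = {labels(o) for o in owners}
    # A name "exists" if it owns data or is an ancestor of a name that does
    # (an empty non-terminal); the origin itself is the empty tuple.
    exists = {o[i:] for o in zone for i in range(len(o) + 1)}
    exists.add(())
    q = labels(qname)
    if q in zone:
        return ("exact", ".".join(q))
    if q in exists:
        return ("nodata", None)          # empty non-terminal: no synthesis
    # Closest encloser: the longest existing proper ancestor of the query.
    encloser = next(q[i:] for i in range(1, len(q) + 1) if q[i:] in exists)
    source = ("*",) + encloser           # the only wildcard that may answer
    if source in zone:
        return ("wildcard", ".".join(source))
    return ("nomatch", None)

ZONE = ["bad.com", "*.bad.com"]          # constructed policy-style entries

def demo():
    """Look up names of increasing depth, including ones with '*' labels."""
    queries = ["bad.com", "www.bad.com", "a.b.bad.com",
               "x.*.bad.com", "*.*.*.bad.com"]
    return {q: lookup(ZONE, q) for q in queries}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Once a query name passes through a literal `*` label, its closest encloser is the wildcard owner itself, so the only candidate for synthesis is `*.*.bad.com`, which the zone does not contain.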
