[RPZ] something_else.pseudotld.tld and BIND and DNS in the wild

Fred Morris m3047 at m3047.net
Thu Apr 21 07:58:13 UTC 2011

It comes to my attention that some pseudo TLDs, for instance t35.com, allow 
underscores in owner names for which they offer up RRs. It doesn't strictly 
matter what they allow as what strictly matters, although yes ironically they 
are serving up A RRs like this. (They don't allow `rm -rf *`.t35.com in any 

The fun occurs when you try to add something_else.pseudotld.tld.my-rpz to the 
zone my-rpz. Adding

  something_else.pseudotld.tld.my-rpz CNAME .

is no problem with BIND. But out-of-the-box,

  something_else.pseudotld.tld.my-rpz A

is right out. So you can NX them, but you can't send them to a walled garden.

You can spend a lot of time (don't ask me how I know) tracking something like 
this down.

It looks like the check-names option can address this; I'll be playing with 
that tomorrow.

This matters to people implementing RPZs because you may not allow or condone 
domains or hostnames with underscores, but the people you are trying to 
sinkhole may be doing just that; and if I read correctly, the default for 
masters is to fail and slaves is to warn, and if you're implementing an RPZ 
you probably don't want either of those behaviors... you just want to 
silently add it to your RPZ because it is what it is.


Fred Morris

More information about the DNSfirewalls mailing list