[RPZ] documentation

April Lorenzen ietf.siq at codelock.com
Tue Jun 28 23:04:03 UTC 2011


I am reading this:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#id2597633

In the 4th paragraph:

"IN-ARPA. prefix.B.B.B.B with prefix between 1 and 32 and B between 1
and 255 encodes an IPv4 address. "

The zone example in the same section (Response Policy Zone (RPZ)
Rewriting section) does use zeros so I suggest a correction in the
sentence above such as "between 0 and 255." I guess this would be an
obvious typo but since I was having a problem getting proper syntax
working today (now resolved) it did cause me to ponder and wonder what
I was getting wrong.

*************

The last paragraph before the example configuration refers to a
"policy clause" where a single answer can be specified to override any
answers on individual records.

All of the policies in an RPZ can be overridden with a policy clause.
given says "do not override." no-op says "do nothing" regardless of
the policy in RPZ records. nxdomain causes all RPZ rules to generate
NXDOMAIN results. nodata gives nodata. cname domain causes all RPZ
rules to act as if they consisted of a "cname domain" record.

I can't find an example of exactly where to put something like cname
example.com. to act as the answer for all records in the zone.

Also can this feature be used to save bytes by not repeating on every
line CNAME example.com. or is there another feature for this?

I tried searching for any reference to a "policy clause" and tried
inserting cname example.com; into

response-policy { zone "bl"; cname example.com; };

but this caused a fatal start-up error:

  /etc/bind/named.options:18: unknown option 'cname'

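The two things the post wrestles with, how the reversed-octet IP trigger owner names are spelled (octets of 0 included) and what the per-record CNAME actions look like, can be made concrete with a small generator. The following is an added example in Python; it is not code from the post, from the list, or from ISC. The IP-trigger suffix label (here "rpz-ip"), the zone origin "bl", the target example.com., and every trigger in the sample list are assumptions: substitute the label and grammar your installed BIND release's ARM specifies.

```python
"""Generate BIND 9 RPZ records: IPv4-address triggers in reversed-octet form
and QNAME triggers, each carrying a CNAME-encoded policy action.

Added example, not code from the mailing-list post or from ISC.  Assumptions:
RPZ_IP_LABEL and the zone origin are placeholders to be matched against the
ARM for your BIND release; example.com. and the sample triggers are made up.
"""
import ipaddress

# Assumed suffix label for IP triggers; use the label your BIND version's ARM names.
RPZ_IP_LABEL = "rpz-ip"

# RPZ encodes the action in the RDATA of a CNAME record.
ACTION_NXDOMAIN = "CNAME ."    # respond NXDOMAIN
ACTION_NODATA = "CNAME *."     # respond NODATA (empty answer)


def action_cname(target):
    """Rewrite the answer to `target` (made fully qualified)."""
    return "CNAME " + target.rstrip(".") + "."


def rpz_ip_owner(cidr, origin):
    """Owner name for an IPv4 trigger: prefix.B4.B3.B2.B1.<label>.<origin>.

    Octets are written in reverse order and may be 0; the prefix is the CIDR
    length, limited to 1..32 (a /0 cannot be expressed as a trigger).
    """
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    if net.version != 4:
        raise ValueError("only IPv4 triggers are handled here: %s" % cidr)
    if not 1 <= net.prefixlen <= 32:
        raise ValueError("prefix must be 1..32: %s" % cidr)
    octets = str(net.network_address).split(".")
    labels = [str(net.prefixlen)] + octets[::-1] + [RPZ_IP_LABEL, origin]
    return ".".join(labels) + "."


def rpz_qname_owner(name, origin):
    """Owner name for a QNAME trigger: the name itself under the RPZ origin."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty trigger name")
    return "%s.%s." % (name, origin)


def build_zone(origin, triggers, serial=1):
    """Return zone-file text.  `triggers` is a list of (trigger, action); a
    trigger containing '/' is treated as a CIDR, anything else as a domain."""
    lines = [
        "$TTL 300",
        "$ORIGIN %s." % origin,
        "@ IN SOA localhost. root.localhost. %d 3600 900 604800 300" % serial,
        "@ IN NS localhost.",
    ]
    for trigger, action in triggers:
        if "/" in trigger:
            owner = rpz_ip_owner(trigger, origin)
        else:
            owner = rpz_qname_owner(trigger, origin)
        lines.append("%s IN %s" % (owner, action))
    return "\n".join(lines) + "\n"


# Constructed sample policy; none of these names or networks come from the post.
SAMPLE_TRIGGERS = [
    ("192.0.2.0/24", action_cname("example.com.")),   # network with a 0 octet
    ("10.0.0.1/32", ACTION_NXDOMAIN),                  # single host
    ("badhost.example.net", ACTION_NODATA),
    ("malware.example.org", action_cname("walledgarden.example.com")),
]

if __name__ == "__main__":
    print(build_zone("bl", SAMPLE_TRIGGERS), end="")
```

Running the script prints a zone in which 192.0.2.0/24 becomes the owner 24.0.2.0.192.rpz-ip.bl., so the zero octet the post noticed is ordinary and expected. The zone file itself has no shorthand for "CNAME example.com. on every line": each trigger record carries its own action. The zone-wide override the ARM calls a policy clause is a named.conf setting attached to the zone inside the response-policy statement rather than a record in the zone; the ARM grammar for that release shows it as `zone "bl" policy cname example.com;` (verify this against the grammar in your own version's ARM before relying on it).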


More information about the DNSfirewalls mailing list