[RPZ] Unwanted AAAA records; replace A with authoritative response

Jan-Piet Mens jpmens.dns at gmail.com
Wed Nov 2 13:42:13 UTC 2011


I've just been asked whether it would be possible to create an RPZ which
hides broken (for any definition of broken) IPv6 sites. My solution is
to create a record for the site with a corresponding A answer so that
BIND replies that there is no AAAA:

        jpmens.net.rpz-net.  A

That works well enough with BIND 9.9.0a3, but it means records need to
be populated with the A addresses.

Is there some trick to have the original authoritative A response
returned instead of manually adding it to the RPZ zone? Something like

        jpmens.net.rpz-net.  A  *

I've tried that, but BIND correctly complains about an incorrect
address :)

Thank you,


More information about the DNSfirewalls mailing list
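The approach described in the post, populating the RPZ zone with each site's live A addresses so that AAAA queries get NODATA, can be automated rather than done by hand. The script below is an added example and is not code from the post or from BIND; it assumes a policy zone named rpz-net (as in the post), served from the generated file by the same resolver, and that dig is on PATH when run against live DNS. The function and file names are mine.

```shell
#!/bin/sh
# Added example, not code from the post or from BIND: generate an RPZ zone
# whose policy records carry each site's live A RRset as Local Data, so the
# resolver keeps answering A queries but returns NODATA for AAAA.
# Assumptions (mine, not the post's): the policy zone is named "rpz-net",
# it is served from this zone file by the same BIND instance, and `dig` is
# on PATH when the zone is generated from live DNS.

RPZ_ZONE="rpz-net"

# Emit the apex records any RPZ zone needs (SOA and NS). The serial is the
# current Unix time, so every regeneration sorts as newer than the last.
rpz_zone_header() {
    serial=$(date -u +%s)
    printf '$TTL 300\n'
    printf '%s. IN SOA localhost. hostmaster.localhost. %s 3600 900 604800 300\n' \
        "$RPZ_ZONE" "$serial"
    printf '%s. IN NS localhost.\n' "$RPZ_ZONE"
}

# rpz_local_a_records NAME ADDR...
# Emit one Local Data A record for NAME per IPv4 address. Because the policy
# name then has A data and no AAAA data, BIND answers AAAA queries for NAME
# with NODATA. Non-IPv4 rdata is skipped with a warning so an AAAA from a
# careless lookup cannot sneak into the policy. Returns non-zero if no
# address is given, since a Local Data name with no rdata is not a record.
rpz_local_a_records() {
    name=${1%.}        # drop any trailing dot; the zone suffix is appended below
    shift
    [ "$#" -gt 0 ] || return 1
    for addr in "$@"; do
        if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf '%s.%s. IN A %s\n' "$name" "$RPZ_ZONE" "$addr"
        else
            echo "rpz: skipping non-IPv4 rdata for $name: $addr" >&2
        fi
    done
}

# rpz_from_live_dns NAME...
# Resolve each NAME's A RRset with dig and write a complete zone to stdout.
rpz_from_live_dns() {
    rpz_zone_header
    for name in "$@"; do
        # dig +short also prints CNAME targets; keep dotted-quad lines only.
        addrs=$(dig +short A "$name" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$')
        if [ -z "$addrs" ]; then
            echo "rpz: no A records for $name, not adding a policy" >&2
            continue
        fi
        # shellcheck disable=SC2086 -- word-splitting the address list is intended
        rpz_local_a_records "$name" $addrs
    done
}

# Usage: ./rpz-noaaaa.sh jpmens.net other.example > /var/named/rpz-net.db
if [ "$#" -gt 0 ]; then
    rpz_from_live_dns "$@"
fi
```

The generated file is loaded like any other zone (`zone "rpz-net" { type master; file "/var/named/rpz-net.db"; };`) and activated with `response-policy { zone "rpz-net"; };` in the options block. Since the A addresses are copied at generation time, the script has to be re-run when a listed site renumbers, which is the maintenance cost the post is asking to avoid.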