[RPZ] Unwanted AAAA records; replace A with authoritative response

Vernon Schryver vjs at rhyolite.com
Wed Nov 2 14:29:32 UTC 2011

> From: Jan-Piet Mens <jpmens.dns at gmail.com>

> I've just been asked whether it would be possible to create an RPZ which
> hides broken (for any definition of broken) IPv6 sites. My solution is
> to create a record for the site with a corresponding A answer so that
> BIND replies there is no AAAA
>         jpmens.net.rpz-net.  A
> That works well enough with BIND 9.9.0a3, but it means records need to
> be populated with the A addresses.

It also 
   - requires continual monitoring of the broken site so that the
      RPZ rule can be removed when the site is fixed.
   - at best needs elaboration for subdomains of the broken site.
   - needs other records such as TXT for SPF and DKIM fans
   - breaks DNSSEC for IPv4

I wonder if the manual effort in using RPZ to patch other people's
IPv6 mistakes would be better spent convincing them to withdraw
their AAAA records until their IPv6 problems are fixed.

> Is there some trick to have the original authoritative A response
> returned instead of manually adding it to the RPZ zone? Something like
>         jpmens.net.rpz-net.  A  *
> I've tried that, but BIND correctly complains about an incorrect
> address :)

I can't see a way to do that entirely within BIND.  However, if I
were using RPZ for something like that, I'd have a cron job that
monitored the broken IPv6 site (for at least some kinds of brokenness
such as silence on port 80 at the IPv6 addresses) to warn about the
need to remove the policy zone records.  That cron job would also
maintain the records other than DNSSEC and AAAA in the policy zone.

Vernon Schryver    vjs at rhyolite.com
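The cron check described in the message above, as an added example (my code, not the thread's or BIND's): it pulls the site names that carry an A rule out of a constructed rpz-net zone fragment and, for each, says whether the rule can be dropped. The zone text, the 192.0.2.x addresses and "TCP port 80 answers" as the brokenness test are assumptions; resolve_aaaa must run on a host whose stub resolver is not the RPZ-filtered server, since the policy would hide the very AAAA records being checked.

```python
import re
import socket
# Constructed rpz-net zone (assumed data): an A rule for a site name makes
# BIND answer that name's AAAA queries with NODATA; TXT lines are ignored.
SAMPLE_RPZ = """\
$ORIGIN rpz-net.
jpmens.net               A    192.0.2.10
www.jpmens.net.rpz-net.  IN A 192.0.2.10
jpmens.net               TXT  "v=spf1 -all"
"""
A_RULE = re.compile(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+\S+$")  # A only, not AAAA

def policy_names(zone_text):
    """Site names whose A rule in the policy zone hides their AAAA records."""
    origin, names = "", []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
        elif m := A_RULE.match(line):
            owner = m.group(1).rstrip(".")   # a relative owner is the site name
            if m.group(1).endswith(".") and origin and owner.endswith("." + origin):
                owner = owner[: -len(origin) - 1]   # absolute: strip zone suffix
            names.append(owner)
    return names

def resolve_aaaa(name):
    """AAAA addresses via the stub resolver, which must not be the RPZ server."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_v6(addr, port=80, timeout=3.0):
    """True when TCP to [addr]:port connects, i.e. the site is not silent."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def verdict(name, resolve=resolve_aaaa, probe=probe_v6):
    """What the cron job should report for one rule."""
    addrs = resolve(name)
    if not addrs:
        return "remove: site no longer publishes AAAA"
    if all(probe(a) for a in addrs):
        return "remove: every IPv6 address answers on port 80"
    return "keep: IPv6 still silent, rule still needed"
```

Running verdict() over policy_names() from cron and mailing the "remove" lines is the warning the message talks about; an A rule only matches the exact name, so subdomains of the site need rules and checks of their own.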
