[RPZ] Fwd: strange result with rpz

Vernon Schryver vjs at rhyolite.com
Fri Sep 16 21:16:40 UTC 2011

> From: <iharrathi.ext at orange-ftgroup.com>

> Hi i implement a dns recursive server that only answer a.b.c.myzone.fr so f=
> or this i do this:
> in named.conf:

> response-policy { zone "rpz.zone";};

> and this is the zone rpz.zone:

> a.b.c.myzone.fr IN CNAME a.b.c.myzone.fr.

> *.fr           IN      A

> The problem is that my server answer a.b.c.myzone.fr  but also answer all t=
> he zone myzone.fr like www.myzone.fr , ftp.myzone.fr<ftp://ftp.myzone.fr>, =
> ....why?

If I understand that description and have not overlooked something,
then I would predict that all requests with RD=1 for example.fr,
ftp.example.myzone.fr, ftp.myzone.fr, myzone.fr and all other domains
matching *.fr except a.b.c.myzone.fr are answered with

That is because the "*.fr IN A" policy in the rpz.zone
file requires rewriting all answers to all requests for A RRs for any
domain matching *.fr to  All valid answers including
NXDOMAIN are rewritten.  The a.b.c.myzone.fr policy record exempts
only a.b.c.myzone.fr from rewriting.

Evidently those are not the desired results.  What was desired?

The "*.fr IN A" policy record seems a little unusual.

Vernon Schryver    vjs at rhyolite.com

P.S. See https://lists.isc.org/mailman/listinfo/dnsrpz-interest to 
subscribe to the ISC dnsrpz-interest mailing list.

More information about the DNSfirewalls mailing list