[RPZ] Fwd: strange result with rpz

iharrathi.ext at orange.com
Thu Sep 22 15:06:44 UTC 2011

Thanks, and it's exactly what I'm doing now :)
But I hope that ISC changes the RPZ rule so that next time I only have to write 2 lines, because now I have to write a lot of lines for each authorized domain.
It's better to just put 2 lines:
    a.b.c.myzone.fr     CNAME   a.b.c.myzone.fr.
    *.fr                A

Issam Harrathi.

-----Original Message-----
From: Vernon Schryver [mailto:vjs at rhyolite.com]
Sent: Wednesday, September 21, 2011 19:15
Cc: dnsrpz-interest at lists.isc.org
Subject: RE: [RPZ] Fwd: strange result with rpz

> From: <iharrathi.ext at orange.com>
> To: Raymond Dijkxhoorn <raymond at prolocation.net>,
>         Vernon Schryver <vjs at rhyolite.com>
> CC: "dnsrpz-interest at lists.isc.org" <dnsrpz-interest at lists.isc.org>

> Hi, you're missing the point :)
> Yes, what I want is that everything in *.fr has the same answer
> except a.b.c.myzone.fr; this is why I write:
>     a.b.c.myzone.fr IN CNAME   a.b.c.myzone.fr.
>     *.fr            IN A
> My problem is that with this configuration I also get the real answer for
> www.myzone.fr, ftp.myzone.fr, x.y.z.myzone.fr instead of the
> desired one.
> I hope I was clear.

The results you are seeing come from the way DNS wildcards work.
See for example this paragraph in

    To quote RFC 1912, "A common mistake is thinking that a wildcard
    MX for a zone will apply to all hosts in the zone. A wildcard
    MX will apply only to names in the zone which aren't listed in
    the DNS at all." That is, if there is a wild card MX for
    *.example.com, and an A record (but no MX record) for
    www.example.com, the correct response (as per RFC 1034) to an
    MX request for www.example.com is "no error, but no data"; the
    expected response is the MX record attached to *.example.com.

In other words, the existence of the a.b.c.myzone.fr RPZ record requires that the *.fr wildcard not match any sub-domain of myzone.fr.

To get what I understand to be the desired (albeit surprising) results, try:
    a.b.c.myzone.fr     CNAME   a.b.c.myzone.fr.
    *.a.b.c.myzone.fr   A
    *.b.c.myzone.fr     A
    *.c.myzone.fr       A
    *.fr                A

Vernon Schryver    vjs at rhyolite.com
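To make the wildcard rule cited above concrete, here is an added example that is not code from this thread, from ISC, or from BIND's RPZ implementation: a small Python model of RFC 1034 / RFC 4592 wildcard matching, run over the two-line rule set and over a per-label rule set. The class `PolicyZone`, the function `rpz_action` and the address 192.0.2.1 are all constructed for the example; `rpz_action` is a deliberately simplified model in which a CNAME to the name itself lets the real answer through and an A record rewrites it, not BIND's actual policy code.

```python
# Added example (not from the mailing-list thread): a small model of the
# RFC 1034 / RFC 4592 wildcard rule applied to an RPZ-style rule set.
# A wildcard only matches a name whose closest existing ancestor (the
# "closest encloser") is the wildcard's parent; any name that exists in the
# zone, including the empty non-terminals implied by longer names, blocks
# less specific wildcards higher up.


def labels(name):
    """'a.b.c.myzone.fr.' -> ('fr', 'myzone', 'c', 'b', 'a'): root-first, lowercase."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)[::-1]


class PolicyZone:
    """In-memory zone: owner names map to lists of (rtype, rdata)."""

    def __init__(self, records):
        self.rrsets = {}        # labels tuple -> [(rtype, rdata), ...]
        self.names = {()}       # every existing name; apex and ENTs included
        for owner, rtype, rdata in records:
            key = labels(owner)
            self.rrsets.setdefault(key, []).append((rtype, rdata))
            for i in range(1, len(key) + 1):
                self.names.add(key[:i])   # ancestors exist as empty non-terminals

    def lookup(self, qname):
        """Return (status, matched_owner, rrset) following the wildcard rules."""
        q = labels(qname)
        if q in self.rrsets:
            return "exact", q, self.rrsets[q]
        if q in self.names:
            return "nodata", q, []          # empty non-terminal: exists, no RRs
        # Walk up to the closest encloser, then consider only its '*' child.
        for i in range(len(q) - 1, -1, -1):
            encloser = q[:i]
            if encloser in self.names:
                wild = encloser + ("*",)
                if wild in self.rrsets:
                    return "wildcard", wild, self.rrsets[wild]
                return "nxdomain", encloser, []
        raise AssertionError("unreachable: the apex always exists")


def rpz_action(zone, qname):
    """Simplified RPZ QNAME policy (constructed model, not BIND's code):
    CNAME to the name itself lets the real answer through, an A record
    rewrites the answer, and no matching record means no policy applies."""
    status, owner, rrset = zone.lookup(qname)
    if status not in ("exact", "wildcard"):
        return "no-policy"
    for rtype, rdata in rrset:
        if rtype == "CNAME" and labels(rdata) == labels(qname):
            return "passthru"
        if rtype == "A":
            return "rewrite"
    return "no-policy"


# The two-line rule set from the thread. 192.0.2.1 is a constructed
# placeholder for whatever address the wildcard is meant to hand back.
TWO_LINE = PolicyZone([
    ("a.b.c.myzone.fr", "CNAME", "a.b.c.myzone.fr."),
    ("*.fr", "A", "192.0.2.1"),
])

# One wildcard per label between the exception and the zone, so every
# branch under myzone.fr has a wildcard whose parent is its closest encloser.
PER_LABEL = PolicyZone([
    ("a.b.c.myzone.fr", "CNAME", "a.b.c.myzone.fr."),
    ("*.a.b.c.myzone.fr", "A", "192.0.2.1"),
    ("*.b.c.myzone.fr", "A", "192.0.2.1"),
    ("*.c.myzone.fr", "A", "192.0.2.1"),
    ("*.myzone.fr", "A", "192.0.2.1"),
    ("*.fr", "A", "192.0.2.1"),
])

if __name__ == "__main__":
    for name in ("a.b.c.myzone.fr", "www.myzone.fr", "x.y.z.myzone.fr", "other.fr"):
        print(f"{name:20} two-line: {rpz_action(TWO_LINE, name):10} "
              f"per-label: {rpz_action(PER_LABEL, name)}")
```

With the two-line set, `lookup("www.myzone.fr")` walks up to myzone.fr, which exists as an empty non-terminal because a.b.c.myzone.fr is in the zone, finds no `*.myzone.fr`, and returns NXDOMAIN; the resolver therefore applies no policy and the real answer goes out, which is the behaviour reported in the thread. The per-label set in this example includes `*.myzone.fr` as well as the deeper wildcards, because under these rules only a wildcard directly beneath the closest encloser can match www.myzone.fr or x.y.z.myzone.fr.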

