[RPZ] default masterfile-format in BIND 9.9+ has changed from "text" to "raw"

Fred Morris m3047 at m3047.net
Fri Dec 21 04:39:37 UTC 2012


As a practical matter, serious RPZ consuming shops will want to
audit/verify/review/analyze their RPZ zone feeds (the zones to which they
subscribe).

Comes to my attention that the default masterfile-format has changed from
text to raw with BIND 9.9.

I suppose shops with 1 million+ entries across zones and without DNS
infrastructure redundancy might clamour (and even pay money) for
sub-second startup, but the typical RPZ consumer is running a caching
resolver (contrasted to authoritative), and (hopefully) in a redundant
environment. Looking beyond BIND, beyond DNS: I don't see operational
reality moving to default support of proprietary data formats (which this
definitionally is), but rather to recognized and well-understood formats
(which the "typical" zonefile format is).

Anyway, at the least this seems like something which should be noted so
that people know: you need to set your masterfile-format, that is:

  options {
      masterfile-format text;
  };

Granted, ISC supplies, with the BIND distribution, tools to translate
between the two.


(While you're at it, set "check-names ignore;" for your RPZs because the
bad guys don't play by the rules.)
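The kind of audit the post has in mind only works on a zone that is on disk in text (master file) format; a raw-format file is opaque to anything but named-compilezone. The script below is an added example, not code from the post or from ISC: it parses a constructed RPZ zone in text format, tallies the policy actions (NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-only, local data) and trigger kinds (QNAME, rpz-ip, rpz-nsdname, rpz-nsip), and flags owner names that are not letter-digit-hyphen hostnames, which is the class of name the post's "check-names ignore" advice is about. The sample zone, the zone name rpz.example and the hostname test are assumptions for the example; the hostname test approximates rather than reproduces BIND's check-names logic.

```python
"""Audit a text-format (master file) RPZ zone: tally policy actions and
trigger types, and flag owner names that are not LDH hostnames.
Added example; assumes the zone is stored with masterfile-format text."""
import re
from collections import Counter

# Constructed sample zone for rpz.example (not from any real feed).
# Owner names are relative to the zone origin, as in a typical RPZ feed.
SAMPLE_ZONE = """\
$TTL 300
@                    IN SOA   rpz.example. hostmaster.rpz.example. 2012122101 3600 600 86400 300
@                    IN NS    localhost.
; QNAME triggers
bad.example          IN CNAME .                ; NXDOMAIN
*.bad.example        IN CNAME .                ; NXDOMAIN for subdomains too
quiet.example        IN CNAME *.               ; NODATA
good.example         IN CNAME rpz-passthru.    ; PASSTHRU (exempt from policy)
sink.example         IN CNAME rpz-drop.        ; DROP
walled.example       IN A     192.0.2.1        ; local data (walled garden)
; IP trigger: answers containing 192.0.2.1/32 (address is written reversed)
32.1.2.0.192.rpz-ip  IN CNAME .
; Underscore label: a legal trigger, but not an LDH hostname
_dmarc.phish.example IN CNAME .
"""

# CNAME targets with special meaning in RPZ; anything else is local data.
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# One letter-digit-hyphen label, 1..63 octets, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_zone(text):
    """Return a list of (owner, rtype, rdata) for policy records only.
    Handles one record per line, optional TTL and class, ';' comments.
    SOA and NS records (zone apex housekeeping) are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # blank or directive
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        # Skip optional TTL and class between owner and type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        rtype = rest[0].upper()
        rdata = " ".join(rest[1:])
        if rtype in ("SOA", "NS"):
            continue
        records.append((owner, rtype, rdata))
    return records


def action_for(rtype, rdata):
    """Map a record to its RPZ policy action."""
    if rtype == "CNAME" and rdata in ACTIONS:
        return ACTIONS[rdata]
    return "LOCAL-DATA"


def trigger_kind(owner):
    """Classify the trigger by its reserved suffix; default is a QNAME rule."""
    name = owner.rstrip(".").lower()
    for suffix, kind in ((".rpz-ip", "ip"), (".rpz-nsdname", "nsdname"), (".rpz-nsip", "nsip")):
        if name.endswith(suffix):
            return kind
    return "qname"


def is_ldh_hostname(owner):
    """True if every label is LDH (a leading '*' wildcard label is allowed).
    This approximates the hostname syntax that BIND's check-names enforces."""
    labels = owner.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return all(LDH_LABEL.match(label) for label in labels)


def audit(text):
    """Summarise a zone: rule count, action tally, trigger tally, odd owners."""
    records = parse_zone(text)
    return {
        "rules": len(records),
        "actions": dict(Counter(action_for(t, d) for _, t, d in records)),
        "triggers": dict(Counter(trigger_kind(o) for o, _, _ in records)),
        "non_hostname_owners": [o for o, _, _ in records if not is_ldh_hostname(o)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

Run it against a feed as received (the zone file named in the zone statement) after each transfer and diff the summaries between runs; a sudden change in the action mix or a new batch of non-LDH owners is exactly the sort of thing a subscriber wants to notice before the policy takes effect. If a file has already been written in raw format, convert it first with ISC's named-compilezone (`-f raw -F text`), which is the translation tool the post refers to.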

--

Fred Morris
