[RPZ] Answering my own RPZ question
owens at nysernet.org
Thu Jan 5 13:49:27 UTC 2012
On Tue, Jan 03, 2012 at 10:27:29AM -0500, Bill Owens wrote:
>So my question is, speaking purely from a technical standpoint, whether that's the intended behavior of RPZ, or a bug, or a not-yet-implemented feature, or my misconfiguration.
A more sustained Googling effort has allowed me to locate what seems to be the current version of the RPZ spec, Format 3:
And unlike the earlier versions it includes a reference to this situation:
3 - Subscriber Behavior
RPZs must be primary or secondary zones. They can only be searched in a
recursive server's own storage. By default, policies are applied only on
DNS requests that ask for recursion (RD=1) and which either do not
request DNSSEC metadata (DO=0) or for which no DNSSEC metadata exists.
So, there we have it. I have nowhere near enough coding ability to tell which version of the spec is implemented in current BIND, though a few minutes of staring at the stuff in lib/dns doesn't seem to turn up any references to RPZ and DNSSEC near each other. The only info I could find regarding implementation was that Format 2 was in BIND 9.8.0 beta, and that was 18 months ago. I do see that the NXDOMAIN redirection feature has a test set that includes verifying its behavior in the presence of signed domains and DO=1 queries, and RPZ doesn't seem to.
Anyway, sorry for bothering the list - I'll keep on the lookout to see when Format 3 is implemented, and re-do my tests then (or perhaps just do 'make test').
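As an added example (not part of Bill's post, the RPZ spec, or BIND's code), a small Python script that pulls the RD and DO bits out of a wire-format DNS query and applies the Format 3 default rule quoted above, so a captured query can be checked against what the spec says should happen. The packet builder and the name "test.example" are constructed for the demo; whether "DNSSEC metadata exists" for the answer is supplied by the caller as a boolean, since that is a property of the zone being resolved, not of the query.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_RD = 0x0100   # header flag: recursion desired
EDNS_DO = 0x8000   # DO bit lives in the low 16 bits of the OPT RR's TTL field

def skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def query_flags(pkt):
    """Extract (RD, DO) from a DNS query message; DO is False if there is no OPT RR."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):      # scan remaining RRs for the OPT record
        off = skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & EDNS_DO)
    return bool(flags & FLAG_RD), do

def rpz_applies(rd, do, has_dnssec_metadata):
    """Default subscriber behaviour from RPZ Format 3, section 3."""
    return rd and (not do or not has_dnssec_metadata)

def build_query(name, rd=True, do=False):
    """Constructed test query: one A/IN question plus an OPT RR carrying the DO bit."""
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_RD if rd else 0, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO if do else 0, 0)
    return hdr + qname + struct.pack("!HH", 1, 1) + opt

def check(pkt, has_dnssec_metadata):
    """Return (RD, DO, policy_applies) for a query against a signed/unsigned name."""
    rd, do = query_flags(pkt)
    return rd, do, rpz_applies(rd, do, has_dnssec_metadata)

if __name__ == "__main__":
    for rd, do, signed in [(True, False, True), (True, True, True), (True, True, False)]:
        print(rd, do, signed, "->", check(build_query("test.example", rd, do), signed))
```

The second case (RD=1, DO=1, signed zone) is the one where the spec says policy is not applied by default, which matches the behaviour the original question was about.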