[RPZ] Answering my own RPZ question

Vernon Schryver vjs at rhyolite.com
Thu Jan 5 16:14:11 UTC 2012

> From: Bill Owens <owens at nysernet.org>

> https://deepthought.isc.org/article/AA-00512/
> And unlike the earlier versions it includes a reference to this situation:
>  3 - Subscriber Behavior
>    RPZs must be primary or secondary zones. They can only be searched in a
>    recursive server's own storage. By default, policies are applied only on
>    DNS requests that ask for recursion (RD=1) and which either do not
>    request DNSSEC metadata (DO=0) or for which no DNSSEC metadata exists.

Thanks.   Either that document or the code needs to be changed.

> So, there we have it. I have nowhere near enough coding ability to
> tell which version of the spec is implemented in current BIND, though
> a few minutes of staring at the stuff in lib/dns doesn't seem to turn
> up any references to RPZ and DNSSEC near each other. ...

All versions of RPZ in BIND have one or more statements like this:

	    /*
	     * Turn off DNSSEC because the results of a
	     * response policy zone cannot verify.
	     */
	    client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;

That statement makes BIND act as if the client had not asked for
DNSSEC.  I think we need to change the document to match the code
instead of the opposite, so that domain names cannot decide whether
their data is rewritten.

Vernon Schryver    vjs at rhyolite.com
