[RPZ] When bailiwicks collide: a use case and an observation, and a question (of course)
Fred Morris
m3047 at m3047.net
Thu Jun 21 08:16:09 UTC 2012
USE CASE: I subscribe to an RPZ feed, but I want my own RPZ which potentially
overrides what appears in the subscribed feed.
In the most specific case, both of these zones define policies for the same
name. So: how do I set it up so that one RPZ always has precedence?
The documentation would seem to imply that the order in which RPZs are defined
defines precedence. Given:
response-policy { zone "rpz2.m3047.net"; zone "rpz1.m3047.net"; };
Presuming that something appears in rpz2.m3047.net then whatever appears in
rpz1.m3047.net is ignored (first hit wins).
Testing (with BIND 9.8.1) informs that this is not the case: it appears that
the ordering doesn't matter, but that what does matter is the (alphabetical)
collation order. I.E., regardless of the order declared, rpz1 wins in the
above example.
In my actual test, rpz1 is a slave (subscribed) zone, and rpz2 is a (local)
master zone. rpz1 always wins. When I changed from rpz2 to rpz0, all of a
sudden rpz0 always wins over rpz1.
I haven't cracked the code open, and that's hardly an exhaustive test suite;
but it is sufficient to disprove the notion that ordering matters.
My question is: what is the roadmap for this "feature": Is ordering supposed
to matter, or will collation order continue to matter (if it truly does)?
Thanks...
--
Fred Morris
More information about the DNSfirewalls
mailing list