[RPZ] When bailiwicks collide: a use case and an observation, and a question (of course)

Fred Morris m3047 at m3047.net
Thu Jun 21 08:16:09 UTC 2012

USE CASE: I subscribe to an RPZ feed, but I want my own RPZ which potentially 
overrides what appears in the subscribed feed.

In the most specific case, both of these zones define policies for the same 
name. So: how do I set it up so that one RPZ always has precedence?

The documentation would seem to imply that the order in which RPZs are defined 
defines precedence. Given:

  response-policy { zone "rpz2.m3047.net"; zone "rpz1.m3047.net"; };

Presuming that something appears in rpz2.m3047.net, whatever appears in 
rpz1.m3047.net is ignored (first hit wins).

Testing (with BIND 9.8.1) informs that this is not the case: it appears that 
the ordering doesn't matter, but that what does matter is the (alphabetical) 
collation order, i.e., regardless of the order declared, rpz1 wins in the 
above example.

In my actual test, rpz1 is a slave (subscribed) zone, and rpz2 is a (local) 
master zone. rpz1 always wins. When I changed from rpz2 to rpz0, all of a 
sudden rpz0 always wins over rpz1.

I haven't cracked the code open, and that's hardly an exhaustive test suite; 
but it is sufficient to disprove the notion that ordering matters.

My question is: what is the roadmap for this "feature"? Is ordering supposed 
to matter, or will collation order continue to matter (if it truly does)?



Fred Morris
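An added example, not part of the post above: a small Python model of RPZ QNAME-trigger matching that evaluates the post's two zones against a query name under each of the two precedence rules the post contrasts (declared response-policy order versus alphabetical collation of zone names), so an operator can write down what they expect before testing a real resolver. The zone contents are constructed sample data, not a real feed, and the model only covers QNAME triggers with exact and wildcard owner names.

```python
# Added example (not from the post): model RPZ QNAME-trigger matching and
# compare the two precedence rules the post contrasts. Zone data below is
# constructed sample data, not a real feed.

# RPZ encodes the action in the CNAME target: "." = NXDOMAIN,
# "*." = NODATA, "rpz-passthru." = exempt the name from policy.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

# Owner names are relative to the RPZ zone apex, as in a real RPZ.
ZONES = {
    "rpz1.m3047.net": {            # subscribed (slave) feed
        "bad.example.com": ".",            # block
        "*.tracker.example": ".",          # block whole subtree
    },
    "rpz2.m3047.net": {            # local (master) overrides
        "bad.example.com": "rpz-passthru.",  # local allow-list entry
        "evil.example.org": "*.",          # NODATA instead of NXDOMAIN
    },
}

def qname_match(zone_records, qname):
    """Return the action one zone assigns to qname, or None if no trigger
    fires. An exact owner name wins over a wildcard; a wildcard "*.x" only
    matches names that have at least one label below x."""
    if qname in zone_records:
        return ACTIONS[zone_records[qname]]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone_records:
            return ACTIONS[zone_records[wild]]
    return None

def winning_policy(declared_order, qname, precedence="declared"):
    """Return (zone, action) from the first zone that matches qname under
    the chosen precedence rule, or None if no zone has a trigger for it."""
    order = list(declared_order)
    if precedence == "collation":     # alphabetical order of zone names
        order = sorted(order)
    for zone in order:
        action = qname_match(ZONES[zone], qname)
        if action is not None:
            return zone, action
    return None

# Same declaration order as in the post: rpz2 listed before rpz1.
DECLARED = ["rpz2.m3047.net", "rpz1.m3047.net"]

if __name__ == "__main__":
    for rule in ("declared", "collation"):
        print(rule, winning_policy(DECLARED, "bad.example.com", rule))
```

Under "declared" the local passthru wins for bad.example.com; under "collation" the feed's block wins, which is the outcome the post reports observing.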