[RPZ] When bailiwicks collide: a use case and an observation, and a question (of course)
Vernon Schryver
vjs at rhyolite.com
Thu Jun 21 13:43:40 UTC 2012
> From: Fred Morris <m3047 at m3047.net>
> USE CASE: I subscribe to an RPZ feed, but I want my own RPZ which potentially
> overrides what appears in the subscribed feed.
>
> In the most specific case, both of these zones define policies for the same
> name. So: how do I set it up so that one RPZ always has precedence?
>
> The documentation would seem to imply that the order in which RPZs are defined
> defines precedence. Given:
This is the relevant text from version 9.9 of "BIND 9 Administrator
Reference Manual" at
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2588832
(That URI fragment or hash tag will probably change when a new
version of the ARM is installed on ISC's web pages. Searching for
"RPZ" should always find the RPZ text.)
The query response is checked against all RPZs, so two or more
policy records can apply to a single response. Because DNS
responses can be rewritten according to at most a single policy
record, a single policy (other than DISABLED policies) must be
chosen. Policies are chosen in the following order:

  1. Among applicable zones, use the RPZ that appears first in
     the response-policy option.
  2. Prefer QNAME to IP to NSDNAME to NSIP policy records in a
     single RPZ.
  3. Among applicable NSDNAME policy records, prefer the policy
     record that matches the lexically smallest name.
  4. Among IP or NSIP policy records, prefer the record with the
     longest prefix.
  5. Among records with the same prefix length, prefer the IP
     or NSIP policy record that matches the smallest IP address.

When the processing of a response is restarted to resolve DNAME
or CNAME records and an applicable policy record set has not
been found, all RPZs are again consulted for the DNAME or CNAME
names and addresses.
The precedence rules in version 9.8.0 differed.
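As an added illustration (not part of the original post and not BIND's own code), the 9.9 precedence rules quoted above as a small Python selector: zone names and policy records are constructed sample data, and the "lexically smallest name" rule is approximated by a plain case-insensitive string comparison rather than DNS canonical ordering.

```python
import ipaddress
from dataclasses import dataclass

# Zones in the order they appear in the response-policy option
# (constructed names; the local override zone is listed first).
RESPONSE_POLICY = ["local-override.rpz", "subscribed-feed.rpz"]

# Rule 2: within one RPZ, prefer QNAME to IP to NSDNAME to NSIP.
TRIGGER_RANK = {"QNAME": 0, "IP": 1, "NSDNAME": 2, "NSIP": 3}

@dataclass(frozen=True)
class PolicyRecord:
    zone: str      # RPZ the record came from
    trigger: str   # QNAME, IP, NSDNAME or NSIP
    match: str     # matched name, or CIDR prefix for IP/NSIP triggers
    action: str    # e.g. NXDOMAIN, PASSTHRU, DISABLED

def sort_key(rec):
    """Tuple that sorts best-first under the five precedence rules."""
    key = [RESPONSE_POLICY.index(rec.zone), TRIGGER_RANK[rec.trigger]]
    if rec.trigger in ("IP", "NSIP"):
        net = ipaddress.ip_network(rec.match, strict=False)
        # Rule 4: longest prefix wins; rule 5: then the smallest address.
        key += [-net.prefixlen, int(net.network_address)]
    else:
        # Rule 3: lexically smallest name (approximated here by a plain
        # case-insensitive string comparison, not DNS canonical ordering).
        key.append(rec.match.lower())
    return tuple(key)

def choose_policy(applicable):
    """Return the one record BIND would apply, ignoring DISABLED ones."""
    live = [r for r in applicable if r.action != "DISABLED"]
    return min(live, key=sort_key) if live else None

# Constructed sample: the feed blocks example.com by QNAME, the local zone
# only has an IP-trigger record covering the answer's address.
SAMPLE = [
    PolicyRecord("subscribed-feed.rpz", "QNAME", "example.com", "NXDOMAIN"),
    PolicyRecord("local-override.rpz", "IP", "192.0.2.0/24", "PASSTHRU"),
    PolicyRecord("local-override.rpz", "IP", "192.0.2.0/28", "DISABLED"),
]

if __name__ == "__main__":
    # Rule 1 is decided before rule 2, so the local IP record beats the
    # feed's QNAME record: prints "local-override.rpz IP PASSTHRU".
    w = choose_policy(SAMPLE)
    print(w.zone, w.trigger, w.action)
```

The point for the use case is that zone order in the response-policy option is evaluated before trigger type, so listing the local RPZ first is what makes it override the feed.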