[RPZ] When bailiwicks collide: a use case and an observation, and a question (of course)

Vernon Schryver vjs at rhyolite.com
Thu Jun 21 13:43:40 UTC 2012


> From: Fred Morris <m3047 at m3047.net>

> USE CASE: I subscribe to an RPZ feed, but I want my own RPZ which potentially 
> overrides what appears in the subscribed feed.
>
> In the most specific case, both of these zones define policies for the same 
> name. So: how do I set it up so that one RPZ always has precedence?
>
> The documentation would seem to imply that the order in which RPZs are defined 
> defines precedence. Given:

This is the relevant text from version 9.9 of "BIND 9 Administrator
Reference Manual" at
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2588832
(That URI fragment or hash tag will probably change when a new
version of the ARM is installed on ISC's web pages.  Searching for
"RPZ" should always find the RPZ text.)

    The query response is checked against all RPZs, so two or more
    policy records can apply to a single response. Because DNS
    responses can be rewritten according to at most a single policy
    record, a single policy (other than DISABLED policies) must be
    chosen. Policies are chosen in the following order:

        Among applicable zones, use the RPZ that appears first in
            the response-policy option.
        Prefer QNAME to IP to NSDNAME to NSIP policy records in a single RPZ
        Among applicable NSDNAME policy records, prefer the policy
            record that matches the lexically smallest name
        Among IP or NSIP policy records, prefer the record with the
            longest prefix.
        Among records with the same prefix length, prefer the IP
            or NSIP policy record that matches the smallest IP address.

    When the processing of a response is restarted to resolve DNAME
    or CNAME records and an applicable policy record set has not
    been found, all RPZs are again consulted for the DNAME or CNAME
    names and addresses.

The precedence rules in version 9.8.0 differed.


Vernon Schryver    vjs at rhyolite.com
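As an added illustration (not part of this thread, and not BIND's own code), the following Python models the five precedence rules quoted from the 9.9 ARM and applies them to constructed policy records and responses. It shows the use case from the question: a locally maintained RPZ listed first in `response-policy` overrides a subscribed feed for the same name, and swapping the zone order swaps the outcome. The zone names (`local-rpz.example`, `feed-rpz.example`, `test-rpz.example`), the records, the responses and the named.conf fragment in the docstring are all hypothetical; case-folded string order stands in for BIND's DNS name ordering in the NSDNAME rule.

```python
"""Constructed model of the BIND 9.9 RPZ precedence rules.

Assumed named.conf fragment (hypothetical zone names, not from the thread):

    response-policy {
        zone "local-rpz.example";                 # listed first, so it wins ties
        zone "feed-rpz.example";
        zone "test-rpz.example" policy disabled;  # hits are logged, never applied
    };
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Rule 2: trigger-type precedence within a single RPZ.
TRIGGER_RANK = {"QNAME": 0, "IP": 1, "NSDNAME": 2, "NSIP": 3}

# response-policy zones in configuration order, with an optional policy override.
ZONES: List[Tuple[str, Optional[str]]] = [
    ("local-rpz.example", None),
    ("feed-rpz.example", None),
    ("test-rpz.example", "disabled"),
]


@dataclass(frozen=True)
class PolicyRecord:
    zone: str      # RPZ the record lives in
    trigger: str   # QNAME, IP, NSDNAME or NSIP
    match: str     # domain name, or CIDR prefix for IP/NSIP triggers
    action: str    # NXDOMAIN, NODATA, PASSTHRU, ...


# Constructed sample records: the feed blocks bad.example.com, the local RPZ
# whitelists it; the feed also carries overlapping IP and NSDNAME triggers.
RECORDS = [
    PolicyRecord("feed-rpz.example", "QNAME", "bad.example.com", "NXDOMAIN"),
    PolicyRecord("local-rpz.example", "QNAME", "bad.example.com", "PASSTHRU"),
    PolicyRecord("feed-rpz.example", "IP", "192.0.2.0/24", "NXDOMAIN"),
    PolicyRecord("feed-rpz.example", "IP", "192.0.2.0/25", "NODATA"),
    PolicyRecord("feed-rpz.example", "NSDNAME", "ns2.evil.example", "NXDOMAIN"),
    PolicyRecord("feed-rpz.example", "NSDNAME", "ns1.evil.example", "NODATA"),
    PolicyRecord("test-rpz.example", "QNAME", "canary.example", "NXDOMAIN"),
]

# Constructed responses: qname plus answer addresses, NS names and NS addresses.
RESP_WHITELISTED = {"qname": "bad.example.com", "addresses": ["203.0.113.7"],
                    "ns_names": [], "ns_addresses": []}
RESP_LONGEST_PREFIX = {"qname": "cdn.example.net", "addresses": ["192.0.2.10"],
                       "ns_names": [], "ns_addresses": []}
RESP_NSDNAME = {"qname": "shop.example.org", "addresses": ["198.51.100.4"],
                "ns_names": ["ns2.evil.example", "ns1.evil.example"], "ns_addresses": []}
RESP_DISABLED_ONLY = {"qname": "canary.example", "addresses": [],
                      "ns_names": [], "ns_addresses": []}


def applies(rec: PolicyRecord, resp: dict) -> bool:
    """Does this record's trigger match the response?"""
    if rec.trigger == "QNAME":
        return resp["qname"].lower() == rec.match.lower()
    if rec.trigger == "NSDNAME":
        return rec.match.lower() in (n.lower() for n in resp["ns_names"])
    net = ip_network(rec.match, strict=False)
    addrs = resp["addresses"] if rec.trigger == "IP" else resp["ns_addresses"]
    return any(ip_address(a) in net for a in addrs)


def precedence_key(rec: PolicyRecord, zone_order: List[str]) -> tuple:
    """Lower key wins; the tuple encodes the five quoted rules in order."""
    key: list = [zone_order.index(rec.zone), TRIGGER_RANK[rec.trigger]]  # rules 1, 2
    if rec.trigger == "NSDNAME":
        key.append(rec.match.lower())             # rule 3: lexically smallest name
    elif rec.trigger in ("IP", "NSIP"):
        net = ip_network(rec.match, strict=False)
        key.append(-net.prefixlen)                # rule 4: longest prefix
        key.append(int(net.network_address))      # rule 5: smallest address
    return tuple(key)


def choose_policy(records, zones, resp) -> Optional[PolicyRecord]:
    """Pick the single policy record BIND would apply, or None if nothing matches."""
    zone_order = [name for name, _ in zones]
    disabled = {name for name, override in zones if override == "disabled"}
    candidates = [r for r in records if r.zone not in disabled and applies(r, resp)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: precedence_key(r, zone_order))


if __name__ == "__main__":
    for label, resp in [("whitelisted", RESP_WHITELISTED), ("prefix", RESP_LONGEST_PREFIX),
                        ("nsdname", RESP_NSDNAME), ("disabled-only", RESP_DISABLED_ONLY)]:
        print(f"{label:14s} -> {choose_policy(RECORDS, ZONES, resp)}")
    # Same records, feed listed first: the feed's NXDOMAIN now wins for bad.example.com.
    feed_first = [ZONES[1], ZONES[0], ZONES[2]]
    print(f"{'feed-first':14s} -> {choose_policy(RECORDS, feed_first, RESP_WHITELISTED)}")
```

The model only covers the single pass described in the quoted text; the CNAME/DNAME restart, where all RPZs are consulted again for the new name, is not simulated.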