[RPZ] Unexpected RPZ behavior

Bill Owens owens at nysernet.org
Mon Mar 5 16:25:00 UTC 2012

I'm not sure what's happening here - perhaps it is correct, but I don't think so. Test setup is BIND 9.9.0 running on Linux PPC, with a very simple RPZ zone containing 

www.isc.org	IN	CNAME	.

As expected, if I query for www.isc.org without DO=1, RPZ intercepts it; if I query with DO=1, I get the correct A record.

However, if I ask for an RRTYPE that doesn't exist at www.isc.org, BIND returns this:

[littledebian:~] owens% dig +dnssec www.isc.org txt

; <<>> DiG 9.9.0 <<>> +dnssec www.isc.org txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61978
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 512
;www.isc.org.			IN	TXT

rpz.zone.		60	IN	SOA	rpz.zone. rpz.zone. 2012010201 3600 300 86400 60

;; Query time: 1 msec
;; WHEN: Mon Mar  5 11:19:43 2012
;; MSG SIZE  rcvd: 84

Same for other RRTYPEs. I think that if I were running a validating forwarder behind that resolver, it would be unhappy with that answer (no authenticated denial of existence). I'm also not sure what it would do to the cache, whether the NXDOMAIN for the TXT would affect future queries for an A record.
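A check for the condition raised in the post, added here as an example and not part of the original message or of BIND: a stdlib-only Python parser that takes a raw DNS response in wire format and reports what a validating client would see, namely whether a negative answer carries NSEC or NSEC3 plus an RRSIG (authenticated denial of existence) or only a bare SOA owned by a policy zone. The two sample messages are constructed inline; the first mimics the quoted RPZ answer (NXDOMAIN, a lone rpz.zone. SOA, DO set), the second has the shape of a signed NODATA answer. The rdata in the signed sample is placeholder bytes and the zone names are taken from the post; only record types matter to the classifier.

```python
import struct

# RR type codes used below (RFC 1035, RFC 4034, RFC 5155, RFC 6891).
TYPE_A, TYPE_SOA, TYPE_TXT = 1, 6, 16
TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 41, 46, 47, 50
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-encode a dotted name without compression; '.' is the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_rrs(msg, off, count):
    """Read `count` resource records starting at `off`."""
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def classify_response(msg):
    """Summarise a response the way a validating stub would look at it."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _qname, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    _answers, off = parse_rrs(msg, off, an)
    authority, off = parse_rrs(msg, off, ns)
    additional, _ = parse_rrs(msg, off, ar)
    auth_types = {rr[1] for rr in authority}
    soa_zone = next((rr[0] for rr in authority if rr[1] == TYPE_SOA), None)
    # The DO bit is the top bit of the OPT RR's TTL field (RFC 6891 6.1.3).
    do_bit = any(rr[1] == TYPE_OPT and (rr[3] >> 15) & 1 for rr in additional)
    return {
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "do": do_bit,
        "soa_zone": soa_zone,
        # A DNSSEC denial carries NSEC or NSEC3 plus an RRSIG covering it.
        "authenticated_denial": bool(auth_types & {TYPE_NSEC, TYPE_NSEC3})
                                and TYPE_RRSIG in auth_types,
    }


def is_policy_rewrite(summary, policy_zones):
    """True when the SOA comes from a known RPZ zone and nothing authenticates the denial."""
    return summary["soa_zone"] in policy_zones and not summary["authenticated_denial"]


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, qtype, rcode, authority, do=True):
    """Assemble a QR/RD/RA response with the given AUTHORITY RRs plus an OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 512, (1 << 15) if do else 0, 0)
    return header + question + b"".join(authority) + opt


# Constructed sample 1: the answer quoted in the post, a lone SOA for rpz.zone.
RPZ_SOA = encode_name("rpz.zone.") * 2 + struct.pack("!IIIII", 2012010201, 3600, 300, 86400, 60)
RPZ_NXDOMAIN = build_response("www.isc.org.", TYPE_TXT, 3,
                              [build_rr("rpz.zone.", TYPE_SOA, 60, RPZ_SOA)])

# Constructed sample 2: the shape of a signed NODATA answer (SOA + NSEC + RRSIG).
# Rdata bytes are placeholders, not a real signature or a real NSEC chain.
REAL_NODATA = build_response("www.isc.org.", TYPE_TXT, 0, [
    build_rr("isc.org.", TYPE_SOA, 60, encode_name("ns.isc.org.") * 2 + struct.pack("!IIIII", 1, 1, 1, 1, 60)),
    build_rr("www.isc.org.", TYPE_NSEC, 60, encode_name("isc.org.") + b"\x00\x06\x40\x00\x00\x00\x00\x03"),
    build_rr("www.isc.org.", TYPE_RRSIG, 60, b"\x00" * 18 + encode_name("isc.org.") + b"\x00" * 8),
])

if __name__ == "__main__":
    for label, msg in (("rpz", RPZ_NXDOMAIN), ("signed", REAL_NODATA)):
        print(label, classify_response(msg))
```

Feeding the parser a response captured with `dig +dnssec` (for example via a packet capture) shows at a glance why a downstream validator would reject the RPZ answer: NXDOMAIN, DO set, and nothing but an unsigned SOA from a zone the validator has no trust path to.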

