[DNSfirewalls] NSDNAME inconsistency

Vincent Stoffer vstoffer at lbl.gov
Wed Jul 17 21:59:43 UTC 2013


I have found what may amount to just a documentation inconsistency
regarding the NSDNAME policy trigger.  Upon testing some recent additions
to our RPZ, I realized that the NS entries that I added were not taking
effect.  Subsequent testing showed NSIP triggers for the NSs were rewriting
correctly.  By switching the syntax as noted below, the NS entries started

I had been going from the documentation at:

Which says the following:
NSDNAME triggers match names of authoritative servers for the query name, a
parent of the query name, a CNAME for query name, or a parent of a CNAME.
They are encoded as subdomains of rpz-nsdomain relativized to the RPZ
origin name. NSIP triggers match IP addresses in A and AAAA RRsets for
domains that can be checked against NSDNAME policy records. NSIP triggers
are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and
NSIP triggers are checked only for names with at least min-ns-dots dots.
The default value of min-ns-dots is 1 to exclude top level domains.

So I had been encoding NS entries as:
but it appears that the only correct syntax is:

Are they both supposed to work or is rpz-nsdomain an oversight in the
documentation?  Can someone clear this up for me?  I thought I had tested
these triggers as working before (with rpz-nsdomain), so possibly something
changed between versions?  Our BIND version is BIND 9.8.5-rpz2+rl.156.01-P1.

Thank you,


Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
(510) 486-4531
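The trigger encoding rules quoted from the documentation above, worked through as an added example (not code from the post or from BIND): owner names for IP, NSIP and NSDNAME triggers relativized to a constructed RPZ origin, plus the min-ns-dots check. The `rpz-nsdname` label for NSDNAME triggers is assumed from the BIND ARM, not taken from the post.

```python
import ipaddress
from typing import Optional

RPZ_ORIGIN = "rpz.example.net."   # constructed sample RPZ zone origin


def _rel(name: str) -> str:
    """Drop the trailing dot so a name can be relativized to the origin."""
    return name.rstrip(".")


def ns_triggers_apply(qname: str, min_ns_dots: int = 1) -> bool:
    """NSDNAME/NSIP policy is only consulted for query names with at least
    min-ns-dots dots; the default of 1 leaves top level domains alone."""
    return _rel(qname).count(".") >= min_ns_dots


def nsdname_trigger(ns_name: str, origin: str = RPZ_ORIGIN,
                    label: str = "rpz-nsdname") -> str:
    """Owner name of an NSDNAME trigger: <ns>.<label>.<origin>.
    The rpz-nsdname label is assumed from the BIND ARM, not from the post."""
    return f"{_rel(ns_name)}.{label}.{_rel(origin)}."


def _reversed_ip_labels(ip) -> str:
    """IPv4: octets reversed.  IPv6: 16-bit words reversed, '::' -> 'zz'."""
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split(".")))
    text = ip.compressed
    if "::" not in text:
        return ".".join(reversed(text.split(":")))
    left, right = text.split("::")
    labels = list(reversed(right.split(":"))) if right else []
    labels.append("zz")
    labels += reversed(left.split(":")) if left else []
    return ".".join(labels)


def ip_trigger(addr: str, prefix: Optional[int] = None,
               origin: str = RPZ_ORIGIN, label: str = "rpz-ip") -> str:
    """Owner name of an IP trigger: <prefix>.<reversed addr>.<label>.<origin>."""
    ip = ipaddress.ip_address(addr)
    if prefix is None:
        prefix = ip.max_prefixlen   # host route when no prefix is given
    return f"{prefix}.{_reversed_ip_labels(ip)}.{label}.{_rel(origin)}."


def nsip_trigger(addr: str, prefix: Optional[int] = None,
                 origin: str = RPZ_ORIGIN) -> str:
    """NSIP triggers are encoded exactly like IP triggers, under rpz-nsip."""
    return ip_trigger(addr, prefix, origin, label="rpz-nsip")
```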