[DNSfirewalls] NSDNAME inconsistency
vstoffer at lbl.gov
Wed Jul 17 21:59:43 UTC 2013
I have found what may amount to just a documentation inconsistency
regarding the NSDNAME policy trigger. Upon testing some recent additions
to our RPZ, I realized that the NS entries that I added were not taking
effect. Subsequent testing showed NSIP triggers for the NSs were rewriting
correctly. By switching the syntax as noted below, the NS entries started
I had been going from the documentation at:
Which says the following:
NSDNAME triggers match names of authoritative servers for the query name, a
parent of the query name, a CNAME for query name, or a parent of a CNAME.
They are encoded as subdomains of rpz-nsdomain relativized to the RPZ
origin name. NSIP triggers match IP addresses in A and AAAA RRsets for
domains that can be checked against NSDNAME policy records. NSIP triggers
are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and
NSIP triggers are checked only for names with at least min-ns-dots dots.
The default value of min-ns-dots is 1 to exclude top level domains.
So I had been encoding NS entries as:
but it appears that the only correct syntax is:
Are they both supposed to work or is rpz-nsdomain an oversight in the
documentation? Can someone clear this up for me? I thought I had tested
these triggers as working before (with rpz-nsdomain), so possibly something
changed between versions? Our bind version is BIND 9.8.5-rpz2+rl.156.01-P1.
Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
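As an added example (not code from the post, from BIND, or from its documentation), the matching rules quoted above modelled in Python: NS names for the query name, its parents and any CNAME targets are encoded under an assumed rpz-nsdname owner suffix, NS addresses under rpz-nsip, and names with fewer than min-ns-dots dots are skipped. The RPZ origin, trigger records and resolver data are all constructed.

```python
# Added illustrative model of BIND RPZ NSDNAME/NSIP trigger matching; not BIND code.
# Assumed: the rpz-nsdname owner suffix, the rpz.example origin and all data below.
MIN_NS_DOTS = 1  # BIND default: names with fewer dots (TLD-like) are not checked
def normalize(name):
    return name.rstrip(".").lower()

def ancestors(name):
    """The name itself, then each parent (excluding the root)."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def nsdname_trigger(ns_name, origin, suffix="rpz-nsdname"):
    """Owner name an RPZ record needs to match an authoritative server name."""
    return f"{normalize(ns_name)}.{suffix}.{normalize(origin)}"

def nsip_trigger(ipv4, origin):
    """Encode an IPv4 address like an IP trigger, but under rpz-nsip."""
    return f"32.{'.'.join(reversed(ipv4.split('.')))}.rpz-nsip.{normalize(origin)}"

def cname_chain(qname, cname_of):
    """The query name followed by every CNAME target it resolves through."""
    chain = [normalize(qname)]
    while chain[-1] in cname_of:
        chain.append(normalize(cname_of[chain[-1]]))
    return chain

def ns_trigger_match(rpz_owners, qname, ns_of, addr_of, cname_of, origin):
    """Return the RPZ owner name that fires for qname, or None if nothing matches."""
    for name in cname_chain(qname, cname_of):
        if name.count(".") < MIN_NS_DOTS:
            continue  # min-ns-dots: skip NS checks for names without enough dots
        for zone in ancestors(name):
            for ns in ns_of.get(zone, []):
                owner = nsdname_trigger(ns, origin)
                if owner in rpz_owners:
                    return owner
                for ip in addr_of.get(normalize(ns), []):
                    owner = nsip_trigger(ip, origin)
                    if owner in rpz_owners:
                        return owner
    return None
# Constructed sample data: an RPZ holding one NSDNAME and one NSIP trigger, plus
# the NS, A and CNAME records a resolver would have learned for the query names.
RPZ_OWNERS = {"ns1.badhost.example.rpz-nsdname.rpz.example",
              "32.10.0.0.192.rpz-nsip.rpz.example"}
NS_OF = {"badhost.example": ["ns1.badhost.example"], "example": ["ns1.badhost.example"],
         "victim.test": ["ns.hoster.test"]}
ADDR_OF = {"ns.hoster.test": ["192.0.0.10"]}
CNAME_OF = {"www.alias.test": "site.badhost.example"}
def check(qname):
    return ns_trigger_match(RPZ_OWNERS, qname, NS_OF, ADDR_OF, CNAME_OF, "rpz.example")
```

The "example" query shows the min-ns-dots rule: its NS record would match, but a name with no dots is never checked.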