[DNSfirewalls] NSDNAME inconsistency

Vincent Stoffer vstoffer at lbl.gov
Wed Jul 17 21:59:43 UTC 2013


Hello,

I have found what may amount to just a documentation inconsistency
regarding the NSDNAME policy trigger.  Upon testing some recent additions
to our RPZ, I realized that the NS entries that I added were not taking
effect.  Subsequent testing showed NSIP triggers for the NSs were rewriting
correctly.  By switching the syntax as noted below, the NS entries started
working.

I had been going from the documentation at
http://ss.vix.su/~vjs/rpz-arm.html
which says the following:
NSDNAME triggers match names of authoritative servers for the query name, a
parent of the query name, a CNAME for query name, or a parent of a CNAME.
They are encoded as subdomains of rpz-nsdomain relativized to the RPZ
origin name. NSIP triggers match IP addresses in A and AAAA RRsets for
domains that can be checked against NSDNAME policy records. NSIP triggers
are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and
NSIP triggers are checked only for names with at least min-ns-dots dots.
The default value of min-ns-dots is 1 to exclude top level domains.

So I had been encoding NS entries as:
ns1.example.com.rpz-nsdomain.rpz.foo.bar
but it appears that the only correct syntax is:
ns1.example.com.rpz-nsdname.rpz.foo.bar

Are they both supposed to work or is rpz-nsdomain an oversight in the
documentation?  Can someone clear this up for me?  I thought I had tested
these triggers as working before (with rpz-nsdomain), so possibly something
changed between versions?  Our bind version is BIND 9.8.5-rpz2+rl.156.01-P1.

Thank you,

Vince

-- 
Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
(510) 486-4531
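As an added example (not part of the original post, and not ISC's or BIND's own code), the helpers below build RPZ trigger owner names in the form the post found to work (rpz-nsdname, and NSIP encoded like IP triggers) and lint a zone fragment for owners still using rpz-nsdomain. The origin rpz.foo.bar is taken from the post; the sample zone text is constructed, and NSIP encoding is shown for IPv4 only.

```python
import ipaddress
import re

# RPZ origin from the mailing-list example (any zone origin works).
RPZ_ORIGIN = "rpz.foo.bar"


def nsdname_trigger(ns_name, origin=RPZ_ORIGIN):
    """Owner name for an NSDNAME trigger: the nameserver's name placed under
    rpz-nsdname and relativized to the RPZ origin (rpz-nsdomain does not fire)."""
    return f"{ns_name.strip('.')}.rpz-nsdname.{origin}"


def nsip_trigger(cidr, origin=RPZ_ORIGIN):
    """Owner name for an IPv4 NSIP trigger, encoded like an IP trigger:
    prefix length, then the network octets in reverse order, under rpz-nsip."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-nsip.{origin}"


_WRONG_LABEL = re.compile(r"\.rpz-nsdomain\.", re.IGNORECASE)


def lint_rpz_owners(zone_text):
    """Return one message per record whose owner uses rpz-nsdomain (never
    matched by BIND), with the rpz-nsdname spelling suggested instead."""
    problems = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and zone-file comments
        owner = line.split()[0] + "."  # trailing dot so a bare last label still matches
        if _WRONG_LABEL.search(owner):
            fixed = _WRONG_LABEL.sub(".rpz-nsdname.", owner).rstrip(".")
            problems.append(f"{owner.rstrip('.')}: rpz-nsdomain never matches; use {fixed}")
    return problems


# Constructed zone fragment: one mis-encoded NSDNAME owner, one correct NSIP owner.
SAMPLE_ZONE = """\
; constructed RPZ fragment
ns1.example.com.rpz-nsdomain.rpz.foo.bar  CNAME  .
32.1.2.0.192.rpz-nsip.rpz.foo.bar         CNAME  .
"""

if __name__ == "__main__":
    for problem in lint_rpz_owners(SAMPLE_ZONE):
        print(problem)
```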