[DNSfirewalls] NSDNAME inconsistency
Vincent Stoffer
vstoffer at lbl.gov
Wed Jul 17 21:59:43 UTC 2013
Hello,
I have found what may amount to just a documentation inconsistency
regarding the NSDNAME policy trigger. Upon testing some recent additions
to our RPZ, I realized that the NS entries that I added were not taking
effect. Subsequent testing showed NSIP triggers for the NSs were rewriting
correctly. By switching the syntax as noted below, the NS entries started
working.
I had been going from the documentation at
http://ss.vix.su/~vjs/rpz-arm.html
which says the following:
NSDNAME triggers match names of authoritative servers for the query name, a
parent of the query name, a CNAME for query name, or a parent of a CNAME.
They are encoded as subdomains of rpz-nsdomain relativized to the RPZ
origin name. NSIP triggers match IP addresses in A and AAAA RRsets for
domains that can be checked against NSDNAME policy records. NSIP triggers
are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and
NSIP triggers are checked only for names with at least min-ns-dots dots.
The default value of min-ns-dots is 1 to exclude top level domains.
So I had been encoding NS entries as:
ns1.example.com.rpz-nsdomain.rpz.foo.bar
but it appears that the only correct syntax is:
ns1.example.com.rpz-nsdname.rpz.foo.bar
Are they both supposed to work, or is rpz-nsdomain an oversight in the
documentation? Can someone clear this up for me? I thought I had tested
these triggers as working before (with rpz-nsdomain), so possibly something
changed between versions? Our BIND version is BIND 9.8.5-rpz2+rl.156.01-P1.
Thank you,
Vince
--
Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
(510) 486-4531
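To make the encoding rules quoted above concrete, here is a small Python helper that builds RPZ owner names for NSDNAME and NSIP triggers and applies the min-ns-dots check. This is an added example, not code from the original post or from BIND; the zone origin rpz.foo.bar and the sample name servers and addresses are constructed for illustration. It uses the rpz-nsdname label that the poster found to work and does not emit rpz-nsdomain.

```python
"""Build RPZ trigger owner names for NSDNAME and NSIP policy records.

Added example; not from the mailing-list post or from BIND itself.
Label names follow the RPZ format quoted in the post. "rpz-nsdname" is
the label that worked in the poster's BIND build; "rpz-nsdomain" (from
the older documentation text) is deliberately not used here.
"""
import ipaddress

NSDNAME_LABEL = "rpz-nsdname"
NSIP_LABEL = "rpz-nsip"


def _norm(name: str) -> str:
    """Lower-case a domain name and drop any trailing dot."""
    return name.strip().rstrip(".").lower()


def nsdname_trigger(ns_name: str, rpz_origin: str) -> str:
    """Owner name for an NSDNAME trigger: <ns-name>.rpz-nsdname.<origin>."""
    return f"{_norm(ns_name)}.{NSDNAME_LABEL}.{_norm(rpz_origin)}."


def address_labels(cidr: str) -> str:
    """Encode an address or prefix the RPZ way: the prefix length, then the
    address components in reverse order. IPv6 uses the compressed textual
    form with the '::' run written as the label 'zz'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        return ".".join([str(net.prefixlen)] + octets[::-1])
    text = net.network_address.compressed  # e.g. "2001:db8::1"
    if "::" in text:
        left, right = text.split("::")
        words = (left.split(":") if left else []) + ["zz"] + (right.split(":") if right else [])
    else:
        words = text.split(":")
    return ".".join([str(net.prefixlen)] + words[::-1])


def nsip_trigger(cidr: str, rpz_origin: str) -> str:
    """Owner name for an NSIP trigger: <reversed-address>.rpz-nsip.<origin>."""
    return f"{address_labels(cidr)}.{NSIP_LABEL}.{_norm(rpz_origin)}."


def ns_triggers_apply(qname: str, min_ns_dots: int = 1) -> bool:
    """NSDNAME and NSIP triggers are consulted only for query names with at
    least min-ns-dots dots; the default of 1 excludes top-level domains."""
    return _norm(qname).count(".") >= min_ns_dots


def rpz_zone_fragment(rpz_origin, ns_names, ns_addrs, action="CNAME ."):
    """Zone-file lines for a set of NS triggers. 'CNAME .' is the RPZ
    NXDOMAIN action; 'CNAME *.' would be the NODATA action."""
    lines = [f"{nsdname_trigger(ns, rpz_origin)} {action}" for ns in ns_names]
    lines += [f"{nsip_trigger(cidr, rpz_origin)} {action}" for cidr in ns_addrs]
    return lines


if __name__ == "__main__":
    # Constructed sample data: a hypothetical RPZ origin and name servers.
    for line in rpz_zone_fragment(
        "rpz.foo.bar",
        ["ns1.example.com", "ns2.example.com"],
        ["192.0.2.1", "192.0.2.0/24", "2001:db8::1"],
    ):
        print(line)
```

The owner names are emitted fully qualified; inside a zone file with `$ORIGIN rpz.foo.bar.` the same records can be written relative, e.g. `ns1.example.com.rpz-nsdname CNAME .`. Note that `ns_triggers_apply` only reproduces the dot-count gate described in the quoted documentation; the resolver still has to resolve the NS RRset of the query name (or of a parent, or of a CNAME target) before NSDNAME and NSIP triggers can match.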