[RPZ] Which 'options' section does the RPZ config go in?

ixloran at sent.at ixloran at sent.at
Fri Mar 29 21:41:48 UTC 2013


> good luck and please tell us all how it works out once you've made it
> operational and seen some results.

Once you figure out that you need to PATCH the source it's pretty easy
to get set up. :-)

I really appreciate the Spamhaus folks letting us get up to speed with
their beta zones.  The system's up and running now.  From what I can
tell, testing for responses, it's working like it should.  Even though
I'll always stick with a build-it-yourself approach, I hope the distros
get around to including it someday in their BIND packages.

I'm always gonna be small, and hope that there's gonna always be a "free
for small users" option.  The prices I've seen with some of the other
zone providers are out of my league.

> > 	zone "drop.rpz.spamhaus.org" IN {
> > 		type slave; file
> > 		"/dns/slave/drop.rpz.spamhaus.org.zone";
> > 		masters { spamhaus; }; allow-transfer { spamhaus; };
> > 		request-ixfr yes; ixfr-from-differences yes;
> > 		notify no;
> > 	};

> note that ixfr-from-differences and allow-transfer pertain to your
> treatment of requestors who IXFR the zone from you, and will have no
> effect on how you transfer the zone from others.

OK on the ixfr-from-differences.

From what I understand the zone provider you're using PUSHES the updates
as master to your slave.  I thought the "allow-transfer" is what's
needed to allow/enable that push.  No?

> as cricket said, the rpz configuration elements belong in your recursive view.

OK.  If I were to ever turn on recursive for BOTH internal & external
views, would the config go best in EACH recursive view at that point? 
Or can I put it in the global options stanza?
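
An added illustration of the placement described in the quoted replies above (not part of the original message, and not anyone's actual configuration): the policy zone and its `response-policy` statement sit inside the recursive view, and the comments mark which zone options act on inbound versus outbound transfers. The server address, ACL and view names are placeholders assumed for the example; only the zone name and file path come from the post.

```conf
// Constructed example. 192.0.2.53 is a documentation-range placeholder,
// and "internal-nets", "internal" and "external" are assumed names.
masters spamhaus { 192.0.2.53; };   // placeholder for the provider's transfer servers

acl internal-nets { 127.0.0.0/8; 10.0.0.0/8; };   // assumed client ranges

view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    // The policy is applied by the view that performs recursion.
    response-policy { zone "drop.rpz.spamhaus.org"; };

    // The policy zone has to be defined in the same view that references it.
    zone "drop.rpz.spamhaus.org" IN {
        type slave;
        file "/dns/slave/drop.rpz.spamhaus.org.zone";
        masters { spamhaus; };      // inbound: servers we transfer from; their NOTIFYs are accepted by default
        request-ixfr yes;           // inbound: ask the master for incremental transfers
        allow-transfer { none; };   // outbound: who may transfer this zone from us
        notify no;                  // outbound: we send no NOTIFY messages
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    // authoritative zones only; no response-policy in a non-recursive view
};
```

`named-checkconf` will confirm that the statements are accepted in the positions shown before the server is reloaded.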

