[RPZ] Which 'options' section does the RPZ config go in?
ixloran at sent.at
Sat Mar 30 19:44:48 UTC 2013
Hi April
Thanks for the explanation.
On Sat, Mar 30, 2013, at 08:53 AM, April Lorenzen wrote:
> maybe they just keep doing that pulling from a db to generate even a file that
> hasn't changed and isn't getting high frequency updates.
I personally don't *know* that's the case, but it seems to act like that.
The updates to drop.rpz don't actually seem to be changing anything in
terms of content other than the serial numbers.
> The brilliance of nsupdate is that like an incremental transfer, just the
> changed (added or dropped) records get sent to the
> master BIND with RPZ ... there's no zone reload, closer-to-zero
> propagation delay and you'd only get an IXFR if there's a change.
Then other than the "why are they updating drop.rpz so much more often
than rpz.?" question, I guess this doesn't matter. Or at least it
doesn't cause any actual problem.
The RPZ tests now work for BOTH drop.rpz and rpz zones, and I'm getting
no errors anymore.
-Izzy