[DNSfirewalls] RPZ Trigger on answer section
Davey Song
songlinjian at gmail.com
Mon Dec 25 02:07:06 UTC 2017
On 24 December 2017 at 02:12, Paul Vixie <paul at redbarn.org> wrote:
> RPZ is not able to act on two or more attributes of a response, only one.
> None of the relevant attributes will be the QTYPE of the query or any of
> the RRTYPEs of the answer. So, as it is today, RPZ cannot help you with
> your problem.
Yes, I see that. You are correct that there is no trigger in RPZ that does what you need.
> Moreover, there may not be anything in DNS that does what you need. The
> CNAME returned in the CDN IP4 case will be cached, and your authority
> server will not receive subsequent queries about any RRset for that alias
> (CNAME owner). So, even if you use dnsdist, or hand-write your own DNS
> server, it's not clear that you could ever win.
I think even if the A records are cached (from the CNAME server), the AAAA query
will still be sent to the authority server. There is no AAAA in the cache.
Davey.
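As an added illustration that is not part of this thread, the following Python model of a caching resolver's CNAME handling (as specified in RFC 1034, where a cached CNAME restarts the lookup at the canonical name) records which queries reach the alias owner's authoritative server after the CNAME has been cached. All names and addresses are constructed.

```python
# Added example: minimal model of resolver CNAME caching. Names are constructed.

class AuthServer:
    """Authoritative server for one zone; records every query it receives."""
    def __init__(self, rrsets):
        self.rrsets = rrsets          # {(owner, rtype): [rdata, ...]}
        self.queries = []             # (owner, rtype) pairs seen at this authority

    def query(self, name, rtype):
        self.queries.append((name, rtype))
        # An owner with a CNAME answers any non-CNAME QTYPE with the CNAME itself.
        if (name, "CNAME") in self.rrsets and rtype != "CNAME":
            return [("CNAME", self.rrsets[(name, "CNAME")][0])]
        return [(rtype, r) for r in self.rrsets.get((name, rtype), [])]


class Resolver:
    """Caching resolver: a cached CNAME for the alias owner restarts the lookup
    at the canonical name, so the alias owner's authority is not asked again."""
    def __init__(self, authorities):
        self.authorities = authorities  # {zone suffix: AuthServer}
        self.cache = {}                 # {(owner, rtype): [rdata, ...]}

    def _auth_for(self, name):
        return next(a for z, a in self.authorities.items() if name.endswith(z))

    def resolve(self, name, rtype, depth=0):
        assert depth < 8, "CNAME chain too long"
        if (name, "CNAME") in self.cache:          # cached alias: follow it
            return self.resolve(self.cache[(name, "CNAME")][0], rtype, depth + 1)
        if (name, rtype) in self.cache:            # cached answer
            return self.cache[(name, rtype)]
        answer = self._auth_for(name).query(name, rtype)
        if answer and answer[0][0] == "CNAME" and rtype != "CNAME":
            self.cache[(name, "CNAME")] = [answer[0][1]]
            return self.resolve(answer[0][1], rtype, depth + 1)
        self.cache[(name, rtype)] = [r for _, r in answer]
        return self.cache[(name, rtype)]


def queries_reaching_authorities():
    """Customer zone aliases www to a CDN edge; ask A first, then AAAA, for www.
    Returns the query lists seen by the customer authority and the CDN authority."""
    origin = AuthServer({("www.example.test", "CNAME"): ["edge.cdn.test"]})
    cdn = AuthServer({("edge.cdn.test", "A"): ["192.0.2.10"],
                      ("edge.cdn.test", "AAAA"): ["2001:db8::10"]})
    r = Resolver({"example.test": origin, "cdn.test": cdn})
    r.resolve("www.example.test", "A")
    r.resolve("www.example.test", "AAAA")
    return origin.queries, cdn.queries
```

Running it shows the customer authority sees only the first A query; the later AAAA query for www is answered from the cached CNAME and goes to the CDN authority instead.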