[DNSfirewalls] rpz firewall + whitelisting
Paul Vixie
paul at redbarn.org
Tue Aug 27 16:02:21 UTC 2019
On Tuesday, 27 August 2019 15:46:36 UTC Lee wrote:
> ... instead of me having to do
>
> $ cat db.test-rpz
> $ORIGIN rpz.test.
> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
>         IN NS localhost.
> 2o7.net CNAME .
> *.2o7.net CNAME .
> 112.2o7.net CNAME .
> *.112.2o7.net CNAME .
> 102.112.2o7.net CNAME .
> *.102.112.2o7.net CNAME .
> com.102.112.2o7.net CNAME .
> *.com.102.112.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> ; === end ===
>
> Would it be possible for me to do
> 2o7.net CNAME .
> *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>
> and for you to automagically fill in the intervening space for me:
> 112.2o7.net CNAME .
> *.112.2o7.net CNAME .
> 102.112.2o7.net CNAME .
> *.102.112.2o7.net CNAME .
> com.102.112.2o7.net CNAME .
> *.com.102.112.2o7.net CNAME .
no. that would change the meaning of existing policy zones. this expansion
should be done by the rpz generator or by some preprocessor you'd write in
python or perl or whatever.
--
Paul
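
One way to write the preprocessor suggested in the reply above, as an added example that is not code from this thread or from any RPZ implementation: it reads the compact zone Lee proposes and emits the intervening names and wildcards, each with the action of the nearest enclosing wildcard. The function names are hypothetical, and it assumes one `owner CNAME target` record per line with owners written relative to `$ORIGIN`.

```python
import re

# Matches "owner [IN] CNAME target"; SOA, NS, $ORIGIN and comment lines do not match.
CNAME_RE = re.compile(r"^(\S+)\s+(?:IN\s+)?CNAME\s+(\S+)\s*$", re.IGNORECASE)

def parse(lines):
    """Return ((owner, target) or None, raw_line) for every input line."""
    out = []
    for raw in lines:
        m = CNAME_RE.match(raw.strip())
        out.append(((m.group(1).lower(), m.group(2)) if m else None, raw.rstrip("\n")))
    return out

def gap_names(owner, policy):
    """Names strictly between owner and its nearest enclosing wildcard, and that wildcard's action."""
    labels = owner.split(".")
    gap = []
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        wild = "*." + ancestor
        if wild in policy and wild != owner:
            return list(reversed(gap)), policy[wild]  # shallowest name first
        gap.append(ancestor)
    return [], None  # no wildcard above this owner: nothing to fill in

def expand(lines):
    """Insert the missing in-between records just before the record that needs them."""
    parsed = parse(lines)
    policy = {rec[0]: rec[1] for rec, _ in parsed if rec}  # hand-written records only
    seen = set(policy)
    out = []
    for rec, raw in parsed:
        if rec:
            names, action = gap_names(rec[0], policy)
            for name in names:
                for owner in (name, "*." + name):
                    if owner not in seen:  # never override an existing record
                        seen.add(owner)
                        out.append(f"{owner} CNAME {action}")
        out.append(raw)  # non-CNAME lines pass through unchanged
    return out

# The compact form from the quoted message.
COMPACT = """\
2o7.net CNAME .
*.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
""".splitlines()

if __name__ == "__main__":
    print("\n".join(expand(COMPACT)))
```

Running it on an already expanded zone changes nothing, so it can sit in front of every zone reload.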