<div dir="ltr">Hello,<div><br></div><div>I have found what may amount to just a documentation inconsistency regarding the NSDNAME policy trigger. Upon testing some recent additions to our RPZ, I realized that the NS entries that I added were not taking effect. Subsequent testing showed NSIP triggers for the NSs were rewriting correctly. By switching the syntax as noted below, the NS entries started working.</div>
<div><br></div><div>I had been going from the documentation at:</div><div><a href="http://ss.vix.su/~vjs/rpz-arm.html">http://ss.vix.su/~vjs/rpz-arm.html</a></div><div><br></div><div>Which says the following:</div><div>NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdomain relativized to the RPZ origin name. NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains.</div>
<div><br></div><div>So I had been encoding NS entries as:</div><div>ns1.example.com.rpz-nsdomain.rpz.foo.bar</div><div>but it appears that the only correct syntax is:</div><div>ns1.example.com.rpz-nsdname.rpz.foo.bar</div>
<div><br></div><div>Are they both supposed to work or is rpz-nsdomain an oversight in the documentation? Can someone clear this up for me? I thought I had tested these triggers as working before (with rpz-nsdomain), so possibly something changed between versions? Our bind version is BIND 9.8.5-rpz2+rl.156.01-P1.</div>
<div><br></div><div>Thank you,</div><div><br></div><div>Vince</div><div><div><br></div>-- <br><div><span>Vincent Stoffer, Cyber Security Engineer</span></div><span>Cyber Security, Information Technology Division</span><br>
<span>Lawrence Berkeley National Laboratory</span><div><font color="#888888" face="arial, sans-serif">(510) 486-4531</font></div>
</div></div>
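<div>Added example, not code from the mail above and not from BIND itself: a small Python helper that builds RPZ trigger owner names the way the mail describes, using <code>rpz-nsdname</code> for name-server names and <code>rpz-nsip</code> with the reversed <code>prefix.B4.B3.B2.B1</code> address labels for name-server addresses (IPv6 as reversed hex words with <code>zz</code> standing for the <code>::</code> run), honours the <code>min-ns-dots</code> rule quoted from the ARM, and flags the <code>rpz-nsdomain</code> spelling when it sees it in an existing owner name. The origin <code>rpz.foo.bar</code> is taken from the mail; the name servers, addresses and the check function are constructed for the example.</div>

```python
"""Build and sanity-check RPZ trigger owner names (NSDNAME / NSIP / QNAME).

Added example, not BIND code.  Owner-name layout follows the RPZ format text
quoted in the mail: <ns-name>.rpz-nsdname.<origin> and
<prefix>.<reversed address>.rpz-nsip.<origin>.
"""
import ipaddress

# Trigger-type labels as defined by the RPZ format.
NSDNAME_LABEL = "rpz-nsdname"
NSIP_LABEL = "rpz-nsip"
IP_LABEL = "rpz-ip"
# The spelling quoted from the ARM that did not work in the mail (constructed check).
TYPO_LABEL = "rpz-nsdomain"

# Policy actions encoded as special CNAME targets.
RPZ_ACTIONS = {
    "NXDOMAIN": "CNAME .",
    "NODATA": "CNAME *.",
    "PASSTHRU": "CNAME rpz-passthru.",
    "DROP": "CNAME rpz-drop.",
}


def _canon(name: str) -> str:
    """Lower-case a domain name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")


def ns_triggers_apply(qname: str, min_ns_dots: int = 1) -> bool:
    """NSDNAME/NSIP triggers are only consulted for qnames with >= min-ns-dots dots."""
    return _canon(qname).count(".") >= min_ns_dots


def reversed_ip_labels(cidr: str) -> str:
    """Encode an IPv4/IPv6 network as the RPZ 'prefix.reversed-address' labels."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    if net.version == 4:
        octets = str(addr).split(".")
        return ".".join([str(net.prefixlen)] + octets[::-1])
    # IPv6: hex words without leading zeros, reversed; the '::' run becomes the label 'zz'.
    text = addr.compressed
    if "::" in text:
        head, tail = text.split("::")
        words = (head.split(":") if head else []) + ["zz"] + (tail.split(":") if tail else [])
    else:
        words = text.split(":")
    return ".".join([str(net.prefixlen)] + words[::-1])


def nsdname_trigger(ns_name: str, origin: str) -> str:
    """Owner name for an NSDNAME trigger: <ns-name>.rpz-nsdname.<origin>."""
    return f"{_canon(ns_name)}.{NSDNAME_LABEL}.{_canon(origin)}."


def nsip_trigger(cidr: str, origin: str) -> str:
    """Owner name for an NSIP trigger: <prefix>.<reversed addr>.rpz-nsip.<origin>."""
    return f"{reversed_ip_labels(cidr)}.{NSIP_LABEL}.{_canon(origin)}."


def classify_trigger(owner: str, origin: str) -> tuple:
    """Split an RPZ owner name into (trigger kind, payload); flags the rpz-nsdomain spelling."""
    owner, origin = _canon(owner), _canon(origin)
    if not owner.endswith("." + origin):
        raise ValueError(f"{owner} is not under RPZ origin {origin}")
    rel = owner[: -(len(origin) + 1)]          # owner relative to the RPZ origin
    labels = rel.split(".")
    last, payload = labels[-1], ".".join(labels[:-1])
    if last == TYPO_LABEL:
        return ("invalid", f"{TYPO_LABEL} is not a trigger label; use {NSDNAME_LABEL}: {payload}")
    if last == NSDNAME_LABEL:
        return ("nsdname", payload)
    if last == NSIP_LABEL:
        return ("nsip", payload)
    if last == IP_LABEL:
        return ("ip", payload)
    return ("qname", rel)


def zone_fragment(origin: str, ns_names: list, ns_cidrs: list, action: str = "NXDOMAIN") -> list:
    """Render NSDNAME and NSIP policy records for a set of name servers as zone-file lines."""
    rdata = RPZ_ACTIONS[action]
    lines = [f"$ORIGIN {_canon(origin)}."]
    lines += [f"{nsdname_trigger(ns, origin)} {rdata}" for ns in ns_names]
    lines += [f"{nsip_trigger(cidr, origin)} {rdata}" for cidr in ns_cidrs]
    return lines


if __name__ == "__main__":
    ORIGIN = "rpz.foo.bar"   # zone name from the mail; servers/addresses below are constructed
    for line in zone_fragment(ORIGIN, ["ns1.example.com"], ["198.51.100.53", "2001:db8::/32"]):
        print(line)
    print(classify_trigger("ns1.example.com.rpz-nsdomain.rpz.foo.bar", ORIGIN))
```

<div>Running it prints the NSDNAME record for <code>ns1.example.com</code>, the two NSIP records (<code>32.53.100.51.198.rpz-nsip...</code> and <code>32.zz.db8.2001.rpz-nsip...</code>), and an <code>invalid</code> classification for the <code>rpz-nsdomain</code> form, which is the quick way to audit an existing RPZ zone for the mis-spelt label before loading it.</div>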