Need feedback on RPZ service setup

Tony Finch dot at dotat.at
Thu Jan 5 13:24:53 UTC 2017


Lars Kulseng <larskulseng at gmail.com> wrote:

> I am setting up BIND to be used as a way to disseminate RPZ-zones for use
> by third parties. I would like some feedback on my setup.

Overall it sounds very sensible to me. A few notes...

> Access control is done by using TSIG-keys, with separate keys for: updates,
> M1->S{1,2} transfers, and lastly there will be separate keys for each
> Consumer of the RPZ-zone. The number of keys will then be 1 + 1 +
> num_consumers. Each Consumer endpoint, where a transfer will take place,
> will have to be defined by the server-clause in BIND, using the
> keys-option, specifying an existing key.

Instead of using server clauses, I would suggest having a big ACL listing
all your consumer TSIG keys. You can then use this ACL in your RPZ
allow-query and allow-transfer clauses. You should also include your
internal zone transfer TSIGs and your management / monitoring clients in
this ACL too! :-)

> Consumers will treat S1 and S2 as masters for the RPZ-zone, and can
> allow-notify from S1 and S2 if they want instant updates.

BIND will only send NOTIFY to a zone's advertised name servers - "stealth
slaves" like your consumers have to rely on the SOA refresh timer.

I have some rather horrible code which attempts to help stealth slaves get
updates faster, by grepping the logs for zone transfers, and fanning out
notify messages to all the xfer clients. But on balance it's probably more
sensible to just reduce the refresh timer to a small number :-)

http://www.dotat.at/prog/nsnotifyd/

> The RPZ-zone itself will never be queried, nor does it need resolving.
> Since the name of the RPZ-zone is not important, and should in fact be
> innocuous-sounding, the zone will be called something like
> "_rainbow.orgname". This will ensure that there won't be any collisions
> with other zones, and will not reveal that this is an RPZ-/blocking zone.

In general it's better to use a subdomain of a properly registered domain,
rather than making up a TLD that you hope will not collide. Or maybe I
misunderstood what you meant by ".orgname"?

There's not much need to be fussy about your zone names. For example, the
Spamhaus DBL in RPZ format is called dbl.rpz.spamhaus.org.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
South Utsire, Forties: Southerly 3 or 4, increasing 5 to 7, perhaps gale 8
later. Moderate, becoming rough at times later. Showers, rain later. Good,
occasionally poor later.
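As an added illustration of the ACL-of-TSIG-keys approach suggested above (example configuration written for this page, not from the thread or from the BIND project; all key names, secrets, addresses and the zone name are placeholders, and it uses current BIND 9 keywords):

```conf
// ---- Primary (M1) side ----
// Secrets are placeholders; generate real ones with tsig-keygen.
key "rpz-update" { algorithm hmac-sha256; secret "<update-key-secret>"; };
key "rpz-xfer"   { algorithm hmac-sha256; secret "<internal-xfer-secret>"; };
key "consumer-a" { algorithm hmac-sha256; secret "<consumer-a-secret>"; };
key "consumer-b" { algorithm hmac-sha256; secret "<consumer-b-secret>"; };

// One ACL for everyone allowed to see the zone: the internal transfer
// key used by S1/S2, one key per consumer, and monitoring hosts.
// Adding a consumer is one new key plus one line here.
acl "rpz-readers" {
    key "rpz-xfer";
    key "consumer-a";
    key "consumer-b";
    192.0.2.10;                 // monitoring host (placeholder address)
};

zone "rpz.example.org" {        // subdomain of a registered domain
    type primary;
    file "rpz.example.org.db";
    allow-update   { key "rpz-update"; };  // only the update key may change it
    allow-query    { rpz-readers; };       // zone contents are not public
    allow-transfer { rpz-readers; };       // AXFR/IXFR only with a listed key
    notify explicit;                       // NOTIFY only the hosts listed below
    also-notify { 192.0.2.1 key "rpz-xfer"; 192.0.2.2 key "rpz-xfer"; };
};

// ---- Consumer side (stealth secondary of S1/S2) ----
// Consumers are not in the zone's NS set, so they will not be notified;
// keep the SOA refresh value in the zone file small so they poll often.
key "consumer-a" { algorithm hmac-sha256; secret "<consumer-a-secret>"; };

zone "rpz.example.org" {
    type secondary;
    file "rpz.example.org.db";
    primaries { 192.0.2.1 key "consumer-a"; 192.0.2.2 key "consumer-a"; };
    allow-notify { 192.0.2.1; 192.0.2.2; };   // optional, per the thread
};

// Actually apply the zone as policy on the consumer's resolver.
options {
    response-policy { zone "rpz.example.org"; };
};
```

The same ACL name can be reused in `allow-query` and `allow-transfer` of every RPZ zone the service publishes, so the consumer list is maintained in one place.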