Fwd: Need feedback on RPZ service setup
Tony Finch
dot at dotat.at
Thu Jan 5 15:54:40 UTC 2017
Lars Kulseng <larskulseng at gmail.com> wrote:
>
> I wasn't aware that the ACL-clause could include TSIG-keys as well as
> IP-addresses. So far I've been using the masters-clause to make the actual
> list of servers and keys, but also using the server-clause. Perhaps the
> server-clause is unnecessary, and I can simply refer to a defined key and
> an IP-address in a masters-clause and use this as the ACL?
In my setup, I don't have any awkward network topology that requires me to
configure source addresses, and I don't need any of the weird protocol
tweaks that server{} clauses can specify. So the only thing that I can
usefully put in a server{} clause is a TSIG key name.
I reckon that it's slightly neater to just list the TSIG key next to the
server address in the masters{} clause. This choice means my config tends
to repeat key names more and repeat IP addresses less.
There's still some repetition though, because ACLs are completely separate
from masters{} lists - you can't refer to a masters{} list in an ACL :-/
(This limitation is to do with an ACL entry being an address OR a key,
whereas a masters entry is an address AND a key.)
The repetition tends to occur where we have bidirectional secondarying, so
there's a masters clause for zones we secondary and an allow-transfer
clause for zones they secondary. There can also be repetition between
allow-transfer and also-notify lists. But it can be minimized by using
TSIG instead of addresses in ACLs.
> Something I was considering, was to place an also-notify option in the zone
> on S1 and S2, where I would refer to a masters-clause "rpz-endpoints". This
> list also refers the TSIG-key for the external transfers. I would also put
> a "notify explicit" option. This way, I don't have to rely on NS-entries in
> the zone.
Yes, that would make a lot more sense.
OK, to make this a bit more specific (because I feel I was waving my hands
too much above), I'd do something like the following:
# on the master
# (the key itself is declared elsewhere with a key tsig-xfer { ... }; statement,
# omitted here)
acl internal {
    key tsig-xfer;
    # include other privileged clients here
};
zone myrpz {
    type master;
    file "myrpz";
    update-policy local;
    allow-query { internal; };
    allow-transfer { internal; };
};

# on the secondaries
# (acl internal and the key { ... }; statements for tsig-xfer, consumer-1 and
# consumer-2 are assumed to be declared here as well)
masters master {
    192.0.2.4 key tsig-xfer;
};
masters notify-consumers {
    # placeholder consumer addresses from the RFC 5737 documentation ranges
    198.51.100.1 key consumer-1;
    203.0.113.1 key consumer-2;
    # and so on, et cetera ad nauseam
};
acl consumers {
    key consumer-1;
    key consumer-2;
    # and so on, et cetera ad nauseam
};
zone myrpz {
    type slave;
    file "myrpz";
    masters { master; };
    also-notify { notify-consumers; };
    allow-query { internal; consumers; };
    allow-transfer { internal; consumers; };
};
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Wight, Portland: Variable, becoming south, 3 or 4, occasionally 5 later.
Smooth or slight. Fair. Good.
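As an added example that is not part of Tony's message or of BIND itself: the repetition he describes (the same key names in a masters{} list for also-notify and again in the ACL for allow-transfer, because an ACL cannot refer to a masters{} list) is exactly the kind of thing that drifts out of sync. The hypothetical Python lint below reads a named.conf, resolves key, acl and masters references, reports any key a zone notifies that its allow-transfer ACL would not admit, and flags address-only ACL entries, which grant access without TSIG. It assumes a masters list named `upstream`, placeholder TSIG secrets and RFC 5737 documentation addresses, and understands only the subset of named.conf syntax used in the message.

```python
"""Hypothetical named.conf cross-reference lint (not part of BIND): an ACL
cannot refer to a masters{} list, so key names are repeated by hand; check the
copies still agree and every referenced key/acl/masters name is defined."""
import ipaddress
import re

BUILTIN_ACLS = {"any", "localhost", "localnets"}
BLOCK_RE = re.compile(r'([a-z-]+)(?:\s+("?[\w.:/-]+"?))?(?:\s+(?:IN|CH|HS))?\s*\{')

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(#|//).*$", "", text)

def blocks(text):
    """(stmt, name or None, raw body) per `stmt [name] { body };` at this level."""
    out, pos = [], 0
    while m := BLOCK_RE.search(text, pos):
        depth, j = 1, m.end()
        while j < len(text) and depth:          # skip to the matching brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        name = m.group(2).strip('"') if m.group(2) else None
        out.append((m.group(1), name, text[m.end():j - 1]))
        pos = j
    return out

def entries(body):
    # token lists, one per `;`-terminated entry of an address/key list
    return [e.split() for e in body.split(";") if e.strip()]

def is_address(tok):
    try:
        ipaddress.ip_network(tok.lstrip("!"), strict=False)
        return True
    except ValueError:
        return False

def lint(config):
    """Return 'error ...' / 'warn ...' strings; an empty list means consistent."""
    keys, acls, masters, zones = set(), {}, {}, {}
    for stmt, name, body in blocks(strip_comments(config)):
        if stmt == "key":
            keys.add(name)
        elif stmt == "acl":
            acls[name] = entries(body)
        elif stmt == "masters":
            masters[name] = entries(body)
        elif stmt == "zone":
            zones[name] = {s: entries(b) for s, _, b in blocks(body)}
    problems = []
    def check_key(k, where):
        if k not in keys:
            problems.append(f"error {where}: key '{k}' is referenced but never defined")
    def masters_keys(ents, where):
        """TSIG keys named in a masters list, following nested list names."""
        found = set()
        for toks in ents:
            if "key" in toks:
                found.add(toks[toks.index("key") + 1])
                check_key(toks[toks.index("key") + 1], where)
            elif len(toks) == 1 and toks[0] in masters:
                found |= masters_keys(masters[toks[0]], where)
            elif not is_address(toks[0]):
                problems.append(f"error {where}: masters list '{toks[0]}' is not defined")
        return found
    def acl_keys(ents, where):
        """TSIG keys an ACL admits (nested ACLs followed); address-only entries flagged."""
        found = set()
        for toks in ents:
            ref = toks[0].lstrip("!")
            if toks[0] == "key":
                found.add(toks[1])
                check_key(toks[1], where)
            elif ref in acls:
                found |= acl_keys(acls[ref], where)
            elif ref in BUILTIN_ACLS or is_address(ref):
                problems.append(f"warn {where}: '{toks[0]}' admits clients by address, not TSIG")
            elif ref != "none":
                problems.append(f"error {where}: acl '{ref}' is not defined")
        return found
    for zname, opts in zones.items():
        where = f"zone {zname}"
        notify = masters_keys(opts.get("also-notify", []), where + " also-notify")
        xfer = acl_keys(opts.get("allow-transfer", []), where + " allow-transfer")
        acl_keys(opts.get("allow-query", []), where + " allow-query")
        for k in sorted(notify - xfer):   # a notified consumer that could not transfer
            problems.append(f"error {where}: also-notify uses key '{k}' but allow-transfer does not admit it")
    return problems

# Constructed sample: the secondary-side config from the message plus the key
# statements it omits, with consumer-2 deliberately missing from acl consumers.
SAMPLE_CONF = """
key tsig-xfer { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
key consumer-1 { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
key consumer-2 { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
acl internal { key tsig-xfer; 192.0.2.0/24; }; masters upstream { 192.0.2.4 key tsig-xfer; };
masters notify-consumers { 198.51.100.10 key consumer-1; 198.51.100.11 key consumer-2; };
acl consumers { key consumer-1; };
zone "myrpz" IN { type slave; file "myrpz"; masters { upstream; }; also-notify { notify-consumers; };
    allow-query { internal; consumers; }; allow-transfer { internal; consumers; }; };
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no problems")
```

Run against the sample it reports that consumer-2 is notified but cannot transfer, plus two warnings for the 192.0.2.0/24 entry that admits clients by address alone; adding `key consumer-2;` to the consumers ACL and dropping the address entry leaves the config clean. The checker deliberately walks the same references named does, so a name that BIND would reject (an undefined key or ACL) shows up as an error rather than at reload time.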