in-view RPZ definitions

Evan Hunt each at isc.org
Sat Nov 11 16:31:45 UTC 2023


On Fri, Nov 10, 2023 at 05:24:59PM -0500, Lannar Dean via bind-users wrote:
> This is a continuation of a very old thread from this mailing list found
> here:
> https://groups.google.com/g/comp.protocols.dns.bind/c/nAHtXSDcDl4?pli=1
> 
> It appears that what I'm attempting to do did not work at the time of this
> thread 8 years ago, but I'm wondering if anything has changed by now.

Many things have, but not this particular thing yet.

To explain the problem, each view has an "RPZ summary database" which is
an index of all the rules in the response-policy zones configured for that
view. It makes it possible to determine quickly which policy zone or zones
have matching rules for a query; that way we don't have to waste time
trying the query against *all* of the policy zones.

The summary database is populated by the policy zone when it's loaded.
In your example, zone cf1 was in view1, so it sent its summary information
to view1.  It doesn't know that it's also in view2.

I've been thinking for a while about the best way to address this, and
there might be some news coming in the not-too-distant future, but I don't
have a good solution for you right now, sorry.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
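To make the behaviour described above concrete, here is an added named.conf sketch (my own illustration, not from the original thread or from ISC) of the two shapes a configuration can take: the in-view form, which only populates view1's summary database, and the per-view form, in which each view loads its own instance of the zone and therefore fills its own summary database. The view and zone names follow the thread; the zone file name and the match-clients ranges are assumed.

```conf
# Assumed: file name and client ranges. View/zone names follow the thread.
# The two forms below are alternatives; use one or the other, not both.

# Form A: cf1 is loaded once in view1 and shared into view2 with in-view.
# The RPZ summary database is per view and is filled by a zone when that
# zone loads. cf1 loads in view1, so only view1's summary index learns its
# rules; view2's response-policy lists cf1, but view2's summary index has
# no entries for it, so cf1's rules do not take effect for view2 clients.
view "view1" {
    match-clients { 10.0.0.0/8; };       # assumed
    response-policy { zone "cf1"; };
    zone "cf1" {
        type primary;
        file "cf1.rpz.db";               # assumed
    };
};

view "view2" {
    match-clients { any; };              # assumed
    response-policy { zone "cf1"; };
    zone "cf1" { in-view "view1"; };     # shared copy: feeds view1's summary only
};

# Form B: each view carries its own zone statement for cf1. Both statements
# point at the same file, but each view loads a separate zone instance, and
# each instance reports its rules to the summary database of the view that
# loaded it, so both views apply the policy.
view "view1" {
    match-clients { 10.0.0.0/8; };       # assumed
    response-policy { zone "cf1"; };
    zone "cf1" {
        type primary;
        file "cf1.rpz.db";               # assumed
    };
};

view "view2" {
    match-clients { any; };              # assumed
    response-policy { zone "cf1"; };
    zone "cf1" {
        type primary;                    # separate instance, not in-view
        file "cf1.rpz.db";               # same file, loaded again for view2
    };
};
```

After a change like this, `rndc reload` and a test query from a client in each view's match-clients range will show whether the policy is applied on both sides.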

