RPZ and negative answers

Chris Buxton clists at buxtonfamily.us
Wed Apr 3 23:50:18 UTC 2013


On Apr 3, 2013, at 4:13 PM, Vernon Schryver wrote:
>> From: Chris Buxton <clists at buxtonfamily.us>
> 
>> If a name exists in the response policy, and also exists in the real
>> Internet namespace, the value from the policy is returned. But if it
>> doesn't exist out on the Internet, then the value is not returned --
>> an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
>> 
>> I've known this for a while but haven't understood why it is thus.
>> Today, it has become a problem for me. If I set a policy of "this
>> name gets response X", I expect that policy to be used rather than
>> "this name gets response X unless it doesn't exist out on the
>> Internet or can't be resolved due to an error."
> 
> RPZ stands for "response policy zone" and concerns rewriting responses
> instead of queries.  The answer section of an NXDOMAIN or SERVFAIL
> response does not contain a domain name that could trigger rewriting.
> 
> Rewriting queries instead of responses would fail to rewrite CNAME
> chains.

Thanks for the explanation. It seems to me this is a gap in coverage of RPZ -- the algorithm should be updated, in my opinion, to cover the case of a negative answer.

Chris Buxton
BlueCat Networks
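A toy model of the two points made above (response triggers catch CNAME chains but have nothing to match in an empty negative answer, while a query trigger misses chain targets), plus the negative-answer fallback Chris asks for. This is an added example for this archive page, not BIND's code or anything posted in the thread; the policy contents and all domain names are constructed.

```python
# Toy model of RPZ response rewriting for this thread (not BIND's code): policy
# names match names appearing in the response, so an empty negative answer never triggers.
from dataclasses import dataclass, field

@dataclass
class Response:
    qname: str
    rcode: str                 # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answer: list = field(default_factory=list)   # (owner, type, rdata) RRs

# Constructed policy zone; every name here is hypothetical.
POLICY = {
    "bad.example.": ("CNAME", "walled-garden.example."),
    "cdn-bad.example.": ("CNAME", "walled-garden.example."),
}

def names_in_response(resp):
    """Owner names plus CNAME targets found in the answer section."""
    names = set()
    for owner, rtype, rdata in resp.answer:
        names.add(owner)
        if rtype == "CNAME":
            names.add(rdata)
    return names

def rewrite_response(resp, policy=POLICY):
    """Response trigger as described in the thread: fires only on a name
    present in the answer, so NXDOMAIN and SERVFAIL pass through unchanged."""
    for name in names_in_response(resp):
        if name in policy:
            rtype, rdata = policy[name]
            return Response(resp.qname, "NOERROR", [(resp.qname, rtype, rdata)])
    return resp

def rewrite_query(qname, policy=POLICY):
    """Query trigger: sees only the QNAME, so it misses CNAME-chain targets."""
    return policy.get(qname)

def rewrite_with_negative_fallback(resp, policy=POLICY):
    """Chris's request, modelled: on a negative rcode also check the QNAME."""
    if resp.rcode != "NOERROR" and resp.qname in policy:
        rtype, rdata = policy[resp.qname]
        return Response(resp.qname, "NOERROR", [(resp.qname, rtype, rdata)])
    return rewrite_response(resp, policy)

# Constructed samples: a CNAME chain into a policy name; an NXDOMAIN for a listed name.
CHAIN = Response("www.example.", "NOERROR", [
    ("www.example.", "CNAME", "cdn-bad.example."),
    ("cdn-bad.example.", "A", "192.0.2.10")])
NEGATIVE = Response("bad.example.", "NXDOMAIN")
```

Running `rewrite_response(NEGATIVE)` returns the NXDOMAIN untouched even though `bad.example.` is in the policy, while `rewrite_query("www.example.")` returns nothing for the chain that `rewrite_response(CHAIN)` catches.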


More information about the bind-users mailing list