RPZ Still Doing Recursive Lookups

Evan Hunt each at isc.org
Tue Feb 24 23:55:31 UTC 2015


On Tue, Feb 24, 2015 at 03:30:01PM -0800, Crist Clark wrote:
> I am seeing that even with a zone included in an RPZ, the BIND server is
> still going out to the Internet to resolve the name. I was hoping the RPZ
> entry would stop processing short of that.

That's so named doesn't leak policy information by changing its upstream
behavior.  To an authoritative server, named seems to do the same thing
whether it's running RPZ or not.

In BIND 9.10, the "qname-wait-recurse" option was added to override this
behavior.

> BIND 9.9.2.

BIND 9.9.2 is extremely outdated.  9.9.7 will be published this week.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
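
Added example (not part of the original message, and not ISC's own configuration): a named.conf fragment for BIND 9.10 or later showing where "qname-wait-recurse" goes in the response-policy statement. The zone name rpz.example.local and its file name are assumptions.

```conf
// named.conf fragment, BIND 9.10 or later.
// The zone name and file name below are placeholders (assumptions).

options {
    recursion yes;

    // Default behaviour (qname-wait-recurse yes): named completes the
    // normal recursive lookup first and only then rewrites the answer,
    // so authoritative servers see the same queries with or without RPZ.
    //
    // response-policy { zone "rpz.example.local"; };

    // Override: apply QNAME policy without waiting for recursion.
    // Names matched by a QNAME trigger are answered from policy and
    // no upstream query is sent for them.
    response-policy {
        zone "rpz.example.local";
    } qname-wait-recurse no;
};

// The policy zone itself is an ordinary zone; keep it from being
// queried directly by clients.
zone "rpz.example.local" {
    type master;
    file "rpz.example.local.db";
    allow-query { none; };
};
```

With this setting, authoritative servers no longer see queries for names rewritten by QNAME triggers, which is the policy leak the default avoids. Triggers that depend on response data (IP, NSDNAME, NSIP) still require the lookup to happen.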

