RPZ - override TXT records

Mukund Sivaraman muks at isc.org
Mon Oct 12 08:59:21 UTC 2015


Hi Wolfgang

On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
> Hi Folks,
> 
> I am currently struggling with using RPZ for inserting or overriding TXT
> resource records.
> 
> This is my goal:
> 
>    ; do not rewrite www.cisco.com (so, PASSTHRU) and add or override
>    missing metadata
>    www.cisco.com CNAME rpz-passthru.
>    www.cisco.com TXT     "CISCO-CLS=app-name:HTTP|app-class:TD"
> 
> What works is that I can do one or the other but not both at the same time
> if I need to use a CNAME.
> 
> This works:
> 
>    wolfgang.dns-as.org A       193.34.28.108
>    wolfgang.dns-as.org TXT     "CISCO-CLS=app-name:RPZ|app-class:TD"
> 
> but in reality this will not work for CDN or load-balanced sites which don't
> have a fixed IP address.
> 
> Any hints on what I am doing wrong?

You aren't doing anything wrong. Yours is a corner case.

I hope I understood what you're trying to do correctly: From the zone
comment, perhaps you want the TXT query type to return the TXT RDATA
you've supplied and everything else passthru to regular processing. It
can't be done as triggers don't use the question's TYPE field.

An alternative is to include all the RRs for that QNAME in the answer
(your second example). Yours is a weird case, because you can't use the
following in the policy zone; named wouldn't allow loading it (it
won't allow a CNAME to coexist with other records):

www.cisco.com                  CNAME www.cisco.com.akadns.net.
www.cisco.com                  TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"

So using the A record (your second example) or adding triggers for the
target of the CNAME record chain are your best bet. As the latter
varies, perhaps the former for your region would be best.

		Mukund
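A small linter for hand-written RPZ policy zones, added here as an example (it is not code from this thread or from BIND). It encodes the two points above: a CNAME at an owner name (the rpz-passthru., "." and "*." forms included) cannot share that name with any other record, so named will refuse to load the zone; and the action an owner triggers is decided by the query name alone, never by the query type. The sample zones at the bottom are constructed from the records in the thread and are not real deployments; the parser is deliberately minimal (one record per line, no parentheses, no $ORIGIN expansion, no ";" inside quoted strings).

```python
"""Lint a BIND RPZ policy zone before named loads it (added example)."""
from collections import defaultdict

# Special CNAME targets defined by RPZ; any other target is a CNAME rewrite.
SPECIAL_CNAME_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples from simple one-line zone text."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):  # blank line or $TTL/$ORIGIN
            continue
        tokens = line.split()
        owner, rest = tokens[0].lower(), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # optional TTL and class before the type
        if not rest:
            raise ValueError(f"no RR type on line: {raw!r}")
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def policy_action(rrs):
    """Describe the RPZ action expressed by the records at one owner.

    A CNAME selects one of the special actions (or a rewrite); anything
    else is local data, answered from the policy zone for whatever type
    the client asks for.
    """
    cnames = [rdata for _, t, rdata in rrs if t == "CNAME"]
    if cnames:
        return SPECIAL_CNAME_TARGETS.get(cnames[0], f"CNAME-REWRITE {cnames[0]}")
    return "LOCAL-DATA " + ",".join(sorted({t for _, t, _ in rrs}))


def check_policy_zone(text):
    """Return (errors, actions).

    errors:  list of (owner, message) that would stop named loading the zone
    actions: dict owner -> action string, for owners that are valid
    """
    by_owner = defaultdict(list)
    for owner, rrtype, rdata in parse_zone(text):
        if owner == "@":  # apex SOA/NS are zone plumbing, not triggers
            continue
        by_owner[owner].append((owner, rrtype, rdata))

    errors, actions = [], {}
    for owner, rrs in by_owner.items():
        if any(t == "CNAME" for _, t, _ in rrs) and len(rrs) > 1:
            errors.append((owner, "CNAME cannot coexist with other data; "
                                  "named will refuse to load the zone"))
            continue
        actions[owner] = policy_action(rrs)
    return errors, actions


# Constructed sample zones modelled on the thread, not real deployments.
APEX = "@ SOA localhost. root.localhost. 1 3600 900 604800 300\n@ NS localhost.\n"

ZONE_GOAL = APEX + """
www.cisco.com CNAME rpz-passthru.
www.cisco.com TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"
"""

ZONE_WORKS = APEX + """
wolfgang.dns-as.org A   193.34.28.108
wolfgang.dns-as.org TXT "CISCO-CLS=app-name:RPZ|app-class:TD"
"""

ZONE_CDN = APEX + """
www.cisco.com CNAME www.cisco.com.akadns.net.
www.cisco.com TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"
"""

ZONE_MIXED = APEX + """
good.example  CNAME rpz-passthru.
bad.example   CNAME .
local.example A     192.0.2.10
local.example TXT   "tagged"
"""

if __name__ == "__main__":
    for name, zone in [("goal", ZONE_GOAL), ("works", ZONE_WORKS),
                       ("cdn", ZONE_CDN), ("mixed", ZONE_MIXED)]:
        errors, actions = check_policy_zone(zone)
        print(f"{name}: errors={errors} actions={actions}")
```

Running it reports the first and third zones as unloadable and the second as valid local data for A and TXT; note that local data replaces the whole name, so with the second zone an AAAA query for that owner is answered from the policy zone too, which is the CDN problem the poster describes.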