rpz fail

Tony Finch dot at dotat.at
Tue Aug 27 12:53:47 UTC 2019


Lee <ler762 at gmail.com> wrote:
>
> Can someone please explain why using this as my rpz zone does NOT
> block everything for *.2o7.net?
>
> 2o7.net CNAME .
> *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME .

I suspect this is RPZ obeying the weird semantics of DNS wildcard
matching. The * only matches if the answer would otherwise be NXDOMAIN
(the name does not exist). The weirdness happens when there are subdomains
that exist, because any parent names are NODATA (the name exists but has
no records of the query type) which suppresses wildcard matching.

So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
112.2o7.net to exist, so any names under those domains do not match the
wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
it doesn't match.

For the long explanation see
https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain Name System
https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing Underneath

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: South veering west 3 to 5, increasing 6 for a time. Slight,
occasionally moderate. Rain. Good, occasionally poor.
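The wildcard rule described in the reply above, worked as an added example (this is not code from the post, from BIND, or from any RPZ implementation; it is a small model of the RFC 4592 matching algorithm applied to the three rules Lee quoted). The zone data, the apex "2o7.net", and the query names are constructed for the example; "empty non-terminal" is the RFC 4592 term for a name that exists only because something exists below it. The with_covering_wildcards() helper is a consequence of the RFC rule, not a fix proposed in the thread: it adds a wildcard under every empty non-terminal so the blocking CNAME covers those subtrees too.

```python
"""Model of DNS wildcard matching (RFC 4592) over an RPZ-style zone.

Added example, not BIND's or the RPZ module's code. It shows why
'*.2o7.net CNAME .' stops matching names under 112.2o7.net once
'bcbsks.com.102.112.2o7.net CNAME .' is added to the same zone.
"""

# Constructed zone (the three rules from the post): owner name -> RDATA.
# Names are lower-case, relative to the root, without the trailing dot.
APEX = "2o7.net"
RECORDS = {
    "2o7.net": ["CNAME ."],
    "*.2o7.net": ["CNAME ."],
    "bcbsks.com.102.112.2o7.net": ["CNAME ."],
}


def ancestors(name, apex):
    """Yield name itself and each ancestor down to and including the apex."""
    labels = name.split(".")
    apex_len = len(apex.split("."))
    for i in range(0, len(labels) - apex_len + 1):
        yield ".".join(labels[i:])


def existing_names(records, apex):
    """Every name that exists in the zone: the apex, each owner name, and
    each empty non-terminal (an ancestor of an owner name)."""
    names = {apex}
    for owner in records:
        names.update(ancestors(owner, apex))
    return names


def empty_non_terminals(records, apex):
    """Names that exist only because an owner name sits below them."""
    return sorted(n for n in existing_names(records, apex) if n not in records)


def lookup(qname, records, apex=APEX):
    """Resolve qname against the zone as an authoritative server would.

    Returns (result, rdata) where result is EXACT, NODATA, WILDCARD or
    NXDOMAIN. Only a name that does NOT exist can be answered from a
    wildcard, and then only from the wildcard directly under the closest
    encloser (the longest existing ancestor of qname)."""
    qname = qname.lower().rstrip(".")
    if not (qname == apex or qname.endswith("." + apex)):
        raise ValueError("%s is not within zone %s" % (qname, apex))
    existing = existing_names(records, apex)
    if qname in records:
        return "EXACT", records[qname]
    if qname in existing:
        # Empty non-terminal: exists, has no data, suppresses wildcards.
        return "NODATA", []
    closest_encloser = next(a for a in ancestors(qname, apex) if a in existing)
    wildcard = "*." + closest_encloser
    if wildcard in records:
        return "WILDCARD", records[wildcard]
    return "NXDOMAIN", []


def with_covering_wildcards(records, apex=APEX, rdata=("CNAME .",)):
    """Return a copy of the zone with a wildcard under every empty
    non-terminal, so names beneath those subtrees match again.
    Derived from the RFC 4592 rule; not something the post proposes."""
    fixed = dict(records)
    for ent in empty_non_terminals(records, apex):
        fixed.setdefault("*." + ent, list(rdata))
    return fixed


if __name__ == "__main__":
    for q in ("appleglobal.2o7.net", "appleglobal.112.2o7.net", "112.2o7.net"):
        print(q, "->", lookup(q, RECORDS))
    print("empty non-terminals:", empty_non_terminals(RECORDS, APEX))
    fixed = with_covering_wildcards(RECORDS)
    print("after covering wildcards:", lookup("appleglobal.112.2o7.net", fixed))
```

Running it shows the three cases from the post: appleglobal.2o7.net is synthesized from *.2o7.net, 112.2o7.net exists as an empty non-terminal and answers NODATA, and appleglobal.112.2o7.net is NXDOMAIN because its closest encloser is 112.2o7.net and there is no *.112.2o7.net. The helper lists the empty non-terminals a rule like the third one creates, which is the set of places where an extra wildcard would be needed.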

