Internal CNAME in RPZ

Andrey Geyn andgein at yandex-team.ru
Thu Oct 24 15:03:54 UTC 2019


Thank you, Bob.

Unfortunately, the records are generated by my users, not by me, so I can't change them as I want.

Thanks again for your time and detailed explanation.

Andrey.

24.10.2019, 19:53, "Bob Harold" <rharolde at umich.edu>:
> On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn <andgein at yandex-team.ru> wrote:
>> Hi, Bob, thank you for the response!
>>
>> What if I want to make following configuration (as an example):
>>
>> domain.com    A    10.10.10.10
>> *.domain.com  CNAME    domain.com
>>
>> I don't want to write 10.10.10.10 twice, I want to use the magic of CNAMEs here.
>
> Sorry, that is not how RPZ was designed to work.
> You can make the second one:
>       *.domain.com  CNAME    my10.realdomain.com.
> Where there is a real domain (not the RPZ domain) with:
>        my10.realdomain.com. A  10.10.10.10
>
> Or make them both "A" records.  Or both CNAME.  But one RPZ entry cannot point to another.
> Use scripts to automate the process, if you don't want to enter 10.10.10.10 twice.
>
> p.s.  The decision not to re-lookup the results of RPZ lookups is probably for speed and to avoid loops.  Trying to patch around that is not a good idea.
>
> --
> Bob Harold
>
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record to 10.10.10.10.
>> This sentence sounds like «CNAMEs are useless at all» :-). Do you want some domain to point to some address? Then use an A record, not a CNAME!
>>
>> Additionally, I already use a patched version of BIND. Maybe it is possible to make a patch allowing this behavior?
>>
>> Andrey
>>
>> 24.10.2019, 18:06, "Bob Harold" <rharolde at umich.edu>:
>>> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andgein at yandex-team.ru> wrote:
>>>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>>>
>>>> 1.
>>>> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>
>>> There is a misunderstanding here.  You would never redirect a domain in RPZ to another domain in RPZ.
>>> Domains in RPZ must always be redirected to a real domain.  You cannot point it to the wrong place, and then expect it to be redirected again.  It does not work that way.
>>> Those two RPZ entries are completely separate.
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record to 10.10.10.10.
>>> Do you want cname.domain.com to point to some real domain name (probably a name you control, like a walled garden, or error page)?  Then CNAME to that real name.
>>>
>>> --
>>> Bob Harold
>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> ...
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
>>>> test.domain.com.rpz.    3600    IN      A       10.10.10.10
>>>> ...
>>>>
>>>> So, it looks good, but the RPZ name is visible, which is unwanted for me.
>>>>
>>>> 2.
>>>> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.
>>>> test.domain.com.        531     IN      A       66.96.162.92
>>>>
>>>> (66.98.162.92 is the real, «internet» address of test.domain.com)
>>>>
>>>> Is it possible to make a configuration for internal CNAMEs in RPZ in which the RPZ name will not be visible to the user?
>>>>
>>>> Best regards,
>>>> Andrey Geyn
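Bob's closing suggestion is to generate the RPZ data with a script rather than hand-write the address twice. The script below is an added example, not code from this thread or from ISC: it takes a list of desired overrides, and wherever a CNAME points at another override (as in "*.domain.com CNAME domain.com"), it emits that override's A record instead, because RPZ will not re-look-up its own answer. CNAMEs to names outside the RPZ data are written with a trailing dot so $ORIGIN is not appended, which is the cause of the "test.domain.com.rpz." answer quoted above. All names, addresses and the zone origin "rpz" are made up for the example.

```python
"""
Build a BIND RPZ zone from a short list of desired overrides, resolving any
override that refers to another override at generation time.

Added example, not code from the bind-users thread or from ISC. It follows
the advice given in the thread: RPZ does not re-look-up its own answers, so
a CNAME in an RPZ zone must target a real (non-RPZ) name, and a wish like
"*.domain.com CNAME domain.com" has to become an A record before it is
written. The names, addresses and the zone origin "rpz" are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    owner: str   # name to override, relative to the RPZ origin, e.g. "domain.com"
    rtype: str   # "A" or "CNAME"
    rdata: str   # IPv4 address, or a target name written without a trailing dot


def flatten(rules):
    """Return (owner, rtype, rdata) triples that RPZ can serve directly.

    A CNAME whose target is another rule's owner is replaced by that rule's
    A record (following chains of CNAMEs within the rules). A CNAME whose
    target is not an RPZ rule is emitted with a trailing dot so BIND treats
    it as absolute; without the dot the zone's $ORIGIN would be appended
    and the answer would leak the RPZ name. Loops among RPZ rules are
    rejected, since RPZ would never follow them anyway.
    """
    by_owner = {r.owner: r for r in rules}
    out = []
    for r in rules:
        if r.rtype == "A":
            out.append((r.owner, "A", r.rdata))
            continue
        if r.rtype != "CNAME":
            raise ValueError(f"unsupported type {r.rtype} for {r.owner}")
        seen = {r.owner}
        target = r.rdata.rstrip(".")
        while target in by_owner:
            hop = by_owner[target]
            if hop.rtype == "A":
                # Internal reference: copy the address, do not emit a CNAME.
                out.append((r.owner, "A", hop.rdata))
                break
            if hop.owner in seen:
                raise ValueError(f"CNAME loop inside RPZ data at {r.owner}")
            seen.add(hop.owner)
            target = hop.rdata.rstrip(".")
        else:
            # External target: make it absolute so $ORIGIN is not appended.
            out.append((r.owner, "CNAME", target + "."))
    return out


def render_zone(origin, rules, ttl=300):
    """Render a minimal RPZ master file; owners stay relative to $ORIGIN."""
    lines = [
        f"$ORIGIN {origin.rstrip('.')}.",
        f"$TTL {ttl}",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for owner, rtype, rdata in flatten(rules):
        lines.append(f"{owner} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


# Constructed sample mirroring the thread's wish list (not real hosts).
SAMPLE_RULES = [
    Rule("domain.com", "A", "10.10.10.10"),
    Rule("*.domain.com", "CNAME", "domain.com"),               # refers to an RPZ rule
    Rule("cname.domain.com", "CNAME", "my10.realdomain.com"),  # refers to a real name
]

if __name__ == "__main__":
    print(render_zone("rpz", SAMPLE_RULES), end="")
```

The generated file is loaded as an ordinary master zone named "rpz" and referenced from named.conf with `response-policy { zone "rpz"; };`; the SOA and NS values are placeholders, since nothing outside the resolver ever queries them.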