RPZ rule to apply to NS record requests?

Tony Finch dot at dotat.at
Tue Nov 16 11:41:41 UTC 2021


John Thurston <john.thurston at alaska.gov> wrote:

> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
> to be sent for a specific record-type for a specific name:
>
>    foo.bar.com  IN  A  10.11.12.13
>    foo.bar.com  IN TXT "Hello World"
>
> But I can't seem to define one for the record-type NS
>
> Is this possible?

The RPZ documentation doesn't say you can't include NS records as "local
data", but I guess you might trip over BIND's checks for what makes sense
at a zone cut: in a normal zone you can't have A and TXT and NS at the
same name (unless it's the zone apex).

But even if it did work, it's unlikely to do what you want. (You didn't
say why you want NS records so that's a somewhat risky assumption...)
In typical setups, RPZ is deployed on recursive servers, whose clients are
basically all stub resolvers. Stubs don't do anything special with NS
records, and they almost never make NS queries. So normally, using RPZ to
substitute NS records will not have any useful effect.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and
North Channel: Southwesterly veering westerly, 5 or 6. Slight or
moderate, occasionally rough near Mull of Kintyre. Rain then showers.
Good, occasionally moderate at first.
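Added example (not part of the original message, and not taken from the BIND documentation): the policy zone file the question describes, with the trigger names written out the way an RPZ zone needs them, i.e. relative to the policy zone apex. The zone name rpz.example, the ns1.bar.com. target in the NS record, and the SOA values are assumptions for the illustration. The zone is attached to the recursive server with `response-policy { zone "rpz.example"; };` in named.conf, and `named-checkzone rpz.example rpz.example.zone` is the quickest way to see whether BIND's zone-loading checks accept an NS record next to A and TXT at the same non-apex owner name, which is the check Tony suspects would trip.

```zone
; rpz.example.zone  (assumed zone name; hypothetical example, not from the original post)
$TTL 300
$ORIGIN rpz.example.
@             IN SOA  localhost. hostmaster.rpz.example. (
                        2021111601 ; serial
                        3600       ; refresh
                        600        ; retry
                        604800     ; expire
                        300 )      ; negative-cache TTL
@             IN NS   localhost.

; Trigger for queries naming foo.bar.com.  In an RPZ zone the owner name is the
; queried name written under the policy zone apex, so this is foo.bar.com.rpz.example.
; These are the "local data" answers from the question: an A query for foo.bar.com
; gets 10.11.12.13 and a TXT query gets "Hello World".
foo.bar.com   IN A    10.11.12.13
foo.bar.com   IN TXT  "Hello World"

; The NS record the question asks about.  ns1.bar.com. is an assumed target.
; Outside the apex, BIND treats NS as a zone cut and normally refuses other types
; at the same name, so check with: named-checkzone rpz.example rpz.example.zone
foo.bar.com   IN NS   ns1.bar.com.
```

If named-checkzone rejects the file, drop the NS line and the zone loads as an ordinary local-data policy; as the reply notes, stub-resolver clients of the recursive server would not act on a substituted NS answer anyway.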