Resolving and caching illegal names
John Thurston
john.thurston at alaska.gov
Wed Jan 25 19:00:36 UTC 2023
I hadn't had enough coffee when I wrote that. I was doing in-addr.arpa
translation in my head and confusing what was the TLD of the query being
submitted. If a customer is stupid enough to ask for an A-record for
10.1.2.3, then the TLD of that name is "3", not "10" . . duh.
So to make the RPZ work, I needed to stuff the zone file with 256 new
entries. I did this by dusting off my knowledge of the GENERATE
directive (which involved RTFM):
$GENERATE 0-255 *.$ CNAME .
I also needed to populate the "validate-except" option with 256 new
entries. I could find no elegant way to generate, abstract, or 'include'
this, so just needed to put the long string of characters inline:
0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; . . .
and it now behaves as desired, returning an unvalidated NXDOMAIN for
queries for IP addresses.
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
On 1/25/2023 8:36 AM, John Thurston wrote:
>
> Off-list, it was suggested to me that I _could_ handle this in my RPZ,
> by enumerating all 255 illegal TLDs (e.g. *.10 CNAME . )
>
> I tried this, and it works as expected when dnssec validation is
> disabled (either globally, or with "validate-except"). My idea right
> now is I can enumerate TLD of the numerics I see in my logs, and
> ignore the rest. I think this will get me what I want, at a level of
> complexity I can accept.
>
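The approach sketched in the quoted message (enumerate only the numeric TLDs actually seen in the query log, then emit the matching RPZ rules and validate-except entries) as an added example; this is not the poster's script. The log lines are constructed in the format of BIND's "queries" log category, and the record and option syntax follows what the thread shows (`*.N CNAME .` and an unquoted `validate-except` list).

```python
import re
from collections import Counter

# Constructed sample of BIND query-log lines (not real traffic); the
# layout mirrors the "queries" logging category.
SAMPLE_LOG = """\
25-Jan-2023 08:36:01.101 client @0x7f1a3c0 192.0.2.10#53522 (10.1.2.3): query: 10.1.2.3 IN A +E(0)K (192.0.2.1)
25-Jan-2023 08:36:01.205 client @0x7f1a3c0 192.0.2.11#40211 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
25-Jan-2023 08:36:02.310 client @0x7f1a3c0 192.0.2.12#51777 (172.16.5.3): query: 172.16.5.3 IN AAAA +E(0)K (192.0.2.1)
25-Jan-2023 08:36:02.412 client @0x7f1a3c0 192.0.2.13#33901 (host.10): query: host.10 IN A +E(0)K (192.0.2.1)
25-Jan-2023 08:36:03.001 client @0x7f1a3c0 192.0.2.14#44120 (3.in-addr.arpa): query: 3.in-addr.arpa IN PTR +E(0)K (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def tld_of(qname: str) -> str:
    """Rightmost label of a query name: for 10.1.2.3 that is '3', not '10'."""
    return qname.rstrip(".").rsplit(".", 1)[-1]

def numeric_tlds(log_text: str) -> Counter:
    """Count queries per all-numeric TLD (names no real TLD can ever match)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        tld = tld_of(m.group("qname"))
        if tld.isdigit():
            counts[tld] += 1
    return counts

def rpz_records(tlds) -> str:
    """One RPZ NXDOMAIN rule (CNAME .) per numeric TLD, in numeric order."""
    return "\n".join(f"*.{t} CNAME ." for t in sorted(tlds, key=int))

def validate_except(tlds) -> str:
    """Matching validate-except clause, so the RPZ rewrite is not discarded
    by the DNSSEC validator for these names."""
    body = " ".join(f"{t};" for t in sorted(tlds, key=int))
    return f"validate-except {{ {body} }};"

if __name__ == "__main__":
    seen = numeric_tlds(SAMPLE_LOG)
    print(rpz_records(seen))
    print(validate_except(seen))
```

Re-run it against a fresh log extract whenever new numeric TLDs appear, since only TLDs that have been observed get a rule.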