Servfail queries for named remote authoritative nameservers?
Paul Vixie
paul at redbarn.org
Sat Jun 8 21:55:47 UTC 2019
Fredrik Pettai via Unbound-users wrote on 2019-06-08 14:48:
>
> On 19/06/08 09:47, Viktor Dukhovni via Unbound-users wrote:
...
>> I don't think so. I am trying to avoid two nameservers that serve
>> thousands of unwanted domains. I don't have a list of said domains,
>> but I do know the names of the two nameservers to avoid. I don't
>> know how RPZ would help, unless RPZ can do what local-data seems
>> unable to do, and inject IPs that trump the glue (or authoritative)
>> A records for the nameservers of the unwanted domains.
if you're trying to poison the addresses of nameservers used by
downstream recursives (so, you're a forwarder) this is not RPZ's strength.
if you're trying to avoid using name servers in your own recursive,
because you hate everything they host or ever will host, then RPZ can do
exactly what you want, using a .rpz-nsip or .rpz-nsdname trigger.
> Perhaps not exactly your imagined methodology, but very similar:
>
> https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.4
>
> https://tools.ietf.org/html/draft-vixie-dnsop-dns-rpz-00#section-4.5
yes.
--
P Vixie
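
Added example, not part of the original message or of any project's code: a generator for the two trigger types named in the reply, following the owner-name encoding in the linked draft (reversed address with prefix length first, "zz" in place of "::"). The zone origin, nameserver names, addresses and the NXDOMAIN action (CNAME .) are constructed assumptions; check that your resolver implements these triggers before relying on them.

```python
import ipaddress

def nsdname_owner(ns_name, include_subdomains=False):
    """Owner name that triggers on the NAME of an authoritative nameserver."""
    name = ns_name.rstrip(".").lower()
    if include_subdomains:
        name = "*." + name              # wildcard also matches names below it
    return name + ".rpz-nsdname"

def nsip_owner(cidr):
    """Owner name that triggers on the ADDRESS (or prefix) of a nameserver."""
    # strict=True rejects prefixes with host bits set, e.g. 192.0.2.53/24
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        text = net.network_address.compressed
        if "::" in text:
            left, right = text.split("::")
            words = ([w for w in left.split(":") if w] + ["zz"]
                     + [w for w in right.split(":") if w])
        else:
            words = text.split(":")
    # prefix length first, then the address words in reverse order
    return ".".join([str(net.prefixlen)] + words[::-1]) + ".rpz-nsip"

def build_zone(origin, ns_names, ns_cidrs):
    """Return RPZ zone text; owner names are relative to the zone origin."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for name in ns_names:
        lines.append(f"{nsdname_owner(name)} CNAME .")   # NXDOMAIN action
    for cidr in ns_cidrs:
        lines.append(f"{nsip_owner(cidr)} CNAME .")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample input (documentation names and address ranges).
    print(build_zone("rpz.example.",
                     ["ns1.unwanted.example.", "ns2.unwanted.example."],
                     ["192.0.2.53", "2001:db8::53"]))
```
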