Servfail queries for named remote authoritative nameservers?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jun 12 08:19:02 UTC 2019
On Sat, Jun 08, 2019 at 02:55:47PM -0700, Paul Vixie wrote:
> >> I don't think so. I am trying to avoid two nameservers that serve
> >> thousands of unwanted domains. I don't have a list of said domains,
> >> but I do know the names of the two nameservers to avoid. I don't
> >> know how RPZ would help, unless RPZ can do what local-data seems
> >> unable to do, and inject IPs that trump the glue (or authoritative)
> >> A records for the nameservers of the unwanted domains.
>
> if you're trying to poison the addresses of nameservers used by
> downstream recursives (so, you're a forwarder) this is not RPZ's strength.
No, that's not the goal.
> if you're trying to avoid using name servers in your own recursive,
> because you hate everything they host or ever will host, then RPZ can do
> exactly what you want, using a .rpz-nsip or .rpz-nsdname trigger.
By nameserver name is what I'm after, but AFAIK my unbound 1.9.1 has
no RPZ support, so I guess I'll just go with "do-not-query-address"
for now.
--
Viktor.
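An added helper, not from this thread or the Unbound project, that emits both forms discussed above from one list of nameservers to avoid: `do-not-query-address` lines for an Unbound build without RPZ, and `rpz-nsdname`/`rpz-nsip` triggers for a resolver that has RPZ. The nameserver names and addresses are constructed, and the `rpz-nsip` owner encoding (prefix length first, then the reversed address, `zz` standing for `::`) follows the RPZ draft, covering IPv6 as well, which the thread does not mention.

```python
import ipaddress

# Constructed sample: the two nameservers to avoid, with made-up glue
# addresses. Real values come from the glue / authoritative A and AAAA records.
AVOID = {
    "ns1.unwanted.example": ["192.0.2.53", "2001:db8::53"],
    "ns2.unwanted.example": ["198.51.100.53"],
}


def unbound_do_not_query(servers):
    """unbound.conf 'server:' lines that stop queries to the listed addresses.
    This matches by address only, so every glue address must be listed."""
    lines = ["server:"]
    for name, addrs in sorted(servers.items()):
        lines.append(f"    # {name}")
        lines.extend(f"    do-not-query-address: {a}" for a in addrs)
    return lines


def rpz_ip_label(addr, prefix=None):
    """Encode an address as an RPZ ip-trigger owner: <prefix>.<reversed octets>
    for IPv4, <prefix>.<reversed 16-bit groups, 'zz' for '::'> for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        prefix = 32 if prefix is None else prefix
        return f"{prefix}." + ".".join(reversed(addr.split(".")))
    prefix = 128 if prefix is None else prefix
    # Compressed form guarantees at most one '::'; replace it with a 'zz' group.
    groups = ip.compressed.replace("::", ":zz:").strip(":").split(":")
    return f"{prefix}." + ".".join(reversed(groups))


def rpz_ns_triggers(servers, zone="rpz.local"):
    """RPZ records (zone name is an assumption) that make any domain delegated
    to these servers answer NXDOMAIN ('CNAME .'), by server name and by address."""
    recs = []
    for name, addrs in sorted(servers.items()):
        recs.append(f"{name}.rpz-nsdname.{zone}. CNAME .")
        recs.extend(f"{rpz_ip_label(a)}.rpz-nsip.{zone}. CNAME ." for a in addrs)
    return recs


if __name__ == "__main__":
    print("\n".join(unbound_do_not_query(AVOID)))
    print()
    print("\n".join(rpz_ns_triggers(AVOID)))
```

Either form makes lookups for domains whose only nameservers are the blocked ones fail (SERVFAIL for the address block, NXDOMAIN for the RPZ triggers), so check the list against domains you still need to resolve.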