rpz question

Jan Komissar (jkomissa) jkomissa at cisco.com
Fri Aug 7 13:17:09 UTC 2020

Hi Andreas,

I think you need to add
	*.com.allow-rpz.example.	CNAME .
	*.de.allow-rpz.example.	CNAME rpz-passthru.
to the rpz.


On 8/6/20, 6:27 PM, "Unbound-users on behalf of A. Schulze via Unbound-users" <unbound-users-bounces at lists.nlnetlabs.nl on behalf of unbound-users at lists.nlnetlabs.nl> wrote:


    I thought I could build a resolver allow only a limited set of domains to resolve.
    That set of allowed domains should come from an rpz.

    		module-config: "respip validator iterator"

    		name: "allow-rpz.example."
    		zonefile: "/tmp/allow-rpz.example"

    	allow-rpz.example.	SOA localhost. rpz.localhost. 1 43200 7200 2419200 3600
    	allow-rpz.example.	NS localhost.
    	*.allow-rpz.example.	CNAME .
    	com.allow-rpz.example.	CNAME .
    	de.allow-rpz.example.	CNAME rpz-passthru.

    	QNAME=com will be answered with NXDOMAIN
    	QNAME=de will be answered with real data
    	QNAME=net/org/anything will be answered with NXDOMAIN

    	QNAME=com is answered with NXDOMAIN
    	QNAME=de is answered with real data
    	QNAME=net/org/anything is answered with real data

    reading https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-4.2
    let me believe, *.allow-rpz.example. would match any subdomain of "."
    looks like unbound/RPZ don't think so.

    Is this a bug, a feature or simply not possible (why?) with unbound's RPZ implementation?
    Are there other ways to build such a system?


More information about the Unbound-users mailing list