Jan Komissar (jkomissa)
jkomissa at cisco.com
Fri Aug 7 13:17:09 UTC 2020
I think you need to add
*.com.allow-rpz.example. CNAME .
*.de.allow-rpz.example. CNAME rpz-passthru.
to the rpz.
On 8/6/20, 6:27 PM, "Unbound-users on behalf of A. Schulze via Unbound-users" <unbound-users-bounces at lists.nlnetlabs.nl on behalf of unbound-users at lists.nlnetlabs.nl> wrote:
I thought I could build a resolver allowing only a limited set of domains to resolve.
That set of allowed domains should come from an rpz.
module-config: "respip validator iterator"
allow-rpz.example. SOA localhost. rpz.localhost. 1 43200 7200 2419200 3600
allow-rpz.example. NS localhost.
*.allow-rpz.example. CNAME .
com.allow-rpz.example. CNAME .
de.allow-rpz.example. CNAME rpz-passthru.
QNAME=com will be answered with NXDOMAIN
QNAME=de will be answered with real data
QNAME=net/org/anything will be answered with NXDOMAIN
QNAME=com is answered with NXDOMAIN
QNAME=de is answered with real data
QNAME=net/org/anything is answered with real data
let me believe, *.allow-rpz.example. would match any subdomain of "."
looks like unbound/RPZ don't think so.
Is this a bug, a feature or simply not possible (why?) with unbound's RPZ implementation?
Are there other ways to build such a system?
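To make the QNAME-trigger rules behind the reply concrete, here is a small matcher (an added example, not Unbound's own code): `X` matches only `X`, `*.X` matches any name with at least one label below `X`, the longest match wins, and `CNAME .` / `CNAME rpz-passthru.` map to NXDOMAIN / passthru. The constructed zone uses the poster's com/de records plus the two wildcard records from the reply; the apex `*.allow-rpz.example.` record is left out, since how Unbound treats it is exactly what the thread asks about.

```python
"""RPZ QNAME-trigger matcher (added example; not Unbound's implementation)."""
RPZ_ORIGIN = "allow-rpz.example."

RPZ_RECORDS = {  # constructed policy zone: owner name -> CNAME target
    "com.allow-rpz.example.": ".",               # "com" itself -> NXDOMAIN
    "*.com.allow-rpz.example.": ".",             # anything below com -> NXDOMAIN
    "de.allow-rpz.example.": "rpz-passthru.",    # "de" itself -> resolve normally
    "*.de.allow-rpz.example.": "rpz-passthru.",  # anything below de -> resolve normally
}

def labels(name):
    """Split a dotted name into lowercase labels; the root '.' becomes []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def trigger(owner):
    """Strip the policy-zone origin from an owner name: '*.com.allow-rpz.example.' -> ['*', 'com']."""
    o, z = labels(owner), labels(RPZ_ORIGIN)
    if len(o) <= len(z) or o[len(o) - len(z):] != z:
        raise ValueError(f"{owner} carries no QNAME trigger under {RPZ_ORIGIN}")
    return o[: len(o) - len(z)]

def matches(trig, qname):
    """Return the number of fixed labels matched, or None if the trigger does not apply.
    Exact trigger: the names must be equal. Wildcard '*.X': the query must have at
    least one label below X (so '*.com' matches 'example.com' but never 'com').
    Under this literal rule an apex '*.' trigger would match every non-root name;
    the thread reports Unbound did not apply it to 'net', 'org', ... that way."""
    q = labels(qname)
    if trig and trig[0] == "*":
        rest = trig[1:]
        if len(q) > len(rest) and q[len(q) - len(rest):] == rest:
            return len(rest)
        return None
    return len(trig) if q == trig else None

def action(target):
    """Map the special RPZ CNAME targets to policy actions; other targets are plain CNAMEs."""
    return {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}.get(target, f"CNAME {target}")

def lookup(qname, records=RPZ_RECORDS):
    """Apply the zone to one QNAME: longest (most specific) trigger wins, an exact
    trigger beats a wildcard of equal depth, and no match means ordinary resolution."""
    best = None
    for owner, target in records.items():
        trig = trigger(owner)
        depth = matches(trig, qname)
        if depth is not None:
            rank = (depth, trig[0] != "*")
            if best is None or rank > best[0]:
                best = (rank, action(target))
    return best[1] if best else "RESOLVE"
```

Running `lookup` over the zone shows why the bare `com.` record alone never touches `example.com`, and why the `*.de` passthru record is needed once anything broader (such as an apex wildcard) would otherwise catch subdomains of de.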