RPZ and Views Interaction
Otto Retter
otto at relax.theregoesmy.email
Wed Jan 29 04:27:00 UTC 2025
Hi Yorgos,
Actually, I did get similar behavior again and was hoping to get
further clarification. It's very likely just a misunderstanding on
my behalf of how tags and views work!
When I define tags exactly like so (note: no test-client tag this
time):
'''
define-tag: "all-subnet-clients"
access-control-tag: 10.0.0.0/24 "all-subnet-clients"
'''
and then have views defined like so:
'''
access-control-view: 10.0.0.1/32 test-client
view:
name: "test-client"
view-first: yes
local-zone: "test.internal" static
local-data: "test.internal A 10.0.0.1"
'''
I do get back "10.0.0.1" when querying "test.internal" from 10.0.0.1,
as expected. However, when RPZ is defined as:
'''
rpz:
name: "rpz.test.zone"
zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
rpz-action-override: nxdomain
rpz-log: yes
rpz-log-name: "rpz.test"
tags: "all-subnet-clients"
'''
and containing a line like "*.test.com CNAME ." in rpz.test.zone, I
was expecting a query for "hello.test.com" from 10.0.0.1 to get the
"all-subnet-clients" tag and return NXDOMAIN, but instead it seems
to bypass tagged RPZ and recurse. Is that intended behavior? Please
note that I do see _untagged_ (global) RPZ zones being successfully
applied to queries coming from 10.0.0.1.
If I explicitly define a "test-client" tag (in addition to the
"all-subnet-clients" tag), as in the configuration you kindly sent
yesterday:
'''
define-tag: "test-client"
access-control-tag: 10.0.0.1/32 "test-client"
'''
and then update the RPZ tags definition:
'''
rpz:
...
tags: "all-subnet-clients test-client"
...
'''
I get exactly what I wanted: an A query from 10.0.0.1 for
"test.internal" resolves to 10.0.0.1, and an A query from 10.0.0.1
for "hello.test.com" returns NXDOMAIN. I was then able to reproduce
the "bypass tagged RPZ behavior" by removing all the test-client tag
definitions (reproduced twice for good measure before writing to the
list this time :-) ).
Thanks,
Otto
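The behaviour described in this thread can be illustrated with a small model of how an access-control list that keys view and tag assignments per netblock, with the most specific netblock winning, treats the two configurations above. This is an added example written for this page, not Unbound's own code; it assumes (as a simplification) that each netblock entry carries its own view and tag list and that nothing is inherited from a less specific netblock, which is what the observed results are consistent with. The class and function names (AclTree, rpz_applies, first_config, second_config) are hypothetical.

```python
# Added example, not Unbound code: a simplified model of per-netblock
# access-control entries where the most specific match wins (assumption).
# With the first configuration a tagged /24 plus an untagged /32 view
# entry yields no tags for 10.0.0.1, so a tagged RPZ is not applied;
# tagging the /32 as well, as in the second configuration, fixes that.
import ipaddress


class AclTree:
    """Netblock -> (view, tags); the most specific matching netblock wins."""

    def __init__(self):
        # ipaddress network object -> {"view": str|None, "tags": set}
        self.entries = {}

    def _entry(self, netblock):
        net = ipaddress.ip_network(netblock, strict=False)
        return self.entries.setdefault(net, {"view": None, "tags": set()})

    def access_control_tag(self, netblock, *tags):
        """Model of 'access-control-tag: <netblock> "tag ..."'."""
        self._entry(netblock)["tags"].update(tags)

    def access_control_view(self, netblock, view):
        """Model of 'access-control-view: <netblock> <view>'."""
        self._entry(netblock)["view"] = view

    def lookup(self, client_ip):
        """Return the entry of the longest-prefix netblock containing client_ip."""
        ip = ipaddress.ip_address(client_ip)
        matches = [net for net in self.entries if ip in net]
        if not matches:
            return {"view": None, "tags": set()}
        best = max(matches, key=lambda net: net.prefixlen)
        return self.entries[best]


def rpz_applies(acl, client_ip, rpz_tags):
    """An untagged (global) RPZ applies to every client; a tagged RPZ applies
    only when the client's tag set shares a tag with the zone."""
    if not rpz_tags:
        return True
    client = acl.lookup(client_ip)
    return bool(client["tags"] & set(rpz_tags))


def first_config():
    # define-tag: "all-subnet-clients"
    # access-control-tag: 10.0.0.0/24 "all-subnet-clients"
    # access-control-view: 10.0.0.1/32 test-client
    acl = AclTree()
    acl.access_control_tag("10.0.0.0/24", "all-subnet-clients")
    acl.access_control_view("10.0.0.1/32", "test-client")
    return acl


def second_config():
    # Same as above plus:
    # define-tag: "test-client"
    # access-control-tag: 10.0.0.1/32 "test-client"
    acl = first_config()
    acl.access_control_tag("10.0.0.1/32", "test-client")
    return acl


if __name__ == "__main__":
    for label, acl, rpz_tags in (
        ("first", first_config(), ["all-subnet-clients"]),
        ("second", second_config(), ["all-subnet-clients", "test-client"]),
    ):
        entry = acl.lookup("10.0.0.1")
        print(label, "view:", entry["view"], "tags:", sorted(entry["tags"]),
              "tagged RPZ applies:", rpz_applies(acl, "10.0.0.1", rpz_tags),
              "global RPZ applies:", rpz_applies(acl, "10.0.0.1", []))
```

Under this model a client at 10.0.0.2 (matched only by the /24) does get the "all-subnet-clients" tag, while 10.0.0.1 is matched by the more specific /32 entry, which in the first configuration carries a view but no tags.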