RPZ and Views Interaction
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Wed Jan 29 09:32:58 UTC 2025
Hi Otto,
Each prefix entry creates an access control item that holds the relevant
tag and view information.
So,
10.0.0.0/24 is one entry with the tag "all-subnet-clients" and no view.
10.0.0.1/32 is another entry with no tags and the "test-client" view.
When a query comes in it will be assigned the most specific access
control item.
10.0.0.1 will get no tags and the "test-client" view.
10.0.0.2 will get the "all-subnet-clients" tag and no view.
There is no logic to try and spread, in your example, the less specific
tag/view information to the most specific items.
I guess that would also not allow for overrides for the most specific networks.
I haven't tried to reproduce anything this time so if I missed something
let me know.
Best regards,
-- Yorgos
On 29/01/2025 05:27, Otto Retter via Unbound-users wrote:
> Hi Yorgos,
>
> Actually, I did get similar behavior again and was hoping to get
> further clarification. It's very likely just a misunderstanding on
> my behalf of how tags and views work!
>
> When I define tags exactly like so (note: no test-client tag this
> time):
> '''
> define-tag: "all-subnet-clients"
> access-control-tag: 10.0.0.0/24 "all-subnet-clients"
> '''
>
> and then have views defined like so:
> '''
> access-control-view: 10.0.0.1/32 test-client
>
> view:
>     name: "test-client"
>     view-first: yes
>     local-zone: "test.internal" static
>     local-data: "test.internal A 10.0.0.1"
> '''
>
> I do get back "10.0.0.1" when querying "test.internal" from 10.0.0.1,
> as expected. However, when RPZ is defined as:
> '''
> rpz:
>     name: "rpz.test.zone"
>     zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
>     rpz-action-override: nxdomain
>     rpz-log: yes
>     rpz-log-name: "rpz.test"
>     tags: "all-subnet-clients"
> '''
>
> and containing a line like "*.test.com CNAME ." in rpz.test.zone, I
> was expecting a query for "hello.test.com" from 10.0.0.1 to get the
> "all-subnet-clients" tag and return NXDOMAIN, but instead it seems
> to bypass tagged RPZ and recurse. Is that intended behavior? Please
> note that I do see _untagged_ (global) RPZ zones being successfully
> applied to queries coming from 10.0.0.1.
>
> If I explicitly define a "test-client" tag (in addition to the
> "all-subnet-clients" tag), as in the configuration you kindly sent
> yesterday:
> '''
> define-tag: "test-client"
> access-control-tag: 10.0.0.1/32 "test-client"
> '''
>
> and then update the RPZ tags definition:
> '''
> rpz:
>     ...
>     tags: "all-subnet-clients test-client"
>     ...
> '''
>
> I get exactly what I wanted: an A query from 10.0.0.1 for
> "test.internal" resolves to 10.0.0.1, and an A query from 10.0.0.1
> for "hello.test.com" returns NXDOMAIN. I was then able to reproduce
> the "bypass tagged RPZ behavior" by removing all the test-client tag
> definitions (reproduced twice for good measure before writing to the
> list this time :-) ).
>
> Thanks,
> Otto
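The matching rule Yorgos describes, as an added example that is not part of the thread and not Unbound's own code: a small Python model in which each prefix is one access-control item carrying tags and a view, a client is matched to the single most specific item, and an rpz: clause with "tags:" applies only when its tags intersect the client's. The RPZ names, the global zone and the blocked names are constructed for the example; the rule that nothing is inherited from a wider prefix is taken from the explanation above.

```python
# Added example (not from the thread or from Unbound itself): a model of
# access-control-tag / access-control-view matching and tagged RPZ selection.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AclItem:
    """One access-control item; one is created per distinct prefix."""
    net: ipaddress.IPv4Network
    tags: Set[str] = field(default_factory=set)
    view: Optional[str] = None


class AccessControl:
    def __init__(self) -> None:
        self.items: Dict[ipaddress.IPv4Network, AclItem] = {}

    def _item(self, prefix: str) -> AclItem:
        net = ipaddress.ip_network(prefix)
        return self.items.setdefault(net, AclItem(net))

    def access_control_tag(self, prefix: str, tags: str) -> None:
        """access-control-tag: <prefix> "<tag> [<tag> ...]" """
        self._item(prefix).tags |= set(tags.split())

    def access_control_view(self, prefix: str, view: str) -> None:
        """access-control-view: <prefix> <view>"""
        self._item(prefix).view = view

    def lookup(self, src_ip: str) -> AclItem:
        """Longest-prefix match: only the most specific item applies; tags and
        view of a wider prefix are not merged in (assumption from the thread).
        A source with no matching item is modelled as untagged with no view."""
        ip = ipaddress.ip_address(src_ip)
        matches = [i for i in self.items.values() if ip in i.net]
        if not matches:
            return AclItem(ipaddress.ip_network("0.0.0.0/0"))
        return max(matches, key=lambda i: i.net.prefixlen)


@dataclass
class Rpz:
    """An rpz: clause. Empty tags means a global zone: applies to everyone."""
    name: str
    patterns: Set[str]                    # "*.test.com" from "*.test.com CNAME ."
    tags: Set[str] = field(default_factory=set)

    def applies_to(self, client_tags: Set[str]) -> bool:
        return not self.tags or bool(self.tags & client_tags)

    def hits(self, qname: str) -> bool:
        for p in self.patterns:
            if p.startswith("*.") and qname.endswith(p[1:]):
                return True
            if qname == p:
                return True
        return False


def answer(acl: AccessControl, zones: List[Rpz], src_ip: str, qname: str) -> str:
    """NXDOMAIN if an applicable zone matches the name, otherwise recurse."""
    item = acl.lookup(src_ip)
    for z in zones:
        if z.applies_to(item.tags) and z.hits(qname):
            return f"NXDOMAIN ({z.name})"
    return "recurse"


def first_config() -> AccessControl:
    """Otto's first configuration: tag on the /24, only a view on the /32."""
    acl = AccessControl()
    acl.access_control_tag("10.0.0.0/24", "all-subnet-clients")
    acl.access_control_view("10.0.0.1/32", "test-client")
    return acl


def fixed_config() -> AccessControl:
    """Otto's second configuration: the /32 item gets a tag of its own."""
    acl = first_config()
    acl.access_control_tag("10.0.0.1/32", "test-client")
    return acl


def alt_config() -> AccessControl:
    """Not in the thread; follows from the model: give the /32 the same tag
    as the /24, so the rpz: clause needs no extra tag."""
    acl = first_config()
    acl.access_control_tag("10.0.0.1/32", "all-subnet-clients")
    return acl


# Constructed zones: "rpz.test" mirrors the thread's tagged zone; the global
# one is invented to show that an untagged zone still applies to 10.0.0.1.
RPZ_TAGGED = Rpz("rpz.test", {"*.test.com"}, {"all-subnet-clients"})
RPZ_TAGGED_BOTH = Rpz("rpz.test", {"*.test.com"}, {"all-subnet-clients", "test-client"})
RPZ_GLOBAL = Rpz("rpz.global", {"*.blocked.example"})

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2"):
        it = first_config().lookup(ip)
        print(ip, "tags:", sorted(it.tags), "view:", it.view,
              "->", answer(first_config(), [RPZ_TAGGED], ip, "hello.test.com"))
    print("fixed:", answer(fixed_config(), [RPZ_TAGGED_BOTH], "10.0.0.1", "hello.test.com"))
```

With the first configuration the model gives 10.0.0.1 the view but an empty tag set, so the tagged zone is skipped and the query recurses, while 10.0.0.2 and any client of an untagged zone get NXDOMAIN; with the second configuration the /32 item carries a tag that intersects the zone's tags and the query is blocked. The model covers tag selection only, not the view-first ordering of local zones against RPZ.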