RPZ - how to modify NS records in answer?
John Horne
john.horne at plymouth.ac.uk
Fri Jun 21 16:19:46 UTC 2013
On Fri, 2013-06-21 at 17:11 +0100, John Horne wrote:
>
> My understanding is that RPZ can do this, but I just cannot seem to
> configure the RPZ zone file to enable this. The zone file contains:
> =====
> $TTL 1H
> @ SOA LOCALHOST. hostmaster.plymouth.ac.uk (1 1h
> 15m 30d 2h)
> NS LOCALHOST.
>
> dns1.plymouth.ac.uk.rpz-nsdomain CNAME *.
> =====
>
Hmm, I have just noticed that ARM says:
======
NSDNAME triggers match names of authoritative servers for the query
name, a parent of the query name, a CNAME for query name, or a parent of
a CNAME. They are encoded as subdomains of rpz-nsdomain relativized to
the RPZ origin name.
======
But the example zone file further down the page has the example:
ns.domain.com.rpz-nsdname CNAME .
So is 'rpz-nsdomain' wrong then in the zone file and 'rpz-nsdname'
should be used instead?
If I modify my zone file above to use 'rpz-nsdname' then the 'dig'
command gets a NXDOMAIN response. If I use '.' as the rdata I get a
NOERROR response but no ANSWER section, just an AUTHORITY section with
the RPZ zone SOA in it.
John.
--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
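The post turns on two details of the RPZ zone syntax: which trailing label makes a record an NSDNAME trigger (the ARM text quoted above uses "rpz-nsdomain" in one place and "rpz-nsdname" in the example), and what the special CNAME targets "." and "*." mean as actions. The script below is an added example, not code from the post, from ISC or from BIND; it decodes the trigger type and the action of every record in an RPZ zone and flags the "rpz-nsdomain" spelling. The trigger labels, the reversed-address encoding of rpz-ip/rpz-nsip/rpz-client-ip and the CNAME action targets follow the BIND ARM; "rpz-drop." and "rpz-tcp-only." are later additions that the 2013 post does not cover. The zone text is constructed here for the example and uses the post's record beside its corrected form.

```python
"""Decode triggers and actions in a BIND RPZ zone (added example)."""
import ipaddress
import re

# Last owner-name label -> RPZ trigger type (BIND ARM); any other owner is a QNAME trigger.
TRIGGER_SUFFIXES = {
    "rpz-client-ip": "CLIENT-IP",
    "rpz-ip": "IP",
    "rpz-nsdname": "NSDNAME",
    "rpz-nsip": "NSIP",
}
# Labels that look like trigger labels but are not; 'rpz-nsdomain' is the one from the post.
KNOWN_TYPOS = {"rpz-nsdomain": "rpz-nsdname"}

# Special CNAME targets that encode a policy action instead of local data.
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",          # later BIND releases only
    "rpz-tcp-only.": "TCP-ONLY",  # later BIND releases only
}

# Constructed sample zone: the post's record as written, then corrected, plus other shapes.
SAMPLE_ZONE = """\
$TTL 1H
@  SOA LOCALHOST. hostmaster.example.invalid. (1 1h
       15m 30d 2h)
@  NS  LOCALHOST.
dns1.plymouth.ac.uk.rpz-nsdomain  CNAME *.
dns1.plymouth.ac.uk.rpz-nsdname   CNAME *.
ns.example.invalid.rpz-nsdname    CNAME .
32.4.3.2.10.rpz-nsip              CNAME rpz-passthru.
bad.example.invalid               A     192.0.2.1
24.0.2.0.192.rpz-client-ip        CNAME .
"""


def decode_rpz_address(labels):
    """Decode 'prefix.o4.o3.o2.o1' (IPv4) or 'prefix.g8...g1' with 'zz' for '::' (IPv6)."""
    prefix, groups = labels[0], list(reversed(labels[1:]))
    if len(groups) == 4 and all(g.isdigit() and int(g) <= 255 for g in groups):
        addr = ".".join(groups)
    elif "zz" in groups:
        i = groups.index("zz")
        addr = ":".join(groups[:i]) + "::" + ":".join(groups[i + 1:])
    else:
        addr = ":".join(groups)
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def classify_trigger(owner):
    """Return (trigger_type, detail) for an owner name relative to the RPZ origin."""
    labels = owner.rstrip(".").split(".")
    suffix = labels[-1]
    if suffix in KNOWN_TYPOS:
        # BIND sees no special label here, so this is just a QNAME trigger for that literal name.
        return "QNAME", (f"{owner} (note: '{suffix}' is not an RPZ trigger label; "
                         f"did you mean '{KNOWN_TYPOS[suffix]}'?)")
    kind = TRIGGER_SUFFIXES.get(suffix)
    if kind is None:
        return "QNAME", owner
    if kind == "NSDNAME":
        return kind, ".".join(labels[:-1]) + "."   # the name server's FQDN
    return kind, decode_rpz_address(labels[:-1])   # IP, NSIP, CLIENT-IP


def classify_action(rtype, rdata):
    """Map the record's rdata to an RPZ action; anything else is local data."""
    if rtype == "CNAME" and rdata in ACTIONS:
        return ACTIONS[rdata]
    return f"LOCAL-DATA {rtype} {rdata}"


def iter_records(zone_text):
    """Yield (owner, type, rdata) for single-line records; skip directives, apex records
    and continuation lines inside ( ... )."""
    depth = 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                               # still inside a multi-line rdata
            depth += line.count("(") - line.count(")")
            continue
        if not line or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$", line)
        if not m or m.group(1) == "@":
            continue
        yield m.group(1), m.group(2), m.group(3).strip()


def lint_rpz(zone_text):
    """Return [(owner, trigger_type, detail, action)] for every policy record."""
    return [(o, *classify_trigger(o), classify_action(t, r))
            for o, t, r in iter_records(zone_text)]


if __name__ == "__main__":
    for owner, kind, detail, action in lint_rpz(SAMPLE_ZONE):
        print(f"{owner:36} {kind:9} {detail:40} -> {action}")
```

Run against the sample, the first record is reported as a plain QNAME trigger for the literal name ending in "rpz-nsdomain" with a hint, while the corrected record is an NSDNAME trigger for dns1.plymouth.ac.uk. with the NODATA action, which is the distinction between "*." and "." that the post is probing.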