RPZ - override TXT records

Wolfgang Riedel wolfgang at cisco.com
Tue Oct 13 22:14:32 UTC 2015


Hi Mukund,
Hi John,

I would need a way to insert or override a TXT record while still not touching all other records and letting them pass through in a transparent way.

So just having this would be best for my use-case, but this removes all other RRs.
	www.cisco.com TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"

As I have learned this is not going to work:
www.cisco.com CNAME rpz-passthru.
www.cisco.com TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"


and I need to take this path:
wolfgang.dns-as.org A       193.34.28.108
wolfgang.dns-as.org TXT     "CISCO-CLS=app-name:RPZ|app-class:TD"


If the latter is the only solution, which can’t scale as this could change without me getting a notice, my approach will not work ;-((
If we agree that I am not doing something wrong and this seems to be a corner case, does this imply the current BIND RPZ behavior works as designed, or is it more like a bug?

Any other idea of how this could be solved, or do I need to write a script running dig to constantly update the A record inside my RPZ zone file to keep it current?

Many thanks,
Wolfgang

> On 12 Oct 2015, at 10:59AM, Mukund Sivaraman <muks at isc.org> wrote:
> 
> Hi Wolfgang
> 
> On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
>> Hi Folks,
>> 
>> I am currently struggling with using RPZ for inserting or overriding TXT
>> resource records.
>> 
>> This is my goal:
>> 
>>   ; do not rewrite www.cisco.com (so, PASSTHRU) and add or override
>>   missing metadata
>>   www.cisco.com CNAME rpz-passthru.
>>   www.cisco.com TXT     "CISCO-CLS=app-name:HTTP|app-class:TD"
>> 
>> What works is that I can do one or the other but not both at the same time
>> if I need to use a CNAME.
>> 
>> This works:
>> 
>>   wolfgang.dns-as.org A       193.34.28.108
>>   wolfgang.dns-as.org TXT     "CISCO-CLS=app-name:RPZ|app-class:TD"
>> 
>> but in reality this will not work for CDN or load-balanced sites which don't
>> have a fixed IP address.
>> 
>> Any hints on what I am doing wrong?
> 
> You aren't doing anything wrong. Yours is a corner case.
> 
> I hope I understood what you're trying to do correctly: From the zone
> comment, perhaps you want the TXT query type to return the TXT RDATA
> you've supplied and everything else passthru to regular processing. It
> can't be done as triggers don't use the question's TYPE field.
> 
> An alternative is to include all the RRs for that QNAME in the answer
> (your second example). Yours is a weird case, because you can't use the
> following in the policy zone which named wouldn't allow loading (it
> won't allow CNAME to coexist):
> 
> www.cisco.com                  CNAME www.cisco.com.akadns.net.
> www.cisco.com                  TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"
> 
> So using the A record (your second example) or adding triggers for the
> target of the CNAME record chain are your best bet. As the latter
> varies, perhaps the former for your region would be best.
> 
> 		Mukund
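The workaround the thread settles on (list every current A address of the name in the policy zone next to the TXT record, since named will not load an RPZ entry where a CNAME coexists with other types) only stays correct if the A records are refreshed whenever the CDN changes them. The script below is an added example written for this page, not code from the original thread or from ISC: it turns `dig +short` output into RPZ entries, refuses to emit a CNAME-plus-TXT entry, and bumps the SOA serial only when the rendered records actually changed. The names, addresses, TXT strings, apex and SOA values are constructed placeholders; `SAMPLE_DIG_OUTPUT` stands in for real dig output so it runs offline.

```python
"""Keep A records current in an RPZ policy zone that also carries TXT metadata.

Added example for the bind-users thread; all names and values are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for what `dig +short <name> A` prints: a CDN-fronted
# name shows its CNAME target first, then the A addresses currently in use.
SAMPLE_DIG_OUTPUT: Dict[str, str] = {
    "www.example.test.": "cdn.example.test.\n192.0.2.10\n192.0.2.11\n",
    "static.example.test.": "198.51.100.7\n",
}

# Hypothetical TXT metadata the policy zone should attach to each name.
SAMPLE_TXT: Dict[str, str] = {
    "www.example.test.": "CISCO-CLS=app-name:HTTP|app-class:TD",
    "static.example.test.": "CISCO-CLS=app-name:HTTP|app-class:BULK",
}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_dig_short(output: str) -> List[str]:
    """Keep only IPv4 addresses from `dig +short` output.

    CNAME targets printed on the way to the answer are dropped on purpose:
    the RPZ entry must carry the final A addresses, because a CNAME cannot
    coexist with the TXT record in the policy zone.
    """
    return [ln.strip() for ln in output.splitlines() if IPV4_RE.match(ln.strip())]


def resolve_a(name: str, lookup: Optional[Dict[str, str]] = None) -> List[str]:
    """Current A addresses; uses the lookup table (offline) or real dig."""
    if lookup is not None:
        return parse_dig_short(lookup.get(name, ""))
    proc = subprocess.run(["dig", "+short", name, "A"],
                          capture_output=True, text=True, check=True)
    return parse_dig_short(proc.stdout)


def rpz_records(name: str, addresses: List[str], txt: str) -> List[str]:
    """RPZ lines for one name: every current A plus the TXT record.

    Owner names are relative to the policy-zone apex, so the trailing dot
    of the fully qualified name is stripped.
    """
    if not addresses:
        raise ValueError(f"{name}: no A addresses; a CNAME-only entry cannot "
                         "carry a TXT record in RPZ")
    owner = name.rstrip(".")
    lines = [f"{owner}\tA\t{addr}" for addr in addresses]
    lines.append(f'{owner}\tTXT\t"{txt}"')
    return lines


def has_cname_conflict(lines: List[str]) -> bool:
    """True if some owner mixes CNAME with another type (rejected at load)."""
    types_by_owner: Dict[str, Set[str]] = {}
    for ln in lines:
        fields = ln.split()
        if len(fields) < 3:
            continue
        types_by_owner.setdefault(fields[0], set()).add(fields[1].upper())
    return any("CNAME" in t and len(t) > 1 for t in types_by_owner.values())


def build_body(txt_by_name: Dict[str, str],
               lookup: Optional[Dict[str, str]] = None) -> List[str]:
    """All policy entries, in a stable order so runs can be compared."""
    body: List[str] = []
    for name, txt in sorted(txt_by_name.items()):
        body.extend(rpz_records(name, resolve_a(name, lookup), txt))
    if has_cname_conflict(body):
        raise ValueError("policy zone mixes CNAME with other record types")
    return body


def render_zone(body: List[str], serial: int) -> str:
    """Full zone text; apex, SOA and NS values are hypothetical placeholders."""
    header = [
        "$TTL 300",
        f"@\tSOA\tlocalhost. root.localhost. {serial} 3600 900 604800 300",
        "@\tNS\tlocalhost.",
    ]
    return "\n".join(header + body) + "\n"


def refresh(previous_body: Optional[List[str]], serial: int,
            txt_by_name: Dict[str, str],
            lookup: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], int]:
    """One polling cycle: (new zone text or None, serial).

    The serial is bumped and a zone rendered only when the records differ
    from the previous cycle, so named is not asked to reload unchanged data.
    """
    body = build_body(txt_by_name, lookup)
    if body == previous_body:
        return None, serial
    return render_zone(body, serial + 1), serial + 1


if __name__ == "__main__":
    zone, new_serial = refresh(None, 2015101300, SAMPLE_TXT, SAMPLE_DIG_OUTPUT)
    print(zone)
```

Run without the `lookup` argument to query the real resolver with dig; in production the rendered text would be written to the policy zone file and followed by `rndc reload` of that zone, and the previous cycle's body kept so that a CDN address change is the only thing that triggers a serial bump.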
