RPZ - override TXT records
Wolfgang Riedel
wolfgang at cisco.com
Tue Oct 13 22:14:32 UTC 2015
Hi Mukund,
Hi John,
I would need a way to insert or override a TXT record while still not touching all other records and letting them pass through in a transparent way.
So just having this would be best for my use-case but this removes all other RR.
www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
As I have learned this is not going to work:
www.cisco.com CNAME rpz-passthru.
www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
and I need to take this path:
wolfgang.dns-as.org A 193.34.28.108
wolfgang.dns-as.org TXT "CISCO-CLS=app-name:RPZ|app-class:TD"
If the latter is the only solution, which can't scale as this could change without my getting notice, my approach will not work ;-((
If we agree that I am not doing something wrong and this seems to be a corner case, does this imply the current BIND RPZ behavior works as designed, or is it more like a bug?
Any other idea how this could be solved or do I need to write a script running dig to constantly update the A record inside my RPZ zone file to keep it current?
Many thanks,
Wolfgang
> On 12 Oct 2015, at 10:59AM, Mukund Sivaraman <muks at isc.org> wrote:
>
> Hi Wolfgang
>
> On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
>> Hi Folks,
>>
>> I am currently struggling with using RPZ for inserting or overriding TXT
>> resource records.
>>
>> This is my goal:
>>
>> ; do not rewrite www.cisco.com (so, PASSTHRU) and add or override
>> missing metadata
>> www.cisco.com CNAME rpz-passthru.
>> www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
>>
>> What works is that I can do one or the other but not both at the same time
>> if I need to use a CNAME.
>>
>> This works:
>>
>> wolfgang.dns-as.org A 193.34.28.108
>> wolfgang.dns-as.org TXT "CISCO-CLS=app-name:RPZ|app-class:TD"
>>
>> but in reality this will not work for CDN or load-balanced sites which don't
>> have a fixed IP address.
>>
>> Any hints what I am doing wrong?
>
> You aren't doing anything wrong. Yours is a corner case.
>
> I hope I understood what you're trying to do correctly: From the zone
> comment, perhaps you want the TXT query type to return the TXT RDATA
> you've supplied and everything else passthru to regular processing. It
> can't be done as triggers don't use the question's TYPE field.
>
> An alternative is to include all the RRs for that QNAME in the answer
> (your second example). Yours is a weird case, because you can't use the
> following in the policy zone which named wouldn't allow loading (it
> won't allow CNAME to coexist):
>
> www.cisco.com CNAME www.cisco.com.akadns.net.
> www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
>
> So using the A record (your second example) or adding triggers for the
> target of the CNAME record chain are your best bet. As the latter
> varies, perhaps the former for your region would be best.
>
> Mukund
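The workaround the thread converges on (keep the name's current A records plus the TXT record in the policy zone, with no CNAME at that owner name) can be regenerated from dig output. The script below is an added example, not code from the thread or from ISC: it takes `dig +short` output (a constructed sample standing in for the live lookup, with documentation addresses), emits the RPZ records, and checks the one combination named refuses to load (a CNAME sharing an owner name with other types).

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `dig +short www.cisco.com A` output: a CNAME chain
# (one name from the thread, one made up) ending in two constructed
# documentation addresses. In a cron job this would come from run_dig().
SAMPLE_DIG_OUTPUT = """\
www.cisco.com.akadns.net.
cdn-edge.example.net.
203.0.113.10
203.0.113.11
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def addresses_from_dig(output: str) -> List[str]:
    """Keep only the A records at the end of dig's CNAME-chain output."""
    return [ln.strip() for ln in output.splitlines() if IPV4.match(ln.strip())]


def rpz_records(owner: str, txt: str, addrs: List[str]) -> List[str]:
    """Build the policy records: every current A record plus the TXT metadata.
    No CNAME at this owner, so named loads the zone and answers both
    A and TXT queries for the name from the policy zone."""
    if not addrs:
        raise ValueError(f"no A records for {owner}; refusing to emit an empty policy")
    lines = [f"{owner} A {a}" for a in addrs]
    lines.append(f'{owner} TXT "{txt}"')
    return lines


def check_no_cname_mix(records: List[str]) -> List[str]:
    """Return owner names where a CNAME coexists with other RR types."""
    types: Dict[str, set] = {}
    for rec in records:
        owner, rtype = rec.split()[:2]
        types.setdefault(owner, set()).add(rtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)


def run_dig(name: str) -> str:
    """Live lookup (needs network); swap this in for SAMPLE_DIG_OUTPUT."""
    return subprocess.run(["dig", "+short", name, "A"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    addrs = addresses_from_dig(SAMPLE_DIG_OUTPUT)
    for line in rpz_records("www.cisco.com", "CISCO-CLS=app-name:HTTP|app-class:TD", addrs):
        print(line)
```

The refusal on an empty address list matters: if the lookup fails, an unchanged policy zone is better than one that silently drops the A records and breaks resolution of the name.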