R: R: R: Three RPZ zone definition
dot at dotat.at
Fri May 20 11:18:13 UTC 2016
Job <Job at colliniconsulting.it> wrote:
> But, if I have two different zones (or three) in the response-policy
> sentence, can I trigger the Client only for a zone and not for the other?
> Some Client would not have to match together the two zones!
I think your question is answered by this part of the documentation:
: The query response is checked against all response policy zones, so two
: or more policy records can be triggered by a response. Because DNS
: responses are rewritten according to at most one policy record, a single
: record encoding an action (other than DISABLED actions) must be chosen.
: Triggers or the records that encode them are chosen for the rewriting in
: the following order:
: 1. Choose the triggered record in the zone that appears first in the
: response-policy option.
: 2. Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP triggers in a
: single zone.
: 3. Among NSDNAME triggers, prefer the trigger that matches the smallest
: name under the DNSSEC ordering.
: 4. Among IP or NSIP triggers, prefer the trigger with the longest prefix.
: 5. Among triggers with the same prefix length, prefer the IP or NSIP
: trigger that matches the smallest IP address.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy: Variable 4 at first in southeast, otherwise southwesterly 5 to 7.
Moderate, occasionally rough in northwest. Rain or showers. Moderate or good,
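
The precedence order quoted above, written out as an added Python example (not code from BIND or from the original post). The `Hit` record, the zone names and the sample hits are constructed for illustration, and DISABLED is modelled simply as an action value that is skipped.

```python
import ipaddress
from dataclasses import dataclass

# Rule 2: trigger precedence inside a single zone (lower value wins).
TRIGGER_RANK = {"CLIENT-IP": 0, "QNAME": 1, "IP": 2, "NSDNAME": 3, "NSIP": 4}

@dataclass(frozen=True)
class Hit:          # hypothetical record of one triggered policy record
    zone: str       # policy zone the record lives in
    trigger: str    # one of TRIGGER_RANK
    match: str      # name (QNAME/NSDNAME) or CIDR (CLIENT-IP/IP/NSIP)
    action: str     # e.g. "NXDOMAIN", "PASSTHRU", "DISABLED"

def dnssec_key(name):
    """Canonical DNSSEC order: lowercased labels compared rightmost first."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))

def sort_key(hit, zone_order):
    key = [zone_order.index(hit.zone), TRIGGER_RANK[hit.trigger]]  # rules 1, 2
    if hit.trigger == "NSDNAME":
        key.append(dnssec_key(hit.match))                           # rule 3
    elif hit.trigger in ("IP", "NSIP"):
        net = ipaddress.ip_network(hit.match)
        key += [-net.prefixlen, int(net.network_address)]           # rules 4, 5
    return key

def choose(hits, zone_order):
    """Return the single record used for rewriting, or None if none applies."""
    live = [h for h in hits if h.action != "DISABLED"]
    return min(live, key=lambda h: sort_key(h, zone_order), default=None)

# Constructed sample: zones in the order they would appear in response-policy,
# and the records one response is assumed to have triggered (IPv4 only).
ZONE_ORDER = ["rpz-allow.example", "rpz-block.example"]
SAMPLE_HITS = [
    Hit("rpz-block.example", "CLIENT-IP", "192.0.2.0/24", "NXDOMAIN"),
    Hit("rpz-allow.example", "NSDNAME", "ns.bad.example", "NXDOMAIN"),
    Hit("rpz-allow.example", "IP", "198.51.100.0/24", "PASSTHRU"),
    Hit("rpz-allow.example", "IP", "198.51.100.128/25", "NODATA"),
]

if __name__ == "__main__":
    print(choose(SAMPLE_HITS, ZONE_ORDER))
```

With the sample order, the /25 IP record in the first zone is chosen even though a CLIENT-IP trigger fired in the second zone, because zone order is applied before trigger type.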