Re: Three RPZ zone definition

Tony Finch dot at dotat.at
Fri May 20 11:18:13 UTC 2016


Job <Job at colliniconsulting.it> wrote:

> But if I have two different zones (or three) in the response-policy
> statement, can I trigger the client only for one zone and not for the
> other zone?

> Some clients would not have to match both zones!

I think your question is answered by this part of the documentation:

: The query response is checked against all response policy zones, so two
: or more policy records can be triggered by a response. Because DNS
: responses are rewritten according to at most one policy record, a single
: record encoding an action (other than DISABLED actions) must be chosen.
: Triggers or the records that encode them are chosen for the rewriting in
: the following order:
:
: 1. Choose the triggered record in the zone that appears first in the
:    response-policy option.
:
: 2. Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP triggers in a
:    single zone.
:
: 3. Among NSDNAME triggers, prefer the trigger that matches the smallest
:    name under the DNSSEC ordering.
:
: 4. Among IP or NSIP triggers, prefer the trigger with the longest prefix.
:
: 5. Among triggers with the same prefix length, prefer the IP or NSIP
:    trigger that matches the smallest IP address.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Variable 4 at first in southeast, otherwise southwesterly 5 to 7.
Moderate, occasionally rough in northwest. Rain or showers. Moderate or good,
occasionally poor.
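Applied to the question above, rule 1 (zone order) is what lets one policy zone exempt particular clients before a later zone's QNAME rules are considered: a CLIENT-IP trigger with the PASSTHRU action in the first zone is chosen over a matching QNAME trigger in the second. The named.conf and zone-file fragments below are an added example, not code from the original post or from the BIND documentation; the zone names, the 192.0.2.0/24 client range, the file paths and the blocked name evil.example are assumptions chosen for illustration.

```conf
// ---- named.conf fragment (added example, not from the original post) ----
// The first zone listed in response-policy wins when more than one zone
// triggers on the same response, so the exemption zone must come first.
options {
    recursion yes;
    response-policy {
        zone "exempt.rpz.local";   // rpz-client-ip PASSTHRU for exempt clients
        zone "block.rpz.local";    // QNAME blocking for everyone else
    };
};

zone "exempt.rpz.local" {
    type master;
    file "/etc/bind/rpz/exempt.db";   // assumed path
    allow-query { none; };            // policy zones need not be queryable
};

zone "block.rpz.local" {
    type master;
    file "/etc/bind/rpz/block.db";    // assumed path
    allow-query { none; };
};

; ---- /etc/bind/rpz/exempt.db (zone file; ';' starts a comment here) ----
; Clients in 192.0.2.0/24 get PASSTHRU for every response. The
; rpz-client-ip owner name is the prefix length followed by the address
; octets in reverse order: 192.0.2.0/24 -> 24.0.2.0.192
$TTL 300
@                          SOA   localhost. root.localhost. 1 3600 900 86400 300
                           NS    localhost.
24.0.2.0.192.rpz-client-ip CNAME rpz-passthru.

; ---- /etc/bind/rpz/block.db ----
; QNAME triggers returning NXDOMAIN (CNAME .) for evil.example and
; every name below it.
$TTL 300
@                          SOA   localhost. root.localhost. 1 3600 900 86400 300
                           NS    localhost.
evil.example               CNAME .
*.evil.example             CNAME .
```

With this configuration a client at 192.0.2.10 asking for www.evil.example gets the real answer, because the CLIENT-IP trigger in exempt.rpz.local is chosen under rule 1 and PASSTHRU ends rewriting; a client at any other address falls through to block.rpz.local and gets NXDOMAIN. Two things to check when it does not behave as expected: the rpz logging category (`category rpz { ... };`) records which zone and trigger was applied to each rewritten response, and CLIENT-IP triggers match the source address as named sees it, so clients behind a NAT or a forwarding resolver in front of this server all appear as one address and cannot be distinguished this way.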