rpz fail

Lee ler762 at gmail.com
Tue Aug 27 17:10:32 UTC 2019


On 8/27/19, Tony Finch <dot at dotat.at> wrote:
> Lee <ler762 at gmail.com> wrote:
>>
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>>
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
>
> I suspect this is RPZ obeying the weird semantics of DNS wildcard
> matching. The * only matches if the answer would otherwise be NXDOMAIN
> (the name does not exist). The weirdness happens when there are subdomains
> that exist, because any parent names are NODATA (the name exists but has
> no records of the query type) which suppresses wildcard matching.
>
> So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
> 112.2o7.net to exist, so any names under those domains do not match the
> wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
> it doesn't match.
>
> For the long explanation see
> https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain
> Name System
> https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing
> Underneath

Thank you!

I posted a similar question on the DNS firewall list
  http://lists.redbarn.org/pipermail/dnsfirewalls/2019-August/000367.html
Hopefully the RFCs you listed will help me understand the 'empty
non-terminals' thing.

Regards,
Lee
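The wildcard behaviour Tony describes above, worked through as an added example (not code from the thread, from BIND, or from the RPZ specification): a toy resolver implementing the closest-encloser rule of RFC 4592 section 3.3, loaded with the three records Lee posted. It shows that `appleglobal.112.2o7.net` gets NXDOMAIN rather than the wildcard CNAME because `112.2o7.net` exists as an empty non-terminal, while `foo.2o7.net` and `a.b.2o7.net` do match. The `cover_empty_non_terminals` helper is my own addition, not a fix anyone proposed in the thread; it follows from the RFC's rule that only the `*` child of the closest encloser can synthesise an answer.

```python
"""RFC 4592 wildcard matching applied to the RPZ zone from the thread.

Added example, not code from the original post or from BIND. The toy
resolver models only the parts of RFC 4592 section 3.3 that matter here:
exact match, empty non-terminals, the closest encloser, and the '*' child
of the closest encloser as the only source of synthesis.
"""

# The three records Lee posted, as a constructed zone-file fragment.
APEX = "2o7.net"
RPZ_ZONE = """
2o7.net                      CNAME .
*.2o7.net                    CNAME .
bcbsks.com.102.112.2o7.net   CNAME .
"""


def labels(name):
    """'a.b.c.' -> ('c', 'b', 'a'): root-most label first, case folded."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)[::-1]


def parse_zone(text, apex=APEX):
    """Parse 'owner TYPE rdata' lines into {owner_labels: {TYPE: rdata}}.

    Every ancestor of an owner name, down to the apex, is also entered
    with no records: those are the empty non-terminals (RFC 4592 2.2.2).
    """
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = labels(parts[0]), parts[1].upper(), " ".join(parts[2:])
        names.setdefault(owner, {})[rtype] = rdata
    for owner in list(names):
        for depth in range(len(labels(apex)), len(owner)):
            names.setdefault(owner[:depth], {})
    return names


def lookup(names, qname, qtype="CNAME"):
    """Resolve qname/qtype per RFC 4592 section 3.3.

    Returns (status, rdata) where status is one of
    ANSWER (exact match), NODATA (name exists but lacks qtype),
    WILDCARD (synthesised from the closest encloser's '*' child),
    NXDOMAIN (no such name and no applicable wildcard).
    """
    q = labels(qname)
    if q in names:
        rdata = names[q].get(qtype)
        return ("ANSWER", rdata) if rdata is not None else ("NODATA", None)
    # Closest encloser: the longest existing ancestor of qname. An empty
    # non-terminal counts as existing, which is what blocks the wildcard.
    closest = max((d for d in range(len(q)) if q[:d] in names), default=0)
    source = q[:closest] + ("*",)
    if source in names:
        rdata = names[source].get(qtype)
        return ("WILDCARD", rdata) if rdata is not None else ("NODATA", None)
    return ("NXDOMAIN", None)


def is_blocked(names, qname):
    """True if the RPZ zone yields a CNAME for qname (exact or via wildcard)."""
    status, _ = lookup(names, qname)
    return status in ("ANSWER", "WILDCARD")


def cover_empty_non_terminals(names, rtype="CNAME", rdata="."):
    """Return a copy of the zone with a '*' child under every empty
    non-terminal. Not a fix proposed in the thread; it follows from RFC 4592:
    a wildcard only helps where it is the closest encloser's own '*' child.
    """
    fixed = {owner: dict(rrs) for owner, rrs in names.items()}
    for owner, rrs in names.items():
        if not rrs and owner + ("*",) not in names:
            fixed[owner + ("*",)] = {rtype: rdata}
    return fixed


if __name__ == "__main__":
    zone = parse_zone(RPZ_ZONE)
    for name in ("foo.2o7.net", "a.b.2o7.net", "112.2o7.net",
                 "appleglobal.112.2o7.net", "bcbsks.com.102.112.2o7.net"):
        print(f"{name:30} {lookup(zone, name)}")
    fixed = cover_empty_non_terminals(zone)
    print("after covering ENTs:", lookup(fixed, "appleglobal.112.2o7.net"))
```

Running it prints `NODATA` for `112.2o7.net` and `NXDOMAIN` for `appleglobal.112.2o7.net`, which is exactly the NODATA-suppresses-wildcard behaviour Tony describes; the names `102.112.2o7.net` and `com.102.112.2o7.net` behave the same way. Real RPZ trigger matching in BIND has more rules than this model (it also walks parent names of the query, and the NSDNAME and NSIP triggers are different beasts), so treat this as a picture of the wildcard rule only, not of BIND's lookup path.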


More information about the bind-users mailing list