Internal CNAME in RPZ

m3047 m3047 at m3047.net
Wed Oct 23 21:11:01 UTC 2019


Eh? I don't understand this. Response Policy Zones are /zones/, as the 
nomenclature implies: they are maintained, transferred, managed with zone 
handling machinery.

On Wed, 23 Oct 2019, julien soula wrote:
> 
> On Wed, Oct 23, 2019 at 10:21:08PM +0500, Andrey Geyn wrote:
>
>> In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have following named.conf:
>> """
>> options {
>>         response-policy {zone "rpz"; };
>> };
>> zone "rpz" {
>>         type master;
>>         file "/etc/bind/rpz.zone";
>> };
>
> RPZ zone is only use internally to Bind. It doesn't need to be
> resolvable outside. So you can skip the zone declaration.
>
> If you need zone declaration (cause you have slaves for this zone),
> you can restrict access to it by adding "allow-query { slaves... };"
> on master and "allow-query {};" on slaves.

Probably doesn't need to be queryable by the outside world, no. But this 
doesn't indicate what access controls are or are not in place. I can 
assure you that on the machine that masters my RPZ, I update it with 
dynamic updates (that's what net-dns.pl does), and it's declared just 
about like that.

It is handy to be able to query the RPZ as a legitimate zone for debugging 
and management purposes, case in point.

--

Fred Morris
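To make concrete what the thread is discussing (declaring the RPZ as an ordinary zone, restricting allow-query to the hosts that actually need it, and still accepting dynamic updates and local debug queries), here is an added named.conf example. It is not from the thread, from net-dns.pl, or from the BIND documentation; the key name, the TSIG secret (a dummy base64 string), the 192.0.2.x addresses and the file paths are placeholders chosen for illustration.

```conf
// ---- named.conf fragment on the host that masters the RPZ ----
// Added example, not from the thread. Key name, secret, addresses and
// paths are placeholders.

// Dummy TSIG key for illustration only; generate a real one with:
//   tsig-keygen rpz-update
key "rpz-update" {
        algorithm hmac-sha256;
        secret "dGhpcyBpcyBub3QgYSByZWFsIGtleQ==";
};

// Hosts that slave the RPZ from this master (assumed addresses).
acl "rpz-secondaries" { 192.0.2.10; 192.0.2.11; };

options {
        response-policy { zone "rpz"; };
};

zone "rpz" {
        type master;
        // Dynamic updates write a journal (rpz.zone.jnl) next to the file,
        // so it must live somewhere named can write. On Debian/Ubuntu
        // /etc/bind is read-only to named; /var/lib/bind is writable.
        file "/var/lib/bind/rpz.zone";
        // Not world-queryable, but the slaves and the local admin can ask.
        allow-query { localhost; rpz-secondaries; };
        allow-transfer { rpz-secondaries; };
        // Only holders of the TSIG key may change the policy zone.
        allow-update { key "rpz-update"; };
        // The RPZ's NS record is normally a dummy, so notify the slaves explicitly.
        notify explicit;
        also-notify { 192.0.2.10; 192.0.2.11; };
};

// ---- named.conf fragment on each slave (192.0.2.10 / 192.0.2.11) ----
// The zone is pulled from the master and used internally by response-policy,
// but localhost keeps the ability to query it for debugging.
// (The slave also needs the same response-policy line in its options block.)
zone "rpz" {
        type slave;
        masters { 192.0.2.1; };
        file "/var/cache/bind/rpz.zone";
        allow-query { localhost; };
        allow-transfer { none; };
};

// Management and debugging from the master, using the key above:
//   nsupdate -y hmac-sha256:rpz-update:dGhpcyBpcyBub3QgYSByZWFsIGtleQ==
//     > server 127.0.0.1
//     > update add bad.example.test.rpz 300 CNAME .     (CNAME . = NXDOMAIN action)
//     > send
//   dig @127.0.0.1 bad.example.test.rpz CNAME    # inspect the policy record itself
//   dig @127.0.0.1 rpz AXFR                      # dump the whole policy zone
//   dig @127.0.0.1 bad.example.test A            # see the rewritten answer
```

The difference from the config quoted earlier in the thread is only the access controls: allow-query and allow-transfer name the slaves instead of defaulting to the server's global ACLs, and allow-update names a TSIG key. Note that BIND applies the policy to queries it answers as a recursive resolver, so querying the zone name "rpz" directly (as the dig lines show) returns the raw policy records rather than a rewritten answer, which is what makes the zone useful for debugging.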


