Changes in RPZ behaviour between versions

Paulo Cáceres paulo.caceres at ADP.PT
Tue Jun 2 11:58:52 UTC 2020

Hi list,
I'm writing this email to ask if the changes I detected in bind
behaviour are as expected or I'm facing some unexpected behaviour.

I searched for this, without success, so now I'm posting this issue I
found between bind versions, 9.14.5 and 9.16.3.

I have an old testing machine running bind 9.14.5 with RPZ zones. The
first one (rpz1) is working as an whitelist and the second one (rpz2)
is automatic populated, as you can check in config bellow:

response-policy {
                zone "rpz1";
                zone "rpz2";
        } qname-wait-recurse no break-dnssec yes;

For example, in rpz1 zone I have something like this:              IN CNAME        rpz-passthru.
*            IN CNAME        rpz-passthru.

And, for example, in rpz2 zone, which are automatic populated, at same
point may have: IN CNAME        secure.test.
*       IN CNAME        secure.test.

when this config is running on the machine with bind 9.14.5, if you
query it for, it simply passthru it because it match on
the rpz1 zone (*, acting as whitelist as expected. 
If I run the same query on a new machine with bind 9.16.3, running the
same config, it will rewrite it to secure.test, matching it in the rpz2

Is this second result (on the last version) the expected behaviour? 
What version are deviating from the expected one?

Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the bind-users mailing list