Changes in RPZ behaviour between versions

Daniel Stirnimann daniel.stirnimann at
Tue Jun 2 12:19:03 UTC 2020

Hello Paulo,

I noticed the same some time ago and made an issue on

For your information, you cannot whitelist with wildcards anymore
starting from bind 9.14.6 and newer.

What still works is if the blacklist contains a wildcard then you can
whitelist this with the same wildcard. For example, you can add the
following to rpz1:

*  IN CNAME        rpz-passthru.


On 02.06.20 13:58, Paulo Cáceres wrote:
> Hi list,
> I'm writing this email to ask whether the changes I detected in bind
> behaviour are expected or whether I'm facing some unexpected behaviour.
> I searched for this without success, so now I'm posting this issue I
> found between bind versions 9.14.5 and 9.16.3.
> I have an old testing machine running bind 9.14.5 with RPZ zones. The
> first one (rpz1) is working as a whitelist and the second one (rpz2) is
> automatically populated, as you can check in the config below:
> response-policy {
>                 zone "rpz1";
>                 zone "rpz2";
>         } qname-wait-recurse no break-dnssec yes;
> For example, in rpz1 zone I have something like this:
>              IN CNAME        rpz-passthru.
> *            IN CNAME        rpz-passthru.
> And, for example, the rpz2 zone, which is automatically populated, at some
> point may have:
> IN CNAME        secure.test.
> *       IN CNAME        secure.test.
> When this config is running on the machine with bind 9.14.5, if you
> query it for, it simply passes it through because it matches in the
> rpz1 zone (*), acting as a whitelist as expected.
> If I run the same query on a new machine with bind 9.16.3, running the
> same config, it will rewrite it to secure.test, matching it in the rpz2
> zone.
> Is this second result (on the last version) the expected behaviour? Which
> version is deviating from the expected one?
> Best regards,
> Paulo
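The arrangement Daniel describes, as an added example that is not part of the thread: rpz1 passes through both the exact name and the very same wildcard that the rpz2 blocklist uses, and a small check confirms every blocklist wildcard is mirrored. The owner blocked.example, the ./rpz-example output path and localhost. as SOA/NS are assumptions; secure.test is the sinkhole name from the thread.

```shell
# Added example, not from the thread: write an rpz1 allowlist and rpz2 blocklist that
# follow the advice above, then check that every wildcard the blocklist uses is mirrored
# by the identical wildcard passthru in rpz1. The owner blocked.example, the $OUTDIR
# path and localhost. as SOA/NS are assumptions; secure.test is the sinkhole from the thread.
set -euf
OUTDIR="${1:-./rpz-example}"

write_rpz_zones() {
  mkdir -p "$OUTDIR"
  # rpz1 is listed first in response-policy, so its passthru records take precedence
  cat > "$OUTDIR/rpz1.zone" <<'EOF'
$TTL 60
@                  IN SOA   localhost. hostmaster.localhost. ( 1 3600 600 86400 60 )
@                  IN NS    localhost.
; exact name plus the identical wildcard rpz2 uses (only the same wildcard still whitelists on 9.14.6+)
blocked.example    IN CNAME rpz-passthru.
*.blocked.example  IN CNAME rpz-passthru.
EOF
  # rpz2 is the automatically populated blocklist, rewriting matches to the sinkhole name
  cat > "$OUTDIR/rpz2.zone" <<'EOF'
$TTL 60
@                  IN SOA   localhost. hostmaster.localhost. ( 1 3600 600 86400 60 )
@                  IN NS    localhost.
blocked.example    IN CNAME secure.test.
*.blocked.example  IN CNAME secure.test.
EOF
  cat > "$OUTDIR/named.rpz.conf" <<'EOF'
response-policy {
        zone "rpz1";
        zone "rpz2";
} qname-wait-recurse no break-dnssec yes;
EOF
}

# Succeeds only if each wildcard owner in rpz2 has the identical rpz-passthru owner in rpz1.
check_wildcards_mirrored() {
  for owner in $(awk '/^\*\./ { print $1 }' "$OUTDIR/rpz2.zone"); do
    awk -v o="$owner" '$1 == o && $3 == "CNAME" && $4 == "rpz-passthru." { found = 1 }
                       END { exit !found }' "$OUTDIR/rpz1.zone" || return 1
  done
}
# Syntax-check the generated zones with BIND's own tool when it is installed.
validate_zones() {
  command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not found, skipping"; return 0; }
  named-checkzone rpz1 "$OUTDIR/rpz1.zone" && named-checkzone rpz2 "$OUTDIR/rpz2.zone"
}
write_rpz_zones
check_wildcards_mirrored && echo "every rpz2 wildcard is mirrored by a passthru in rpz1"
validate_zones
```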
