Changes in RPZ behaviour between versions

Daniel Stirnimann daniel.stirnimann at switch.ch
Tue Jun 2 12:19:03 UTC 2020


Hello Paulo,

I noticed the same some time ago and made an issue on gitlab.isc.org:

https://gitlab.isc.org/isc-projects/bind9/-/issues/1619

For your information, you cannot whitelist with wildcards anymore
starting from bind 9.14.6 and newer.

What still works is if the blacklist contains a wildcard then you can
whitelist this with the same wildcard. For example, you can add the
following to rpz1:

*.tst.test.com  IN CNAME        rpz-passthru.


Daniel

On 02.06.20 13:58, Paulo Cáceres wrote:
> Hi list,
> I'm writing this email to ask if the changes I detected in bind
> behaviour are as expected or I'm facing some unexpected behaviour.
> 
> I searched for this, without success, so now I'm posting this issue I
> found between bind versions, 9.14.5 and 9.16.3.
> 
> I have an old testing machine running bind 9.14.5 with RPZ zones. The
> first one (rpz1) is working as a whitelist and the second one (rpz2) is
> automatically populated, as you can check in the config below:
> 
> response-policy {
>                 zone "rpz1";
>                 zone "rpz2";
>         } qname-wait-recurse no break-dnssec yes;
> 
> For example, in rpz1 zone I have something like this:
> test.com              IN CNAME        rpz-passthru.
> *.test.com            IN CNAME        rpz-passthru.
> 
> And, for example, in the rpz2 zone, which is automatically populated, at some
> point it may have:
> tst.test.com IN CNAME        secure.test.
> *.tst.test.com       IN CNAME        secure.test.
> 
> When this config is running on the machine with bind 9.14.5, if you
> query it for tst.test.com, it simply passes it through because it matches in the
> rpz1 zone (*.test.com), acting as a whitelist as expected.
> If I run the same query on a new machine with bind 9.16.3, running the
> same config, it will rewrite it to secure.test, matching it in the rpz2
> zone.
> 
> Is this second result (on the latest version) the expected behaviour? Which
> version is deviating from the expected one?
> 
> Best regards,
> Paulo
> 

