Changes in RPZ behaviour between versions
Daniel Stirnimann
daniel.stirnimann at switch.ch
Tue Jun 2 12:19:03 UTC 2020
Hello Paulo,
I noticed the same some time ago and made an issue on gitlab.isc.org:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1619
For your information, you cannot whitelist with wildcards anymore
starting from bind 9.14.6 and newer.
What still works: if the blacklist contains a wildcard, then you can
whitelist it with the same wildcard. For example, you can add the
following to rpz1:
    *.tst.test.com IN CNAME rpz-passthru.
Daniel
On 02.06.20 13:58, Paulo Cáceres wrote:
> Hi list,
> I'm writing this email to ask whether the changes I detected in bind
> behaviour are expected or whether I'm facing some unexpected behaviour.
>
> I searched for this without success, so now I'm posting this issue I
> found between bind versions 9.14.5 and 9.16.3.
>
> I have an old testing machine running bind 9.14.5 with RPZ zones. The
> first one (rpz1) is working as a whitelist and the second one (rpz2) is
> automatically populated, as you can check in the config below:
>
> response-policy {
>     zone "rpz1";
>     zone "rpz2";
> } qname-wait-recurse no break-dnssec yes;
>
> For example, in the rpz1 zone I have something like this:
>     test.com IN CNAME rpz-passthru.
>     *.test.com IN CNAME rpz-passthru.
>
> And, for example, the rpz2 zone, which is automatically populated, at some
> point may have:
>     tst.test.com IN CNAME secure.test.
>     *.tst.test.com IN CNAME secure.test.
>
> When this config is running on the machine with bind 9.14.5, if you
> query it for tst.test.com, it simply passes it through because it matches the
> rpz1 zone (*.test.com), acting as a whitelist as expected.
> If I run the same query on a new machine with bind 9.16.3, running the
> same config, it will rewrite it to secure.test, matching it in the rpz2
> zone.
>
> Is this second result (on the latest version) the expected behaviour? Which
> version is deviating from the expected one?
>
> Best regards,
> Paulo
>
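As an added example that is not from this thread nor from ISC's code: a small Python helper that takes the automatically populated rpz2 blacklist and generates the rpz1 passthru lines for every trigger under a domain you want whitelisted, reusing the blacklist's own owner names (wildcards included), which is the form Daniel describes as still working on 9.14.6 and newer. The one-record-per-line zone format, the sample rpz2 content and the `passthru_entries` name are assumptions made for the example.

```python
import re

# Minimal parser for the "owner [TTL] IN CNAME target" lines shown in the thread.
# Real zone files may also carry $ORIGIN, $TTL and other RR types (assumption: not needed here).
RECORD_RE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(?P<target>\S+)\s*$", re.I
)

# Constructed sample standing in for the rpz2 blacklist from the thread.
SAMPLE_RPZ2 = """\
tst.test.com IN CNAME secure.test.
*.tst.test.com IN CNAME secure.test.
bad.example IN CNAME secure.test.   ; not under test.com, must not be whitelisted
"""


def parse_rpz(text):
    """Return (owner, target) pairs, lowercased, owner without trailing dot."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop comments
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group("owner").lower().rstrip("."),
                            m.group("target").lower()))
    return records


def covered_by(owner, suffix):
    """True if owner (plain or wildcard like *.a.b) is suffix itself or a name below it."""
    base = owner[2:] if owner.startswith("*.") else owner
    return base == suffix or base.endswith("." + suffix)


def passthru_entries(blacklist_text, whitelist_suffixes):
    """Emit rpz1 lines that override every blacklist trigger under the given suffixes.

    The override uses exactly the same owner name as the blacklist entry (wildcard
    or not), because a broader wildcard in rpz1 no longer whitelists narrower rpz2 names.
    """
    suffixes = [s.lower().rstrip(".") for s in whitelist_suffixes]
    out = []
    for owner, target in parse_rpz(blacklist_text):
        if target == "rpz-passthru.":
            continue  # already a passthru rule, nothing to override
        if any(covered_by(owner, s) for s in suffixes):
            line = f"{owner} IN CNAME rpz-passthru."
            if line not in out:
                out.append(line)
    return out
```

Feed the generated lines into rpz1 (which must stay listed before rpz2 in `response-policy`) and reload; rerun the generator whenever rpz2 is repopulated so new triggers under the whitelisted domain get their matching override.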