Changes in RPZ behaviour between versions

Paulo Cáceres paulo.caceres at ADP.PT
Tue Jun 2 13:12:20 UTC 2020

Hello Daniel,thanks for your response.
I also noticed that if didn't exist on rpz2, it simply
match on rpz1 in * entry, so for me it was like some bug. This
was why I posted here to check if someone else experienced the same
behaviour and it if it was not some kind of expected change into bind.
This problem with wildcards will give a lots of work to who have rpz
zones updated automatically, so I hope it can go back to what it was.
Thanks again and I hope that someone took your open issue ;).
On Tue, 2020-06-02 at 14:19 +0200, Daniel Stirnimann wrote:
> Hello Paulo,
> I noticed the same some time ago and made an issue on
> For your information, you cannot whitelist with wildcards
> anymorestarting from bind 9.14.6 and newer.
> What still works is if the blacklist contains a wildcard then you
> canwhitelist this with the same wildcard. For example, you can add
> thefollowing to rpz1:
> *  IN CNAME        rpz-passthru.
> Daniel
> On 02.06.20 13:58, Paulo Cáceres wrote:Hi list,I'm writing this email
> to ask if the changes I detected in bindbehaviour are as expected or
> I'm facing some unexpected behaviour.
> I searched for this, without success, so now I'm posting this issue
> Ifound between bind versions, 9.14.5 and 9.16.3.
> I have an old testing machine running bind 9.14.5 with RPZ zones.
> Thefirst one (rpz1) is working as an whitelist and the second one
> (rpz2) isautomatic populated, as you can check in config bellow:
> response-policy {                zone "rpz1";                zone
> "rpz2";        } qname-wait-recurse no break-dnssec yes;
> For example, in rpz1 zone I have something like
>              IN CNAME        rpz-
> passthru.*            IN CNAME        rpz-passthru.
> And, for example, in rpz2 zone, which are automatic populated, at
> samepoint may IN
> CNAME        secure.test.*       IN
> CNAME        secure.test.
> when this config is running on the machine with bind 9.14.5, if
> youquery it for, it simply passthru it because it match
> on therpz1 zone (*, acting as whitelist as expected. If I
> run the same query on a new machine with bind 9.16.3, running thesame
> config, it will rewrite it to secure.test, matching it in the
> rpz2zone.
> Is this second result (on the last version) the expected behaviour?
> Whatversion are deviating from the expected one?
> Best regards,Paulo
> _______________________________________________Please visit 
> to unsubscribe from
> this list
> ISC funds the development of this software with paid support
> subscriptions. Contact us at for more
> information.
Paulo Cáceres
SIN-Área de Sistemas de Informação

Escritório/Sede: Fábrica de Água de Alcântara, Avenida de Ceuta | 1300-254 LISBOA | Tel: 213107900 |

Tenha uma EcoAtitude. Imprima este e-mail apenas se necessário.Esta mensagem e os ficheiros anexos podem conter informação confidencial ou interna. Se, por engano, receber esta mensagem, solicita-se que informe de imediato o remetente e que elimine a mensagem e ficheiros anexos sem os reproduzir.
This message and any files herewith attached may contain confidential or internal information. If you receive this message in error, please notify us immediately and delete this message and any files attached without copying them in any way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image00200.jpg
Type: image/jpeg
Size: 9341 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 17027 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the bind-users mailing list