RPZ rule to apply to NS record requests?
john.thurston at alaska.gov
Tue Nov 16 17:30:10 UTC 2021
On 11/16/2021 2:41 AM, Tony Finch wrote:
> John Thurston <john.thurston at alaska.gov> wrote:
>> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
>> to be sent for a specific record-type for a specific name:
>> foo.bar.com IN A 10.11.12.13
>> foo.bar.com IN TXT "Hello World"
>> But I can't seem to define one for the record-type NS.
>> Is this possible?
> The RPZ documentation doesn't say you can't include NS records as "local
> data", but I guess you might trip over BIND's checks for what makes sense
> at a zone cut: in a normal zone you can't have A and TXT and NS at the
> same name (unless it's the zone apex).
> But even if it did work, it's unlikely to do what you want. (You didn't
> say why you want NS records so that's a somewhat risky assumption...)
TL;DR: I'm trying to cover up someone else's mess.
I didn't describe the reason because it is painful.
We use products from Major Software (hereafter referred to as MS). They
use DNS to provide pointers to public and private versions of similar
services. These pointers are served from public or private authoritative
servers owned and operated by MS. The zones defined on the public
authorities contain both SOA and NS records for each zone. The zones
defined on the private authorities have only the SOA records.
Per RFC, an SOA and NS are the minimal records required of a zone. When
we define forward-zones in our internal resolvers (e.g. Please send
queries for these private names directly to this MS resolver), our
automated monitoring system goes berserk. "Danger! Danger! The zone
privatelink.MS.net is invalid! It has no NS record!! Danger! Something
is wrong! Stop forwarding! Call the Authorities!"
I recognize MS probably doesn't care they are serving up an invalid
zone. I also recognize that my bosses probably are not going to quit
using products and services from MS. I don't want to try to dismantle
(or cripple) the monitoring system which is keeping an eye on all the
other zones for which we forward. I'm, therefore, left trying to imagine
some way to abuse something in my control so my monitoring system doesn't
notice these private MS zones are invalid.
I had _hoped_ I could use an RPZ to say:
privatelink.MS.net IN NS 127.0.0.1
My monitoring system would query DNS, find the SOA (from the real
authorities) and an NS (from my RPZ) and go away happy.
I recognize that the correct answer is to convince MS to correctly
publish their private zones. But after a couple of decades of working
with products from Major Software, I have more confidence I'll score on
the next Powerball than they will acknowledge the deficiency (let alone
consider correcting it).
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
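The two checks this thread turns on, modelled as an added example (not code from the thread or from BIND): the "zone is valid" test a monitor applies to the apex (SOA and NS both present), and the zone-cut rule Tony Finch mentions, under which NS at a non-apex owner name cannot share that name with A, TXT or other types in a normal zone. The names example.net, rpz.example and ns.example.com are constructed placeholders.

```python
from collections import defaultdict

def group_records(records):
    """(owner, rtype, rdata) tuples -> {owner: {rtype: [rdata, ...]}}."""
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_owner[owner.lower().rstrip(".")][rtype.upper()].append(rdata)
    return by_owner

def zone_problems(apex, records):
    """Complaints a monitor raises: a zone apex must carry both SOA and NS."""
    types = group_records(records).get(apex.lower().rstrip("."), {})
    problems = []
    for rtype in ("SOA", "NS"):
        if rtype not in types:
            problems.append(f"{apex}: no {rtype} record at apex")
    return problems

def zone_cut_conflicts(apex, records):
    """Non-apex owner names where NS shares the name with other types.
    This is the zone-cut rule a normal zone (an RPZ zone file included)
    is held to: below the apex, NS marks a delegation and stands alone."""
    apex = apex.lower().rstrip(".")
    conflicts = []
    for owner, types in group_records(records).items():
        if owner != apex and "NS" in types and len(types) > 1:
            conflicts.append((owner, sorted(t for t in types if t != "NS")))
    return conflicts

# Constructed sample data (example.net / rpz.example are placeholders, not MS names)
SOA = "ns1.example.net. hostmaster.example.net. 1 3600 600 86400 300"
PUBLIC_ZONE = [("privatelink.example.net", "SOA", SOA),
               ("privatelink.example.net", "NS", "ns1.example.net.")]
PRIVATE_ZONE = [("privatelink.example.net", "SOA", SOA)]   # SOA only, as in the thread
# RPZ local data from the first post, as it would sit in an RPZ zone named rpz.example
RPZ_LOCAL_DATA = [("foo.bar.com.rpz.example", "A", "10.11.12.13"),
                  ("foo.bar.com.rpz.example", "TXT", "Hello World"),
                  ("foo.bar.com.rpz.example", "NS", "ns.example.com.")]

if __name__ == "__main__":
    print(zone_problems("privatelink.example.net", PUBLIC_ZONE))    # []
    print(zone_problems("privatelink.example.net", PRIVATE_ZONE))   # ['privatelink.example.net: no NS record at apex']
    print(zone_cut_conflicts("rpz.example", RPZ_LOCAL_DATA))        # [('foo.bar.com.rpz.example', ['A', 'TXT'])]
```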