RPZ rule to apply to NS record requests?

John Thurston john.thurston at alaska.gov
Tue Nov 16 17:30:10 UTC 2021

On 11/16/2021 2:41 AM, Tony Finch wrote:
> John Thurston <john.thurston at alaska.gov> wrote:
>> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
>> to be sent for a specific record-type for a specific name:
>>     foo.bar.com  IN  A
>>     foo.bar.com  IN TXT "Hello World"
>> But I can't seem to define one for the record-type NS.
>> Is this possible?
> The RPZ documentation doesn't say you can't include NS records as "local
> data", but I guess you might trip over BIND's checks for what makes sense
> at a zone cut: in a normal zone you can't have A and TXT and NS at the
> same name (unless it's the zone apex).
> But even if it did work, it's unlikely to do what you want. (You didn't
> say why you want NS records so that's a somewhat risky assumption...)

TL;DR: I'm trying to cover up someone else's mess.

I didn't describe the reason because it is painful.

We use products from Major Software (hereafter referred to as MS). They 
use DNS to provide pointers to public and private versions of similar 
services. These pointers are served from public or private authoritative 
servers owned and operated by MS. The zones defined on the public 
authorities contain both SOA and NS records for each zone. The zones 
defined on the private authorities have only the SOA records.

Per RFC, an SOA and NS are the minimal records required of a zone. When 
we define forward zones in our internal resolvers (e.g., "Please send 
queries for these private names directly to this MS resolver"), our 
automated monitoring system goes berserk. "Danger! Danger! The zone 
privatelink.MS.net is invalid! It has no NS record!! Danger! Something 
is wrong! Stop forwarding! Call the Authorities!"

I recognize MS probably doesn't care they are serving up an invalid 
zone. I also recognize that my bosses probably are not going to quit 
using products and services from MS. I don't want to try to dismantle 
(or cripple) the monitoring system which is keeping an eye on all the 
other zones for which we forward. I'm, therefore, left trying to imagine 
some way to abuse something in my control so my monitoring system doesn't 
notice these private MS zones are invalid.

I had _hoped_ I could use an RPZ to say:
   privatelink.MS.net  IN  NS

My monitoring system would query DNS, find the SOA (from the real 
authorities) and an NS (from my RPZ) and go away happy.

I recognize that the correct answer is to convince MS to correctly 
publish their private zones. But after a couple of decades of working 
with products from Major Software, I have more confidence I'll score on 
the next Powerball than they will acknowledge the deficiency (let alone 
consider correcting it).

Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

