Removal notice: Response Policy Server (BIND 9.21+)
Ondřej Surý
ondrej at isc.org
Wed Aug 21 07:55:09 UTC 2024
No, it didn’t work with any policy. The feature required librpz.so, which was a binary blob provided to Farsight customers. It was wrong to accept this code into BIND 9 in the first place. BIND 9 already had a working RPZ implementation and the effort would be better spent on improving RPZ for everyone.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 21. 8. 2024, at 9:26, Paul Vixie <paul at redbarn.org> wrote:
>
>
> It worked with any policy source, not just Farsight. However, it is no longer necessary since ISC now has a native RPZ implementation. Thanks for that.
>
> p vixie
>
> On Aug 20, 2024 23:55, Ondřej Surý <ondrej at isc.org> wrote:
> Hello,
>
> In line with ISC's deprecation policy, I am notifying the mailing list
> of our intent to remove Response-Policy Server support.
>
> Back in 2018, Farsight Security[1] contributed a patch to BIND that was
> an optional replacement to our native RPZ implementation. At that time,
> our RPZ implementation wasn’t scaling very well, and we accepted
> the patch. This patch, however, only worked with Farsight’s own RPZ
> service, so its utility is limited to Farsight customers. We do not think
> this patch really belongs in the open source BIND 9 version. Removing the
> feature that has a limited user base will allow us to improve the RPZ
> (Response-Policy Zones) feature that's native to BIND 9 and available
> to all BIND 9 users.
>
> The feature is called DNSRPS, or the Response Policy Server. Farsight
> called it “FastRPZ”, but in the ARM it is called the Response Policy Server[2].
>
> The support for DNSRPS/FastRPZ will be deprecated as of BIND 9.20
> and removed in BIND 9.21/9.22.
>
> 1. Since then Farsight Security has been acquired by DomainTools.
> 2. https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnsrps-enable.
>
> Cheers,
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
> --
> bind-announce mailing list
> bind-announce at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-announce