Removal notice: Response Policy Server (BIND 9.21+)
Paul Vixie
paul at redbarn.org
Thu Aug 22 04:22:44 UTC 2024
If that's how it worked then it was indeed an error. That was not Farsight's goal or my understanding. In any case RPZ no longer needs special code from anywhere and I share your joy about that.
p vixie
On Aug 21, 2024 00:55, Ondřej Surý <ondrej at isc.org> wrote:
No, it didn’t work with any policy. The feature required librpz.so that was a binary blob provided to Farsight customers. It was wrong to accept this code into BIND 9 in the first place. BIND 9 already had a working RPZ implementation and the effort would be better spent on improving RPZ for everyone.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
On 21. 8. 2024, at 9:26, Paul Vixie <paul at redbarn.org> wrote:
It worked with any policy source, not just Farsight. However, it is no longer necessary since ISC now has a native RPZ implementation. Thanks for that.
p vixie
On Aug 20, 2024 23:55, Ondřej Surý <ondrej at isc.org> wrote:
Hello,
In line with ISC's deprecation policy, I am notifying the mailing list
of our intent to remove support for Response-Policy Server.
Back in 2018, Farsight Security[1] contributed a patch to BIND that was
an optional replacement to our native RPZ implementation. At that time,
our RPZ implementation wasn’t scaling very well, and we accepted
the patch. This patch, however, only worked with Farsight’s own RPZ
service, so its utility is limited to Farsight customers. We do not think
this patch really belongs in the open source BIND 9 version. Removing the
feature that has a limited user-base will allow us to improve the RPZ
(Response-Policy Zones) feature that's native to BIND 9 and available
to all BIND 9 users.
The feature is called DNSRPS, or the Response Policy Server. Farsight
called it “FastRPZ”, but in the ARM it is called the Response Policy Server[2].
The support for DNSRPS/FastRPZ will be deprecated as of BIND 9.20
and removed in BIND 9.21/9.22.
1. Since then Farsight Security has been acquired by DomainTools.
2. https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnsrps-enable.
Cheers,
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
--
bind-announce mailing list
bind-announce at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce