Using a DLZ as RPZ?
Petr Špaček
pspacek at isc.org
Tue Dec 2 09:26:08 UTC 2025
On 02. 12. 25 0:11, Jesus Cea wrote:
> "fake" SOA in the ADDITIONAL section of the NXDOMAIN reply for allowing
> negative caching.

FTR, the SOA in the ADDITIONAL section is only informative - basically saying
"this RPZ blocked it".

For negative caching you would have to put the SOA into the AUTHORITY section -
with the correct zone name as the SOA RR owner. Using a random name might cause
a retry storm from clients (if a particular client implementation checks
things).

Figuring out the correct zone cut to use as the SOA RR owner might not be worth
the hassle. Just saying.

--
Petr Špaček
Internet Systems Consortium
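
The distinction drawn in this message, as an added example that is not part of the original post: a Python sketch of how a client following RFC 2308 decides whether an NXDOMAIN reply can be negatively cached. The `RR` tuple, the function names and the sample zone names are constructed for illustration, and the owner-name check models a client implementation that "checks things".

```python
from typing import NamedTuple, Optional

class RR(NamedTuple):
    owner: str
    rtype: str
    ttl: int
    soa_minimum: int = 0  # SOA MINIMUM field; unused for other record types

def labels(name: str) -> list:
    """Lower-cased labels of a domain name; the root yields an empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def encloses(zone: str, qname: str) -> bool:
    """True if zone equals qname or is an ancestor of it (label-wise)."""
    z, q = labels(zone), labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z

def negative_ttl(qname: str, authority: list, additional: list) -> Optional[int]:
    """Seconds the NXDOMAIN may be cached, or None if it is not cacheable.

    RFC 2308: only an SOA in the AUTHORITY section counts, and the negative
    TTL is min(SOA record TTL, SOA MINIMUM). `additional` is accepted only to
    make explicit that it is never consulted. Rejecting an SOA whose owner
    does not enclose qname is the strict-client behaviour assumed here.
    """
    for rr in authority:
        if rr.rtype == "SOA" and encloses(rr.owner, qname):
            return min(rr.ttl, rr.soa_minimum)
    return None

# Constructed sample data, not taken from any real RPZ deployment.
QNAME = "ads.blocked.example."
SOA_RPZ = RR("rpz.local.", "SOA", 60, 30)          # policy zone's own name
SOA_ZONE = RR("blocked.example.", "SOA", 60, 30)   # plausible zone cut

if __name__ == "__main__":
    cases = {
        "SOA only in ADDITIONAL": ([], [SOA_RPZ]),
        "SOA in AUTHORITY, unrelated owner": ([SOA_RPZ], []),
        "SOA in AUTHORITY, enclosing owner": ([SOA_ZONE], []),
    }
    for label, (auth, addl) in cases.items():
        print(f"{label}: negative TTL = {negative_ttl(QNAME, auth, addl)}")
```

A result of `None` means the client has nothing to cache and will ask again on the next lookup, which is the retry behaviour the message warns about.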