use RPZ to override AAAA record

Petr Menšík pemensik at redhat.com
Tue Nov 18 17:57:43 UTC 2025


I think IPv6 link-local addresses in general do not work, because they 
also need an interface scope_id parameter to initiate a connection to 
that address.

I think resolvers should in general block any link-local addresses from 
anywhere. It works on Linux with mdns only (it can assign the correct 
interface scope_id), never over DNS unicast responses.

I would prefer not doing this over RPZ, but by a common option toggle in 
the configuration. I cannot see a reason why anyone would want it enabled 
by default.

On 17/11/2025 16:18, Matus UHLAR - fantomas wrote:
> Hello,
>
> On 07.11.25 12:52, Crist Clark wrote:
>> I still don't understand why an RPZ entry of,
>>
>> 10.zz.fe80. IN CNAME *.
>>
>> Doesn't work for you. Is there a reason you just want to block IPv6 LL
>> addresses for this domain but allow for others?
>
> There's one more reason - in case of a domain pointing to link-local 
> address space, I believe it's better to block access to the domain at 
> proxy level (as done by default).
>
> I needed to allow this one particular domain, the rest would better be 
> blocked as suspicious.
Can you share how these addresses are used? I think it can work only for 
specification of a listening IP address. But then it should not need the 
DNS protocol to resolve it. Would an nsswitch plugin used before dns be 
enough?
>
>
> On 07.11.25 19:11, Lee wrote:
>> because it's missing rpz-ip?
>>
>> I've got
>>
>> ; return NXDOMAIN for any ipv6 link local address answer
>> 10.zz.fe80.rpz-ip       CNAME   .       ;  FE80::/10
>>
>> and it doesn't work for me :(
>
> On 09.11.25 09:10, Nick Tait via bind-users wrote:
>> This works for me (BIND 9.20.11):
>>
>> 10.zz.fe80.rpz-ip IN CNAME *.
>>
>> (You need to rewrite using NODATA, rather than NXDOMAIN.)
>
>
> Thanks guys, you helped me.
>
>
> I've had to search for some more complete description of RPZ so I 
> could feel like I know what I'm doing.
>
> Searching the internet for "rpz dns" produced many results describing 
> what it does, but not many of them gave a detailed list of options.
>
> Searching for "bind rpz" produced this document:
> https://www.isc.org/docs/BIND_RPZ.pdf
> - which unfortunately shows "ns-ip" instead of "rpz-ip" which quite 
> confused me.
>
>
> Looking at section 6.9 of the ARM produces the theoretical information 
> I found insufficient when browsing the net.
>
>
> Finally, the docs are buried in BIND arm REFERENCE (8.2.3.15)
> https://bind9.readthedocs.io/en/latest/reference.html#response-policy-zone-rpz-rewriting 
>
>
> and I can confirm this works, although globally for all responses.
>
>
> Thanks for cooperation.
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
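A small helper for the rpz-ip owner-name encoding used in the quoted entries (prefix length first, then the address labels in reverse order with leading zeros dropped and a "::" run written as "zz"), added here as an illustration; it is not code from the thread or from BIND. The zone name rpz.example and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed zone name; the real RPZ zone name is whatever named.conf lists.
RPZ_ZONE = "rpz.example"

# RPZ actions as CNAME targets; NODATA ("CNAME *.") is what worked in the thread.
ACTIONS = {"nxdomain": "CNAME .", "nodata": "CNAME *.", "passthru": "CNAME rpz-passthru."}


def rpz_ip_name(network: str, zone: str = RPZ_ZONE) -> str:
    """Encode a CIDR block as an rpz-ip trigger owner name.

    Format: <prefixlen>.<address labels reversed>.rpz-ip.<zone>; IPv6 hextets
    drop leading zeros and a "::" run becomes the single label "zz".
    """
    net = ipaddress.ip_network(network, strict=True)
    addr = str(net.network_address)            # compressed form, e.g. "fe80::"
    if net.version == 4:
        labels = addr.split(".")
    elif "::" in addr:
        left, right = addr.split("::")
        labels = [h for h in left.split(":") if h] + ["zz"] + [h for h in right.split(":") if h]
    else:
        labels = addr.split(":")               # all eight hextets present
    return f"{net.prefixlen}." + ".".join(reversed(labels)) + f".rpz-ip.{zone}"


def rpz_ip_network(owner: str, zone: str = RPZ_ZONE):
    """Decode an rpz-ip owner name back into the ip_network it triggers on."""
    suffix = f".rpz-ip.{zone}"
    if not owner.endswith(suffix):
        raise ValueError(f"not an rpz-ip name in {zone}: {owner}")
    prefixlen, *labels = owner[: -len(suffix)].split(".")
    labels.reverse()                            # back to network order
    is_v6 = "zz" in labels or len(labels) == 8 or not all(l.isdigit() for l in labels)
    if not is_v6:
        addr = ".".join(labels)
    elif "zz" in labels:
        i = labels.index("zz")
        addr = ":".join(labels[:i]) + "::" + ":".join(labels[i + 1:])
    else:
        addr = ":".join(labels)
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=True)


def rpz_record(network: str, action: str = "nodata", zone: str = RPZ_ZONE) -> str:
    """Render the zone-file line (owner relative to the zone), e.g. the fe80::/10 rule."""
    owner = rpz_ip_name(network, zone)[: -len("." + zone)]
    return f"{owner} IN {ACTIONS[action]}"


def answer_triggers(answer_ip: str, owner: str, zone: str = RPZ_ZONE) -> bool:
    """Would an A/AAAA answer of answer_ip match this rpz-ip trigger?"""
    return ipaddress.ip_address(answer_ip) in rpz_ip_network(owner, zone)
```

Checking a candidate AAAA answer with answer_triggers before deploying a rule is a quick way to confirm the encoding covers the block you intended and nothing more.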