<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Configure sortlists to
push those bad A records to the end of the response. This may on the
surface seem like a kludge, but remember, the whole point of
sortlists is to give preference to certain addresses over others,
and IMO, a working/reachable address is "preferred" over one that
isn't working or isn't reachable :-)<br>
<br>
- Kevin<br>
On 6/9/2012 11:23 PM, Andris Kalnozols wrote:
<blockquote cite="mid:4FD41317.9010501@hpl.hp.com" type="cite">I
have the following issue:
<br>
<br>
* A domain name which our organization does not control is used
<br>
for authentication. It returns 40 A records which point to
<br>
various MS Active Directory servers throughout the company.
<br>
<br>
* A few of these A records point to non-functioning hosts and
<br>
cause delays for clients which have the bad luck to encounter
<br>
a bad server as the first A record in their DNS response.
<br>
<br>
The BIND 9.9.1 ARM describes two methods of content filtering:
<br>
<br>
deny-answer-addresses
<br>
---------------------
<br>
This is an all-or-nothing feature that returns a SERVFAIL
response
<br>
if *any* address in its match list is returned in the answer
<br>
section. No selective filtering seems possible.
<br>
<br>
response-policy
<br>
---------------
<br>
I configured a simple RPZ as follows:
<br>
<br>
options {
<br>
...
<br>
response-policy { zone "hpl-rpz"; };
<br>
};
<br>
zone "hpl-rpz" {
<br>
type master;
<br>
file "db.hpl-rpz";
<br>
allow-query { localhost; };
<br>
};
<br>
<br>
The RPZ zone has the following policy records:
<br>
<br>
32.121.184.205.16.rpz-ip CNAME *. ; NODATA
<br>
32.24.52.228.16.rpz-ip CNAME *.
<br>
8.0.0.0.16.rpz-ip CNAME 8.0.0.0.16. ; PASSTHRU
<br>
<br>
Again, this functions as an all-or-nothing filter with or
without
<br>
the passthru record. A NODATA response is returned for the
domain
<br>
name instead of an answer with 38 good A records.
<br>
<br>
I don't want to go down the road of hardcoding my resolvers to be
<br>
authoritative for this domain name. Is RPZ or some other BIND
<br>
feature capable of telling little white lies of omission or just
<br>
big whoppers when it comes to domain names with multiple
addresses?
<br>
<br>
------
<br>
Andris
<br>
<br>
</blockquote>
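Kevin's sortlist suggestion written out as an added named.conf fragment (it is not configuration from the thread or from ISC). It assumes the two dead hosts are the addresses encoded in Andris's rpz-ip records, 16.205.184.121 and 16.228.52.24 (an rpz-ip label carries the prefix length followed by the address octets in reverse order), and that all 40 Active Directory servers sit inside 16.0.0.0/8.

```conf
options {
    // other options omitted

    // Added example, not the poster's or ISC's configuration.
    // Each sortlist entry is { <query-source match>; <topology preference list>; }.
    // An answer address that matches the preference list gets the position of
    // the entry it matched as its "distance"; the shortest distance is sent first.
    // A negated entry "!address" places a matching address behind every positive
    // match, so the dead servers land at the end of the answer. Nothing is
    // removed: the response still carries all 40 A records.
    sortlist {
        {
            any;                    // apply to queries from every client
            {
                !16.205.184.121;    // decoded from 32.121.184.205.16.rpz-ip (assumed dead)
                !16.228.52.24;      // decoded from 32.24.52.228.16.rpz-ip  (assumed dead)
                16.0.0.0/8;         // all remaining AD servers are preferred
            };
        };
    };
};
```

After reloading, a `dig` for the name from a client covered by the entry should show the two addresses as the last A records; because they are reordered rather than filtered, only clients that try addresses in response order benefit.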
<br>
</body>
</html>