<div dir="ltr">I have not yet received an answer to my query. It appears that when using RPZ to return bogus addresses it will respond to queries for CNAME, MX, and SRV records. However, if the target name of those records is expected to resolve outside of RPZ, then the name needs to be terminated with a period (normal FQDN). If the target name is in RPZ it should not be terminated with a period. Apparently when doing the recursion required to resolve the target names, BIND doesn't use RPZ. Is this the correct behaviour? Details are in my previous posts.<div><br></div><div>Regards,</div><div><br></div><div>Bob</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 16, 2015 at 2:07 PM, Bob McDonald <span dir="ltr"><<a href="mailto:bmcdonaldjr@gmail.com" target="_blank">bmcdonaldjr@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Requested information:<div><br></div>
<div><div>options {</div>
<div> directory "/opt/incontrol/dns/db";</div>
<div> allow-query { 127.0.0.1; rfc1918-nets; };</div>
<div> also-notify { 172.26.100.10 port 5053 ; 172.26.100.11 ; };</div>
<div> listen-on { 127.0.0.1; };</div>
<div> listen-on { 172.26.99.160; };</div>
<div> listen-on-v6 { none; };</div>
<div> masterfile-format text;</div>
<div> empty-zones-enable no;</div>
<div> notify-source 172.26.99.160 ;</div>
<div> version none;</div>
<div> server-id hostname ;</div>
<div> query-source address 172.26.99.160 ;</div>
<div> forward only ;</div>
<div> forwarders { 172.26.1.9; 172.26.1.12; };</div>
<div> allow-notify { any ; };</div>
<div> allow-transfer { any; };</div>
<div> allow-update { any ; };</div>
<div> response-policy { zone "rpz-zone01" policy given max-policy-ttl 28800 ;</div>
<div> zone "rpz-zone02" policy given max-policy-ttl 28800 ; };</div>
<div> notify explicit ;</div>
<div> transfer-source 172.26.99.160 ;</div>
<div> check-names master warn ;</div>
<div> check-names slave warn ;</div>
<div> pid-file "/opt/incontrol/etc/named.pid";</div>
<div>};</div></div>
<div>zone "rpz-zone01" {</div>
<div><div> type master;</div>
<div> file "db.rpz-zone01";</div>
<div> forwarders { };</div>
<div>};</div>
<div><br></div>
<div>zone "rpz-zone02" {</div>
<div> type master;</div>
<div> file "db.rpz-zone02";</div>
<div> forwarders { };</div>
<div>};</div>
<div><br></div></div>
<div><div>$TTL 28800</div>
<div><br></div>
<div>@ IN SOA sapphire-x5-agent.pcn.local. hostmaster.pcn-inc.com. (</div>
<div> 9 ; Serial</div>
<div> 86400 ; Refresh</div>
<div> 900 ; Retry</div>
<div> 3600000 ; Expire</div>
<div> 300 ) ; Negative cache TTL</div>
<div><br></div>
<div>;-----------------------------</div>
<div>; NS Records</div>
<div>;-----------------------------</div>
<div> NS sapphire-x5-agent.pcn.local.</div>
<div> NS sapphire-agent-00.pcn.local.</div>
<div>sapphire-x5-agent.pcn.local. IN A 172.26.99.160</div>
<div>sapphire-agent-00.pcn.local. IN A 172.26.100.11</div>
<div><br></div>
<div>;-----------------------------</div>
<div>; Resource Records for rpz-zone02.</div>
<div>;-----------------------------</div>
<div>$ORIGIN rpz-zone02.</div>
<div>$TTL 28800</div>
<div><br></div>
<div>www.arqiva.com 28800 IN CNAME www.arqiva-integration.com.</div>
<div>www.arqiva-integration.com 28800 IN A 83.138.41.100</div>
<div><br></div></div>
<div><br></div><div>Let me know what else you need.</div><div><br></div><div>Regards,</div><div><br></div><div>Bob</div><div><br></div><div><br></div></div>
</blockquote></div><br></div>
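The trailing-dot distinction the post turns on can be checked mechanically before a zone is loaded. The script below is an added example, not code from the post or from BIND: it applies the master-file $ORIGIN rule to each CNAME target in an RPZ zone and reports whether the target stays inside the RPZ zone or is handed to normal recursion. The record names come from the quoted rpz-zone02 data; the extra mail.arqiva.com record, the parser and the verdict labels are constructed for illustration.

```python
# Added example, not from the post or from BIND: apply the master-file
# $ORIGIN rule to an RPZ zone's CNAME targets and report whether each
# target stays inside the RPZ zone or is handed to normal recursion.
# Handles single-line records with an explicit owner name only.
# Constructed sample modelled on the quoted rpz-zone02 data, plus one
# record whose CNAME target deliberately lacks the trailing dot.
SAMPLE_ZONE = """\
$ORIGIN rpz-zone02.
$TTL 28800
www.arqiva.com 28800 IN CNAME www.arqiva-integration.com.   ; FQDN target
www.arqiva-integration.com 28800 IN A 83.138.41.100
mail.arqiva.com 28800 IN CNAME www.arqiva-integration.com    ; relative target
"""

def qualify(name: str, origin: str) -> str:
    """Master-file rule: a name without a trailing dot is relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_rpz(text: str) -> tuple[str, set[str], list[tuple[str, str]]]:
    """Return (origin, all owner names, [(cname owner, qualified target), ...])."""
    origin, owners, cnames = ".", set(), []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()  # strip comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives
            continue
        owner = qualify(tokens[0], origin)
        owners.add(owner)
        if "CNAME" in tokens:
            cnames.append((owner, qualify(tokens[tokens.index("CNAME") + 1], origin)))
    return origin, owners, cnames

def classify_targets(text: str) -> dict[str, str]:
    """Map each CNAME owner to where its target will be answered from."""
    origin, owners, cnames = parse_rpz(text)
    verdict = {}
    for owner, target in cnames:
        if target.endswith("." + origin):
            verdict[owner] = "in-rpz"  # target is an owner in the RPZ zone itself
        elif target.rstrip(".") + "." + origin in owners:
            # A trigger exists for this name, but a dot-terminated target goes
            # to normal recursion, which the post reports does not apply RPZ.
            verdict[owner] = "fqdn-recursed"
        else:
            verdict[owner] = "external"
    return verdict
```

Running `classify_targets(SAMPLE_ZONE)` flags www.arqiva.com as "fqdn-recursed", the case where the author expected the RPZ A record to be used, and mail.arqiva.com as "in-rpz".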