<div dir="ltr">Correct and that's what my confusion is. <div>So,
file "zone/test.rpz.dotat.at" will hold all my wall-gardened zones? And I just need to keep adding my domain list to that?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 17, 2018 at 5:16 PM, Tony Finch <span dir="ltr"><<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Blason R <<a href="mailto:blason16@gmail.com">blason16@gmail.com</a>> wrote:<br>
><br>
> I am building DNS RPZ and I am a complete novice. I will be having around<br>
> 10-20k zones which my DNS will be wall-gardening.<br>
><br>
> Just wondering how this can be done with DNS RPZ? Since the zones have to be<br>
> included in named.conf.<br>
<br>
</span>It sounds to me like you are getting muddled up between the old pre-RPZ<br>
way of blocking domains, and the way to do it with RPZ.<br>
<br>
The old way was to configure a local authoritative zone which would catch<br>
queries for a domain that you wanted to block - if you wanted tens of<br>
thousands of blocks you needed tens of thousands of local zones. Not much<br>
fun.<br>
<br>
The RPZ way only requires one zone, and each blocked domain is an entry in<br>
that zone. A zone with tens of thousands of records is easy.<br>
<br>
So, for example, my named.conf includes:<br>
<br>
# ...<br>
# One response-policy statement names the policy zone(s). Every blocked<br>
# domain is a record inside that zone, not a separate zone statement here.<br>
response-policy {<br>
    zone "test.rpz.dotat.at";<br>
}<br>
break-dnssec yes        # rewrite answers even when they validated under DNSSEC<br>
max-policy-ttl 5m       # cap the TTL on rewritten answers so changes take effect quickly<br>
qname-wait-recurse no   # answer QNAME-triggered hits without recursing first<br>
;<br>
# ...<br>
# The policy zone itself is an ordinary local master zone. update-policy local<br>
# lets nsupdate -l add and remove entries at runtime without a reload.<br>
zone "test.rpz.dotat.at" {<br>
    type master;<br>
    file "zone/test.rpz.dotat.at";<br>
    masterfile-format raw;   # binary zone file; text zones are converted with named-compilezone -F raw<br>
    update-policy local;<br>
};<br>
# ...<br>
<br>
And in the zone file:<br>
<br>
$ORIGIN test.rpz.dotat.at.<br>
$TTL 3600<br>
; The serial must increase on every change so named notices the new contents.<br>
@       IN SOA  grey.dotat.at. dot.dotat.at. (<br>
                69 3600 3600 604800 3600 )<br>
        NS      grey.dotat.at.<br>
; Each blocked domain is a QNAME trigger, written relative to $ORIGIN.<br>
; "CNAME ." is the RPZ NXDOMAIN action; the wildcard line catches every subdomain.<br>
badguy.com      CNAME .<br>
*.badguy.com    CNAME .<br>
pills.biz       CNAME .<br>
*.pills.biz     CNAME .<br>
; more blocked domains...<br>
<span class="HOEnZb"><font color="#888888"><br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> <a href="http://dotat.at/" rel="noreferrer" target="_blank">http://dotat.at/</a><br>
partnership and community in all areas of life<br>
</font></span></blockquote></div><br></div>
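<div>As an added example that is not part of the thread and is not Tony Finch's or ISC's code: the maintenance task the thread ends on is turning a 10-20k line domain list into records in the one policy zone, so the Python below generates that zone file. It takes a plain domain list, normalizes and de-duplicates it, emits the <code>CNAME .</code> plus wildcard trigger pair per domain that the quoted zone file shows, lets the action be swapped for a walled-garden redirect (the RPZ local-data action, a CNAME to a hostname) since the original question was about wall-gardening, and writes a SOA whose serial the caller must increase on every change. The zone name, nameserver and hostmaster are taken from the quoted example; the sample input list is constructed.</div>

```python
"""Generate a BIND RPZ zone file from a plain domain list.

Added example, not code from the thread, from Tony Finch or from ISC.
The zone name, nameserver and SAMPLE_LIST below are constructed for
illustration.
"""
import re
from datetime import date
from typing import Iterable, List, Optional, Tuple

# RFC 1035 hostname label: letters, digits, hyphen; 1-63 octets; no edge hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# RPZ encodes the policy action in the CNAME target of the trigger record.
ACTIONS = {
    "nxdomain": ".",              # CNAME .              -> answer NXDOMAIN
    "nodata": "*.",               # CNAME *.             -> answer NODATA
    "passthru": "rpz-passthru.",  # CNAME rpz-passthru.  -> exempt from policy
    "drop": "rpz-drop.",          # CNAME rpz-drop.      -> discard the query
    "tcp-only": "rpz-tcp-only.",  # CNAME rpz-tcp-only.  -> force retry over TCP
}


def _is_hostname(name: str) -> bool:
    return bool(name) and all(_LABEL.match(label) for label in name.split("."))


def rpz_target(action: str) -> str:
    """Map an action name, or an absolute walled-garden hostname, to its CNAME target.

    A hostname (with trailing dot) is the RPZ local-data action: the client is
    redirected to that name instead of receiving NXDOMAIN."""
    if action in ACTIONS:
        return ACTIONS[action]
    if action.endswith(".") and _is_hostname(action[:-1]):
        return action
    raise ValueError(f"unknown RPZ action: {action!r}")


def normalize(entry: str) -> Optional[str]:
    """Lower-case and drop a trailing dot; None if not a valid hostname."""
    d = entry.strip().lower().rstrip(".")
    return d if _is_hostname(d) else None


def date_serial(day: date, revision: int) -> int:
    """Conventional YYYYMMDDnn serial; revision counts edits within one day."""
    return int(day.strftime("%Y%m%d")) * 100 + revision


def build_rpz_zone(domains: Iterable[str], origin: str, primary_ns: str,
                   hostmaster: str, serial: int, action: str = "nxdomain",
                   ttl: int = 3600) -> Tuple[str, List[str]]:
    """Return (zone_text, rejected_entries).

    Each accepted domain becomes two QNAME triggers relative to $ORIGIN: the
    domain itself and a wildcard for everything under it. Duplicates are folded
    after normalization; comment and blank lines are skipped."""
    target = rpz_target(action)
    seen = set()
    rejected: List[str] = []
    records: List[str] = []
    for raw in domains:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = normalize(line)
        # The full owner "*.<domain>.<origin>" must fit the 253-character text limit.
        if d is None or len(f"*.{d}.{origin}") > 253:
            rejected.append(line)
            continue
        if d in seen:
            continue
        seen.add(d)
        records.append(f"{d} CNAME {target}")
        records.append(f"*.{d} CNAME {target}")
    header = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        f"@ IN SOA {primary_ns} {hostmaster} (",
        f"        {serial} 3600 3600 604800 3600 )",
        f"        NS {primary_ns}",
    ]
    return "\n".join(header + records) + "\n", rejected


# Constructed sample input (not from the thread): a hand-maintained list with a
# comment, a blank line, mixed case, a trailing dot, a duplicate and two
# entries that are not valid hostnames.
SAMPLE_LIST = [
    "# walled-garden list",
    "badguy.com",
    "",
    "BadGuy.COM.",
    "pills.biz",
    "bad_domain.com",
    "-dash.example",
]

if __name__ == "__main__":
    text, bad = build_rpz_zone(SAMPLE_LIST, "test.rpz.dotat.at", "grey.dotat.at.",
                               "dot.dotat.at.", date_serial(date(2018, 4, 17), 1))
    print(text)
    print("rejected:", bad)
```

<div>Regenerating the whole file from the list is simpler to audit than editing a 20k-record zone in place. With <code>masterfile-format raw</code> as in the quoted named.conf, the text output has to be converted with <code>named-compilezone -F raw</code> before named loads it (or the zone statement can use the default text format), and a reload or <code>nsupdate -l</code> against <code>update-policy local</code> is what makes the new entries live.</div>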