<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Thanks for taking the time Nick and Grant,</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
As mentioned in a separate reply to Grant, the goal is to have (amongst other things) local recursors "find" the locally deployed authoritative servers through NS records. What hasn't been mentioned is that I am also looking to simplify configuration management
 by means of a single set of data which can be deployed to all authoritative servers - I don't think the RPZ solution proposed by Nick achieves that.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
That being said, can RPZ-CLIENT-IP be a subnet? I don't think it can.<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
So aside from the anycast suggestion, is there anything else I can look at with bind itself?</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
 - I didn't find much with respect to limiting a sortlist response to the first X responses.<br>
 - Admittedly I don't very well understand the RPZ documentation but I get the feeling it is not the way to go.<br>
 - Views seem to require duplication of the whole zonefile (this might be the only way to go) - I did find mention of "attach-cache" but this seems to be more about performance than anything else. I could create views for all of my networks - this is automatable.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Thanks</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
Angus<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size: 11pt;" face="Calibri, sans-serif" color="#000000"><b>From:</b> bind-users &lt;bind-users-bounces@lists.isc.org&gt; on behalf of Nick Tait via bind-users &lt;bind-users@lists.isc.org&gt;<br>
<b>Sent:</b> 14 May 2022 02:34<br>
<b>To:</b> bind-users@lists.isc.org &lt;bind-users@lists.isc.org&gt;<br>
<b>Subject:</b> Re: per record responses based on originating IP</font>
<div> </div>
</div>
<div>
<div class="x_moz-cite-prefix">On 13/05/22 09:02, Grant Taylor via bind-users wrote:<br>
</div>
<blockquote type="cite">On 5/12/22 2:41 PM, Nick Tait via bind-users wrote: <br>
<blockquote type="cite">This sounds like exactly the sort of use case for Response Policy Zones:
<br>
</blockquote>
<br>
How are you going to have RPZ return different addresses for different clients?  Are you suggesting use different RPZs with different contents for different clients?
<br>
</blockquote>
<p>Yes, although now that I think through the details it turns out to be much messier than I first thought, because there doesn't seem to be a way to specify "not" in the RPZ...</p>
<p>Also I should point out that I'm assuming that a PASSTHRU result in one RPZ will still result in subsequent RPZs being processed. I haven't actually tested this, so it's possible I'm misunderstanding the documentation?</p>
<p>Anyway in the interests of following this all the way through, let's assume you had 3 clients and you wanted them to each receive a different answer to the query "www.example.com":</p>
<p>Suppose their IP addresses are:</p>
<blockquote>A = 192.0.2.10<br>
B = 192.0.2.20<br>
C = 192.0.2.30<br>
</blockquote>
<p>Then, if I'm not mistaken, you could create 3 RPZ zones:</p>
<p>Zone file for "a.rpz.mylocaldomain.com" contains (in addition to SOA, etc):</p>
<blockquote>; Don't overwrite the answer for queries received from clients B & C<br>
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
<br>
; Change the answer to the question www.example.com<br>
www.example.com IN A 10.0.0.1<br>
</blockquote>
<p>Zone file for "b.rpz.mylocaldomain.com" contains (in addition to SOA, etc):</p>
<blockquote>; Don't overwrite the answer for queries received from clients A & C<br>
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
32.30.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
<br>
; Change the answer to the question www.example.com<br>
www.example.com IN A 10.0.0.2<br>
</blockquote>
<p>Zone file for "c.rpz.mylocaldomain.com" contains (in addition to SOA, etc):</p>
<blockquote>; Don't overwrite the answer for queries received from clients A & B<br>
32.10.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
32.20.2.0.192.rpz-client-ip IN CNAME rpz-passthru.<br>
<br>
; Change the answer to the question www.example.com<br>
www.example.com IN A 10.0.0.3<br>
</blockquote>
<p>And then configure BIND to use all three RPZs:</p>
<blockquote>
<p>response-policy {<br>
    zone "a.rpz.mylocaldomain.com"; <br>
    zone "b.rpz.mylocaldomain.com"; <br>
    zone "c.rpz.mylocaldomain.com"; <br>
};<br>
</p>
</blockquote>
<p>Scalability is obviously a challenge with this particular solution! :-(<br>
</p>
<p>So on reflection, there are probably better solutions to the problem that you are trying to solve. Although I don't personally have experience with it, I wonder if "dnsmasq" might do what you need?<br>
</p>
<p>Thanks,<br>
</p>
<p>Nick.<br>
</p>
</div>
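<div>
<p>The three-zone layout Nick sketches above, written out as a generator. This is an added example and is not code from the thread or from ISC: it takes one table of client address (or prefix) to answer and emits one RPZ zone per client, each passing through every other client and rewriting the qname for its own, plus the matching response-policy stanza. The zone suffix "rpz.mylocaldomain.com", the localhost SOA/NS contents, the 60-second TTL and the 10.0.0.x answers are assumptions for illustration; only IPv4 triggers are encoded. The owner-name encoding follows the BIND ARM's prefix.B4.B3.B2.B1.rpz-client-ip form, so a /24 is written exactly the same way as a /32.</p>

```python
"""Generate per-client BIND Response Policy Zones (added example, not from the thread).

One input table (client -> answer for a single qname) is turned into N RPZ
zone files plus a response-policy stanza, following the scheme discussed in
the thread: every zone passes through all *other* clients, so only its own
client reaches the qname rewrite.  Zone suffix, SOA contents, TTL and the
answer addresses below are assumptions for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List


def client_ip_trigger(cidr: str) -> str:
    """Encode an IPv4 address or prefix as an RPZ CLIENT-IP trigger owner name.

    BIND writes IP triggers as prefix.B4.B3.B2.B1.rpz-client-ip: the prefix
    length first, then the octets in reverse order.  192.0.2.10 (a /32)
    becomes 32.10.2.0.192.rpz-client-ip; 192.0.2.0/24 becomes
    24.0.2.0.192.rpz-client-ip.  IPv6 is deliberately not handled here.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this helper only encodes IPv4 triggers")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-client-ip"


def zone_label(cidr: str) -> str:
    """Derive a hostname-safe zone label from a client prefix (assumed naming)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}-{net.prefixlen}".replace(".", "-")


def build_rpz_zones(qname: str, answers: Dict[str, str],
                    suffix: str = "rpz.mylocaldomain.com",
                    serial: int = 1) -> Dict[str, str]:
    """Return {zone_name: zone_file_text}, one zone per client, in input order.

    `answers` maps a client address/prefix to the A record that client should
    get for `qname`.  Input order is preserved because BIND consults RPZs in
    the order they are listed in response-policy.
    """
    zones: Dict[str, str] = {}
    for client, addr in answers.items():
        zone_name = f"{zone_label(client)}.{suffix}"
        lines: List[str] = [
            "$TTL 60",
            f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 60 )",
            "@ IN NS localhost.",
            "; Don't overwrite the answer for queries received from the other clients",
        ]
        for other in answers:
            if other != client:
                lines.append(f"{client_ip_trigger(other)} IN CNAME rpz-passthru.")
        lines.append(f"; Change the answer to the question {qname}")
        # Owner is relative to the RPZ origin, which is how a QNAME trigger is written.
        lines.append(f"{qname} IN A {addr}")
        zones[zone_name] = "\n".join(lines) + "\n"
    return zones


def response_policy_stanza(zone_names: Iterable[str]) -> str:
    """Render the named.conf response-policy block listing the zones in order."""
    body = "".join(f'    zone "{z}";\n' for z in zone_names)
    return "response-policy {\n" + body + "};\n"


if __name__ == "__main__":
    # Constructed sample data matching the three clients in the thread.
    sample = {"192.0.2.10": "10.0.0.1", "192.0.2.20": "10.0.0.2", "192.0.2.30": "10.0.0.3"}
    generated = build_rpz_zones("www.example.com", sample)
    for name, text in generated.items():
        print(f"; ---- {name}\n{text}")
    print(response_policy_stanza(generated))
```

<p>Two things to keep in mind when running this. Each zone carries N-1 passthru records, so the data grows as N(N-1) with the number of clients, which is the scalability problem Nick points to. And the whole scheme rests on his untested assumption that a PASSTHRU match in an earlier zone still lets later zones be evaluated; test that against your BIND version before deploying.</p>
</div>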
</body>
</html>