<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>I hadn't had enough coffee when I wrote that. I was doing
in-addr.arpa translation in my head and confusing what was the TLD
of the query being submitted. If a customer is stupid enough to
ask for an A-record for 10.1.2.3, then the TLD of that name is
"3", not "10" . . duh. <br>
</p>
<p>So to make the RPZ work, I needed to stuff the zone file with 256
new entries. I did this by dusting off my knowledge of the
GENERATE directive (which involved RTFM):</p>
<blockquote>
<p>$GENERATE 0-255 *.$ CNAME .</p>
</blockquote>
<p>I also needed to populate the "validate-except" option with 256
new entries. I could find no elegant way to generate, abstract, or
'include' this, so just needed to put the long string of
characters inline:</p>
<blockquote>
<p>0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; . . .</p>
</blockquote>
<p>and it now behaves as desired; returning an unvalidated NXDOMAIN
for queries for ip addresses.<br>
</p>
<pre class="moz-signature" cols="72">--
Do things because you should, not just because you can.
John Thurston 907-465-8591
<a class="moz-txt-link-abbreviated" href="mailto:John.Thurston@alaska.gov">John.Thurston@alaska.gov</a>
Department of Administration
State of Alaska</pre>
<div class="moz-cite-prefix">On 1/25/2023 8:36 AM, John Thurston
wrote:<br>
</div>
<blockquote type="cite" cite="mid:abff327a-4218-da92-6fed-454ecec09148@alaska.gov">
<p>Off-list, it was suggested to me that I _could_ handle this in
my RPZ, by enumerating all 255 illegal TLDs (e.g. *.10 CNAME .
)</p>
<p>I tried this, and it works as expected when dnssec validation
is disabled (either globally, or with "validate-except"). My idea
right now is I can enumerate the TLDs of the numerics I see in my
logs, and ignore the rest. I think this will get me what I want,
at a level of complexity I can accept.</p>
</blockquote>
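<p>The two pieces of configuration the thread describes, generated by a short POSIX shell script: the RPZ zone file with the one-line $GENERATE directive (plus the 256 records it expands to), and a named.conf fragment carrying the 256-entry "validate-except" list. This is an added example, not part of John's message or of any BIND code; the zone name rpz.example, the SOA/NS placeholders, the 300 second TTL and the zone file path are assumptions for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the original message): generate the two pieces of
# BIND configuration the thread describes for the 256 numeric "TLDs" 0..255.
# Assumptions for illustration: zone name rpz.example, SOA/NS placeholders,
# the 300 s TTL and the zone file path.

RPZ_ZONE="${RPZ_ZONE:-rpz.example}"   # hypothetical RPZ zone name

# One "*.N CNAME ." record per numeric top-level label: this is what
#   $GENERATE 0-255 *.$ CNAME .
# expands to inside the RPZ zone, so a query such as A 10.1.2.3 (TLD "3")
# matches *.3 and is rewritten to NXDOMAIN (CNAME to the root).
rpz_numeric_tlds() {
    i=0
    while [ "$i" -le 255 ]; do
        printf '*.%d\tCNAME\t.\n' "$i"
        i=$((i + 1))
    done
}

# The inline list for validate-except { ... }: "0; 1; 2; ... 255;" with a
# space between entries and no trailing space.
validate_except_list() {
    i=0
    while [ "$i" -le 255 ]; do
        if [ "$i" -eq 0 ]; then
            printf '%d;' "$i"
        else
            printf ' %d;' "$i"
        fi
        i=$((i + 1))
    done
    printf '\n'
}

# Number of rewrite records in the zone fragment (sanity check: expect 256).
rpz_record_count() {
    rpz_numeric_tlds | wc -l | tr -d ' '
}

# A complete RPZ zone file, using the one-line $GENERATE form from the post.
rpz_zone_file() {
    cat <<EOF
\$TTL 300
@       IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
        IN NS   localhost.
; Rewrite every name whose top-level label is a number 0-255 to NXDOMAIN.
; This one line expands to the 256 records that rpz_numeric_tlds prints.
\$GENERATE 0-255 *.\$ CNAME .
EOF
}

# The named.conf pieces: skip DNSSEC validation for the numeric TLDs so the
# RPZ rewrite is returned unvalidated, and hook the zone into response-policy.
named_conf_fragment() {
    cat <<EOF
options {
    dnssec-validation auto;
    validate-except { $(validate_except_list) };
};
response-policy { zone "$RPZ_ZONE"; };
zone "$RPZ_ZONE" {
    type master;
    file "/etc/bind/$RPZ_ZONE.db";   // path is an assumption
};
EOF
}
```

<p>Run <code>rpz_zone_file &gt; /etc/bind/rpz.example.db</code> and paste the output of <code>named_conf_fragment</code> into named.conf (adjusting the zone name and path), then check both with <code>named-checkzone</code> and <code>named-checkconf</code> before reloading. The <code>rpz_numeric_tlds</code> function only shows what the $GENERATE line expands to; the zone file itself keeps the one-liner.</p>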
</body>
</html>