Configure sortlists to push those bad A records to the end of the
response. This may on the surface seem like a kludge, but remember, the
whole point of sortlists is to give preference to certain addresses over
others, and IMO, a working/reachable address is "preferred" over one
that isn't working or isn't reachable :-)
- Kevin
On 6/9/2012 11:23 PM, Andris Kalnozols wrote:
I have the following issue:
* A domain name which our organization does not control is used
for authentication. It returns 40 A records which point to
various MS Active Directory servers throughout the company.
* A few of these A records point to non-functioning hosts and
cause delays for clients which have the bad luck to encounter
a bad server as the first A record in their DNS response.
The BIND 9.9.1 ARM describes two methods of content filtering:
deny-answer-addresses
---------------------
This is an all-or-nothing feature that returns a SERVFAIL response
if *any* address in its match list is returned in the answer
section. No selective filtering seems possible.
response-policy
---------------
I configured a simple RPZ as follows:
options {
    ...
    response-policy { zone "hpl-rpz"; };
};
zone "hpl-rpz" {
type master;
file "db.hpl-rpz";
allow-query { localhost; };
};
The RPZ zone has the following policy records:
32.121.184.205.16.rpz-ip CNAME *. ; NODATA
32.24.52.228.16.rpz-ip CNAME *.
8.0.0.0.16.rpz-ip CNAME 8.0.0.0.16. ; PASSTHRU
Again, this functions as an all-or-nothing filter with or without
the passthru record. A NODATA response is returned for the domain
name instead of an answer with 38 good A records.
I don't want to go down the road of hardcoding my resolvers to be
authoritative for this domain name. Is RPZ or some other BIND
feature capable of telling little white lies of omission or just
big whoppers when it comes to domain names with multiple addresses?
------
Andris
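As an added example (it comes from neither poster and the thread does not show it tested), this is what Kevin's sortlist suggestion looks like in named.conf for the two hosts Andris's rpz-ip records encode. An rpz-ip owner name is the prefix length followed by the address octets in reverse, so 32.121.184.205.16.rpz-ip is 16.205.184.121/32 and 32.24.52.228.16.rpz-ip is 16.228.52.24/32. The client match `any` and the choice of resolver address in the check below are assumptions. It relies on how BIND scores negated (`!`) entries in a sortlist order list: an address that matches a negated entry sorts after an address that matches nothing at all, which is exactly what pushes the dead servers to the end while leaving the other 38 in their usual rotated order.

```conf
options {
    // ... existing options unchanged ...

    // sortlist entries are { client-match; { order-list }; }.
    // "any" reorders answers for every client; narrow it (e.g. 16.0.0.0/8)
    // if only some client networks should see the reordered answer.
    sortlist {
        { any;
          {
            // Assumed dead AD servers, decoded from the rpz-ip records above.
            // Negated entries score AFTER addresses that match no entry, so
            // these two land at the end of the A RRset; everything else keeps
            // its relative order. Responses for names that do not contain
            // these addresses are not affected, since nothing else is listed.
            !16.205.184.121/32;
            !16.228.52.24/32;
          };
        };
    };
};
```

After `rndc reconfig`, confirm the behaviour on your own BIND version before relying on it: run `dig @127.0.0.1 <the-auth-domain> A +noall +answer` several times and check that the two addresses are always the last two records while the rest rotate. Two caveats a practitioner should keep in mind: sortlist only reorders, it does not withhold, so a client that ignores answer order (or picks an address at random) can still hit a dead host; and the list is a manually maintained denylist of known-bad hosts, so it has to be revisited whenever the remote organization adds or retires servers.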
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users