On Thu, Jan 10, 2013 at 11:17 AM, Jan Gutter <j...@lucidview.net> wrote:
> Thanks for the suggestions!
>
> I'm currently investigating two options: the local view and forwarded
> zones, and I'm going to check out if I can write a fast DLZ lookup to
> share the RPZ zones between the views. Caching is not a big problem
> here, the "shared zones" should only change about once per month.
> However, it seems RPZ doesn't like "forward" type zones in the
> response-policy stanza. I have a nasty feeling I'm missing something
> obvious, though.

Hah, after a bit of source-code examination and googling, I found the
following paragraph:

    3.2. Designated RPZs must be primary or secondary zones, since RPZs
    cannot be queried on the wire, only searched in the recursive
    server's own storage. A "zone" statement must therefore be given
    for the RPZ, with all necessary "masters" clauses, each having all
    necessary "key" subclauses. It is often a good idea to include
    "allow-query {none;};" in the zone statement to refuse ordinary,
    non-rewriting queries of the policy data.

quoted from ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

I guess I'm going to have to investigate the DLZ option then.
(Un)Fortunately, some other priority work has come up, so I'm just
adding more RAM for a stop-gap and will look at it again in a month or
so.

http://xkcd.com/979/

Thanks again for all your feedback!

Jan Gutter
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
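
The rule quoted above from the ISC technical note, written out as a named.conf fragment. This is an added example, not part of the original message and not ISC's own configuration; the view name, zone name, address, key name, secret and file path are all constructed placeholders.

```conf
// Constructed example: every name, address and path below is a placeholder.

// TSIG key for the "key" subclause of the "masters" clause.
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real secret
};

view "clients" {
    match-clients { any; };
    recursion yes;

    // The policy zone named here must be defined in this same view,
    // which is why each view needs its own copy of the RPZ.
    response-policy { zone "rpz.example"; };

    // Not usable as an RPZ: a forward zone stores no records locally,
    // so there is nothing for the rewriting code to search.
    // zone "rpz.example" {
    //     type forward;
    //     forwarders { 192.0.2.53; };
    // };

    // Usable: a secondary zone, transferred into the server's own storage.
    zone "rpz.example" {
        type slave;
        masters { 192.0.2.53 key "rpz-xfer"; };
        file "slaves/clients-rpz.example.db";
        // Refuse ordinary queries for the policy data itself.
        allow-query { none; };
    };
};
```

Running `named-checkconf` on the finished file, with a real key in place of the placeholder, catches syntax errors before a reload.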