> From: Chris Buxton <cli...@buxtonfamily.us>
>
> If a name exists in the response policy, and also exists in the real
> Internet namespace, the value from the policy is returned. But if it
> doesn't exist out on the Internet, then the value is not returned --
> an NXDOMAIN (or SERVFAIL, or whatever) is returned instead.
>
> I've known this for a while but haven't understood why it is thus.
> Today, it has become a problem for me. If I set a policy of "this
> name gets response X", I expect that policy to be used rather than
> "this name gets response X unless it doesn't exist out on the
> Internet or can't be resolved due to an error."
RPZ stands for "response policy zone" and concerns rewriting responses instead of queries. The answer section of an NXDOMAIN or SERVFAIL response does not contain a domain name that could trigger rewriting. Rewriting queries instead of responses would fail to rewrite CNAME chains.

Even when the unrewritten response is an error such as NXDOMAIN, an RPZ action can be triggered by the name or address of any NS RR that is authoritative for the response and that is found in glue or otherwise.

Previous versions of the RPZ mechanism in BIND required ./configure settings to enable rpz-nsip and rpz-nsdname rules. They are enabled by default in future released versions of BIND as well as the speed-up patches that can be found by following the link labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits

Vernon Schryver
v...@rhyolite.com
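The following is an added configuration example, not part of the post above or of ISC's own documentation. It shows the three trigger kinds the reply mentions side by side in one BIND response policy zone: a QNAME rule that only fires when a name appears in a response (so an NXDOMAIN for that name is left alone), plus rpz-nsdname and rpz-nsip rules that fire on the authoritative name servers found in the authority or glue of a response, error responses included. The zone name `rpz.local`, the file name, and every domain name and address in it are constructed for illustration (addresses come from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges); substitute your own.

```bind
// named.conf fragment (constructed example): load the policy zone and
// tell the resolver to apply it to responses.
options {
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "db.rpz.local";
};

// db.rpz.local (constructed example). Each owner name is a trigger;
// the RDATA is the policy action.
$TTL 300
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@               IN NS   localhost.

; QNAME trigger with local data ("this name gets response X").
; Matches a name that occurs in a response, including a CNAME target
; reached while chasing a chain. If the real answer is NXDOMAIN there
; is no such name in the response, so this rule does not fire.
malware.example         IN A    192.0.2.10

; QNAME trigger with the NXDOMAIN action (CNAME to the root).
phish.example           IN CNAME .

; QNAME trigger with the NODATA action (CNAME to "*.").
tracker.example         IN CNAME *.

; NSDNAME trigger: fires when any NS RR authoritative for the response
; has a name under badns.example, even when the response is NXDOMAIN.
*.badns.example.rpz-nsdname   IN CNAME .

; NSIP trigger: fires when an authoritative NS has address 203.0.113.5
; (encoded as prefix-length.B4.B3.B2.B1, octets reversed).
32.5.113.0.203.rpz-nsip       IN CNAME .
```

The NSDNAME and NSIP rules are the ones the reply says needed ./configure options in older BIND releases and are enabled by default in later ones; if you are on an older build, check `named -V` output for the rpz-nsip and rpz-nsdname settings before relying on them. After editing the policy zone, bump the SOA serial and reload, then query a name from each rule through the resolver with `dig` to confirm which rule fired.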