Hi list,

I'm writing this email to ask if the changes I detected in bind behaviour are as expected or if I'm facing some unexpected behaviour.

I searched for this, without success, so now I'm posting this issue I found between bind versions 9.14.5 and 9.16.3.

I have an old testing machine running bind 9.14.5 with RPZ zones. The first one (rpz1) is working as a whitelist and the second one (rpz2) is automatically populated, as you can check in the config below:

    response-policy {
        zone "rpz1";
        zone "rpz2";
    } qname-wait-recurse no break-dnssec yes;

For example, in the rpz1 zone I have something like this:

    test.com      IN CNAME rpz-passthru.
    *.test.com    IN CNAME rpz-passthru.

And, for example, the rpz2 zone, which is automatically populated, at the same point may have:

    tst.test.com      IN CNAME secure.test.
    *.tst.test.com    IN CNAME secure.test.

When this config is running on the machine with bind 9.14.5, if you query it for tst.test.com, it simply passes it through because it matches in the rpz1 zone (*.test.com), acting as a whitelist as expected.

If I run the same query on a new machine with bind 9.16.3, running the same config, it will rewrite it to secure.test, matching it in the rpz2 zone.

Is this second result (on the latest version) the expected behaviour? Which version is deviating from the expected one?

Best regards,
Paulo