Here is the RPZ draft: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00 Here are references in the ARM showing how to use it in BIND: https://bind9.readthedocs.io/en/stable/chapter6.html#enter-rpz https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting
I hope that helps. Cheers, Greg On Sat, 22 Nov 2025 at 17:16, Chunhui Ouyang <[email protected]> wrote: > I know, so I'm just hoping for some introductory examples, like some > simple configurations, but that's okay, I'll find them myself. Thanks. I > originally wanted to write a plugin, but for plugins, I'd like some > introductory examples, like how I should build the most basic project > without depending on config.h or... If it must be compiled within the tree, > how should I build a tree-based plugin that can compile correctly? Because > it currently throws an error without including config.h. > > * Ondřej Surý <[email protected]> [2025-11-22 :08:39]: > > > I think you are mistaking open source with free labor. > > > > It’s your client and your commercial contract, I gave you pointers, how > you handle these it is entire up to you, but don’t expect people here to do > this proprietary job for you for free. > > > > Ondrej > > -- > > Ondřej Surý — ISC (He/Him) > > > > My working hours and your working hours may be different. Please do not > feel obligated to reply outside your normal working hours. > > > > > On 22. 11. 2025, at 17:15, Chunhui Ouyang <[email protected]> wrote: > > > > > > I see it, but I still have two questions: > > > > > > 1. The client says there might be hundreds of thousands of IPs that > need to be matched, so I need a convenient process to match these addresses. > > > > > > 2. Can you tell me how to write RPG entries? > > > > > > * Ondřej Surý <[email protected]> [2025-11-22 :38:03]: > > > > > >> I already gave you the links to the documentation and the tutorial > below. Have you looked at these? > > >> > > >> -- > > >> Ondřej Surý (He/Him) > > >> [email protected] > > >> > > >> My working hours and your working hours may be different. Please do > not feel obligated to reply outside your normal working hours. > > >> > > >>>> On 22. 11. 2025, at 15:40, Chunhui Ouyang <[email protected]> > wrote: > > >>> > > >>> Can you give me an example? > > >>> > > >>> * Ondřej Surý <[email protected]> [2025-11-22 :34:48]: > > >>> > > >>>> RPZ already has the functionality that you’ve described below. > There’s no need to write a new plugin for this. > > >>>> > > >>>> Ondrej > > >>>> -- > > >>>> Ondřej Surý — ISC (He/Him) > > >>>> > > >>>> My working hours and your working hours may be different. Please do > not feel obligated to reply outside your normal working hours. > > >>>> > > >>>>> On 22. 11. 2025, at 14:43, Chunhui Ouyang <[email protected]> > wrote: > > >>>>> > > >>>>> What's the meaning? > > >>>>> > > >>>>> * Ondřej Surý <[email protected]> [2025-11-22 :25:08]: > > >>>>> > > >>>>>> Sorry, actually, not RPZ-CLIENT-IP, it is just RPZ-IP triggering > rule. > > >>>>>> > > >>>>>> Ondrej > > >>>>>> -- > > >>>>>> Ondřej Surý (He/Him) > > >>>>>> [email protected] > > >>>>>> > > >>>>>> My working hours and your working hours may be different. Please > do not feel obligated to reply outside your normal working hours. > > >>>>>> > > >>>>>>>> On 22. 11. 2025, at 14:22, Ondřej Surý <[email protected]> wrote: > > >>>>>>> > > >>>>>>>> It will filter DNS resolution requests and match the IP record > of any domain name against a given list; if a match is found, it will force > the return of the given IP. > > >>>>>>> > > >>>>>>> > > >>>>>>> You mean like RPZ-CLIENT-IP? > > >>>>>>> > > >>>>>>> https://www.isc.org/rpz/ > > >>>>>>> and > > >>>>>>> https://www.isc.org/docs/BIND_RPZ.pdf > > >>>>>>> > > >>>>>>> ? > > >>>>>>> > > >>>>>>> Ondrej > > >>>>>>> -- > > >>>>>>> Ondřej Surý (He/Him) > > >>>>>>> [email protected] > > >>>>>>> > > >>>>>>> My working hours and your working hours may be different. Please > do not feel obligated to reply outside your normal working hours. > > >>>>>>> > > >>>>>> > > >>>>> <signature.asc> > > >>>> > > >> > > > <signature.asc> > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list. >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
