Re: RPZ rule to apply to NS record requests?

2021-11-16 Thread John Thurston



On 11/16/2021 2:41 AM, Tony Finch wrote:

> John Thurston  wrote:
>
>> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
>> to be sent for a specific record-type for a specific name:
>>
>>    foo.bar.com  IN  A  10.11.12.13
>>    foo.bar.com  IN TXT "Hello World"
>>
>> But I can't seem to define one for the record-type NS
>>
>> Is this possible?
>
> The RPZ documentation doesn't say you can't include NS records as "local
> data", but I guess you might trip over BIND's checks for what makes sense
> at a zone cut: in a normal zone you can't have A and TXT and NS at the
> same name (unless it's the zone apex).
>
> But even if it did work, it's unlikely to do what you want. (You didn't
> say why you want NS records so that's a somewhat risky assumption...)


TL;DR: I'm trying to cover up someone else's mess


I didn't describe the reason because it is painful.

We use products from Major Software (hereafter referred to as MS). They 
use DNS to provide pointers to public and private versions of similar 
services. These pointers are served from public or private authoritative 
servers owned and operated by MS. The zones defined on the public 
authorities contain both SOA and NS records for each zone. The zones 
defined on the private authorities have only the SOA records.


Per RFC, an SOA and NS are the minimal records required of a zone. When 
we define forward-zones in our internal resolvers (e.g. Please send 
queries for these private names directly to this MS resolver), our 
automated monitoring system goes berserk. "Danger! Danger! The zone 
privatelink.MS.net is invalid! It has no NS record!! Danger! Something 
is wrong! Stop forwarding! Call the Authorities!"


I recognize MS probably doesn't care they are serving up an invalid 
zone. I also recognize that my bosses probably are not going to quit 
using products and services from MS. I don't want to try to dismantle 
(or cripple) the monitoring system which is keeping an eye on all the 
other zones for which we forward. I'm, therefore, left trying to imagine 
some way to abuse something in my control so my monitoring system doesn't 
notice these private MS zones are invalid.


I had _hoped_ I could use an RPZ to say:
  privatelink.MS.net  IN  NS  127.0.0.1

My monitoring system would query DNS, find the SOA (from the real 
authorities) and an NS (from my RPZ) and go away happy.


I recognize that the correct answer is to convince MS to correctly 
publish their private zones. But after a couple of decades of working 
with products from Major Software, I have more confidence I'll score on 
the next Powerball than they will acknowledge the deficiency (let alone 
consider correcting it).


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
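An added example, not code from the thread or from BIND: a small lint for RPZ local data that flags the two things the replies above turn on, a non-apex owner carrying NS beside other types (the normal-zone constraint Tony describes) and an NS record whose RDATA is an address literal rather than a host name. The zone origin `rpz.example.` and the sample records are constructed.

```python
# Added example (not BIND's own code): lint RPZ local data for the zone-cut clash
# raised in the thread. The first check is the normal-zone rule Tony describes
# (no NS beside other types at a non-apex name); the second reflects that NS
# RDATA is a host name, so 127.0.0.1 would be read as a relative name.
import ipaddress
from collections import defaultdict

def parse_records(text, origin):
    """Parse 'owner [IN] TYPE rdata' lines; relative owners get the RPZ origin."""
    origin = origin.lower().rstrip(".") + "."
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("$"):          # directives not handled here
            continue
        tokens = line.split()
        if len(tokens) > 2 and tokens[1].upper() == "IN":
            del tokens[1]                              # class field is optional
        owner, rtype, rdata = tokens[0].lower(), tokens[1].upper(), " ".join(tokens[2:])
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner, rtype, rdata))
    return records

def lint(records, origin):
    """Return (problem, owner) pairs; an empty list means the fragment is clean."""
    origin = origin.lower().rstrip(".") + "."
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    problems = [("ns-mixed-with-other-types", owner)
                for owner, types in sorted(types_at.items())
                if owner != origin and "NS" in types and len(types) > 1]
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        try:
            ipaddress.ip_address(rdata.rstrip("."))
        except ValueError:
            continue                                   # a host name, as NS requires
        problems.append(("ns-rdata-is-address-literal", owner))
    return problems

# Constructed input modelled on the records quoted in the thread.
SAMPLE = """
foo.bar.com         IN  A    10.11.12.13
foo.bar.com         IN  TXT  "Hello World"
foo.bar.com         IN  NS   ns1.example.net.
privatelink.MS.net  IN  NS   127.0.0.1
"""
```

Running `lint(parse_records(SAMPLE, "rpz.example."), "rpz.example.")` reports both findings; records at the origin itself (`@`) are exempt from the first check, as the apex would be.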


Re: RPZ rule to apply to NS record requests?

2021-11-16 Thread Tony Finch
John Thurston  wrote:

> If I have a Reverse Policy Zone (RPZ) defined, I can define a specific answer
> to be sent for a specific record-type for a specific name:
>
>foo.bar.com  IN  A  10.11.12.13
>foo.bar.com  IN TXT "Hello World"
>
> But I can't seem to define one for the record-type NS
>
> Is this possible?

The RPZ documentation doesn't say you can't include NS records as "local
data", but I guess you might trip over BIND's checks for what makes sense
at a zone cut: in a normal zone you can't have A and TXT and NS at the
same name (unless it's the zone apex).

But even if it did work, it's unlikely to do what you want. (You didn't
say why you want NS records so that's a somewhat risky assumption...)
In typical setups, RPZ is deployed on recursive servers, whose clients are
basically all stub resolvers. Stubs don't do anything special with NS
records, and they almost never make NS queries. So normally, using RPZ to
substitute NS records will not have any useful effect.

Tony.
-- 
f.anthony.n.finch    https://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and
North Channel: Southwesterly veering westerly, 5 or 6. Slight or
moderate, occasionally rough near Mull of Kintyre. Rain then showers.
Good, occasionally moderate at first.



RPZ rule to apply to NS record requests?

2021-11-15 Thread John Thurston
If I have a Reverse Policy Zone (RPZ) defined, I can define a specific 
answer to be sent for a specific record-type for a specific name:


   foo.bar.com  IN  A  10.11.12.13
   foo.bar.com  IN TXT "Hello World"

But I can't seem to define one for the record-type NS

Is this possible?


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska