Hi Andreas,

I think you need to add

    *.com.allow-rpz.example. CNAME .
    *.de.allow-rpz.example.  CNAME rpz-passthru.

to the rpz.

Jan.

On 8/6/20, 6:27 PM, "Unbound-users on behalf of A. Schulze via Unbound-users" <unbound-users-boun...@lists.nlnetlabs.nl on behalf of unbound-users@lists.nlnetlabs.nl> wrote:

Hello,

I thought I could build a resolver allowing only a limited set of domains to resolve.
That set of allowed domains should come from an rpz.

unbound.conf:

    server:
        module-config: "respip validator iterator"
    rpz:
        name: "allow-rpz.example."
        zonefile: "/tmp/allow-rpz.example"

/tmp/allow-rpz.example:

    allow-rpz.example.     SOA   localhost. rpz.localhost. 1 43200 7200 2419200 3600
    allow-rpz.example.     NS    localhost.
    *.allow-rpz.example.   CNAME .
    com.allow-rpz.example. CNAME .
    de.allow-rpz.example.  CNAME rpz-passthru.

expectation:
    QNAME=com will be answered with NXDOMAIN
    QNAME=de will be answered with real data
    QNAME=net/org/anything will be answered with NXDOMAIN

result:
    QNAME=com is answered with NXDOMAIN
    QNAME=de is answered with real data
    QNAME=net/org/anything is answered with real data

Reading https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-4.2 led me to believe
*.allow-rpz.example. would match any subdomain of ".". Looks like unbound/RPZ doesn't think so.

Is this a bug, a feature or simply not possible (why?) with unbound's RPZ implementation?
Are there other ways to build such a system?

Andreas
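Added example, not from the thread or from Unbound: a small Python model of RPZ QNAME-trigger lookup as draft-ietf-dnsop-dns-rpz section 4.2 and the RFC 4592 wildcard rules describe it, run over Andreas' zone with and without Jan's two extra records. It encodes the draft's semantics as assumed here, not Unbound's implementation, so the `net` result is what the draft predicts rather than what Unbound returned, and the `www.com` / `www.de` rows show what Jan's records change.

```python
# Added example: model RPZ QNAME triggers (draft section 4.2) with RFC 4592
# wildcard matching. This is NOT Unbound's code; it shows the draft's semantics.

ZONE_APEX = "allow-rpz.example"

# QNAME triggers from Andreas' zone file: owner name -> CNAME target (the action).
BASE_RPZ = {
    "*.allow-rpz.example": ".",              # NXDOMAIN
    "com.allow-rpz.example": ".",            # NXDOMAIN
    "de.allow-rpz.example": "rpz-passthru",  # PASSTHRU
}
# The same zone plus the two records Jan suggested adding.
JAN_RPZ = {**BASE_RPZ,
           "*.com.allow-rpz.example": ".",
           "*.de.allow-rpz.example": "rpz-passthru"}

ACTIONS = {".": "NXDOMAIN", "rpz-passthru": "PASSTHRU"}


def name_exists(name, rpz):
    """RFC 4592: a name exists if it owns data or is an ancestor of an owner name."""
    return name == ZONE_APEX or name in rpz or any(
        owner.endswith("." + name) for owner in rpz)


def find_trigger(qname, rpz):
    """Return the owner of the matching QNAME trigger, or None if no policy applies."""
    trigger = qname.rstrip(".") + "." + ZONE_APEX   # QNAME + RPZ apex
    if trigger in rpz:                              # exact owner match wins
        return trigger
    labels = trigger.split(".")
    for i in range(1, len(labels) - 1):             # ancestors, nearest first, to the apex
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor, rpz):              # closest encloser found; only a
            wildcard = "*." + ancestor              # wildcard directly below it counts
            return wildcard if wildcard in rpz else None
    return None


def evaluate(qname, rpz):
    """Map a query name to the RPZ action the draft's rules would apply."""
    owner = find_trigger(qname, rpz)
    return ACTIONS[rpz[owner]] if owner else "no match (resolve normally)"


if __name__ == "__main__":
    for qname in ("com", "de", "net", "www.com", "www.de"):
        print(f"{qname:8} base: {evaluate(qname, BASE_RPZ):28} "
              f"with Jan's records: {evaluate(qname, JAN_RPZ)}")
```

Under these rules `net` hits `*.allow-rpz.example` and gets NXDOMAIN, which is the expectation Andreas quotes; `www.com` and `www.de` fall under the existing `com`/`de` names and only match once Jan's `*.com` and `*.de` wildcards are present.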