allow and deny can be in a single rpz file. Example: I'm retrieving (daily) the most abused top level domains, parsing them into an rpz file from https://www.spamhaus.org/statistics/tlds/. Some domains I use however need to be allowed. Today's RPZ looks like this (and it works):
```
$TTL 30
@ SOA jpgpi250.github.io. hostmaster.jpgpi250.github.io. 2211241509 86400 1800 604800 30
  NS localhost.
;
*.surf CNAME .
*.fit CNAME .
*.ml CNAME .
*.top CNAME .
*.cyou CNAME .
*.gq CNAME .
*.cn CNAME .
*.live CNAME .
*.ga CNAME .
*.cf CNAME .
neofusgate.samsung.com.cn CNAME rpz-passthru.
dcs-vod.mp.lura.live CNAME rpz-passthru.
drm.mp.lura.live CNAME rpz-passthru.
```

the unbound configuration looks like this:

```
rpz:
    name: tld
    zonefile: zonefiles/tld.zone
    url: http://127.0.0.1/tld.rpz
    # no rpz-action-override here (exceptions - rpz-passthru)
    # rpz-action-override: nxdomain
    rpz-signal-nxdomain-ra: yes
    rpz-log: yes
    rpz-log-name: tld
```
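As an added example (not the poster's own generator script), the following Python builds a zone in the same layout as the one above, with the wildcard TLD deny rules and the exact-name `rpz-passthru` allow rules in one file, and then simulates the rule selection a resolver performs: an exact QNAME trigger beats a wildcard, so `neofusgate.samsung.com.cn` passes through while `www.samsung.com.cn` still hits `*.cn`. The TLD and exception lists are copied from the post; the serial format, the `ACTIONS` table of CNAME targets, and the helper names are assumptions.

```python
#!/usr/bin/env python3
"""Added example (not the poster's script): build an RPZ zone that mixes
deny rules (wildcard TLD -> NXDOMAIN) with allow rules (exact name ->
rpz-passthru), then simulate how a resolver chooses the winning rule.
The TLD and allow lists are copied from the post; the serial and the
helper names are assumptions."""

from datetime import datetime

# Constructed input: the TLDs and exception names shown in the post.
BLOCKED_TLDS = ["surf", "fit", "ml", "top", "cyou", "gq", "cn", "live", "ga", "cf"]
ALLOWED_NAMES = ["neofusgate.samsung.com.cn", "dcs-vod.mp.lura.live", "drm.mp.lura.live"]

# RPZ encodes the policy action in the CNAME target (assumed mapping).
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def build_rpz_zone(blocked_tlds, allowed_names, serial, origin="jpgpi250.github.io."):
    """Emit a zone in the same layout as the post: SOA, NS, deny rules, allow rules."""
    lines = [
        "$TTL 30",
        f"@ SOA {origin} hostmaster.{origin} {serial} 86400 1800 604800 30",
        "  NS localhost.",
        ";",
    ]
    for tld in blocked_tlds:
        # Wildcard QNAME trigger: every name below the TLD gets NXDOMAIN.
        lines.append(f"*.{tld} CNAME .")
    for name in allowed_names:
        # Exact QNAME trigger: hand the name back to normal resolution.
        lines.append(f"{name.rstrip('.')} CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def parse_rpz_rules(zone_text):
    """Return {trigger: action} for the CNAME policy records only."""
    rules = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CNAME":
            trigger, target = parts[0].lower().rstrip("."), parts[2]
            rules[trigger] = ACTIONS.get(target, f"LOCAL-DATA {target}")
    return rules


def lookup(rules, qname):
    """Pick the rule a resolver applies to qname: an exact trigger beats a
    wildcard, and among matching wildcards the one with the most labels wins.
    Returns (trigger, action), or None when no rule matches."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return name, rules[name]
    best = None
    for trigger, action in rules.items():
        # "*.cn" matches "a.b.cn" but not the bare "cn" label itself.
        if trigger.startswith("*.") and name.endswith(trigger[1:]):
            if best is None or trigger.count(".") > best[0].count("."):
                best = (trigger, action)
    return best


if __name__ == "__main__":
    serial = datetime.now().strftime("%y%m%d%H%M")  # YYMMDDHHMM, as in the post
    zone = build_rpz_zone(BLOCKED_TLDS, ALLOWED_NAMES, serial)
    print(zone)
    rules = parse_rpz_rules(zone)
    for q in ["example.top", "www.samsung.com.cn", "neofusgate.samsung.com.cn", "example.com"]:
        print(f"{q:30} -> {lookup(rules, q)}")
```

The `lookup` function is only a model of the precedence rule, not unbound's implementation; it is there to make visible why the exception entries can live in the same zone as the wildcard blocks without an `rpz-action-override`, which would otherwise force every match, passthru entries included, to the overridden action.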