> From: "Lawrence K. Chen, P.Eng." <lkc...@ksu.edu>

> ... So, being able to filter out these 'bad' things when responding
> queries against that data might be a good thing.

RPZ might be used for such things. However, by design RPZ rewrites entire responses. It is triggered by individual records in a response, but changes the entire response and not just individual records within the response.

To use RPZ for such filtering, you would probably use views with a response-policy{} statement in the external view to be filtered. The RPZ rules could be triggered by rpz-ip records for 10.0.0.0/8 or similar. The rules might rewrite responses to a CNAME or to sets of A and AAAA records suitable for outsiders.

That sounds a lot more fragile and error prone than distinct zones for insiders and outsiders specified in the view statements. However, RPZ might be good as a failsafe against leaks (perhaps rewriting to NXDOMAIN).

Vernon Schryver    v...@rhyolite.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
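
A sketch of the failsafe arrangement described in the message above, added here as an example and not part of the original post or of anyone's production configuration. The view name, ACL, policy zone name `rpz.failsafe`, the zone `example.com` and all file paths are assumptions; `recursive-only no` is included because BIND applies RPZ only to queries that ask for recursion unless told otherwise.

```conf
# ---- named.conf (external view only; names and paths are hypothetical) ----
acl "insiders" { 10.0.0.0/8; };

view "external" {
    match-clients { !"insiders"; any; };
    recursion no;

    # Apply the policy zone to every answer this view gives, including
    # authoritative ones (the default, recursive-only yes, would skip them).
    # Signed answers to DO=1 queries are not rewritten unless break-dnssec yes
    # is also set.
    response-policy { zone "rpz.failsafe"; } recursive-only no;

    # Shared zone data that is supposed to be free of internal addresses.
    zone "example.com" {
        type primary;              # "master" on older BIND releases
        file "zones/example.com.db";
    };

    # The policy zone itself must be loaded in the same view.
    zone "rpz.failsafe" {
        type primary;
        file "zones/rpz.failsafe.db";
        allow-query { none; };     # policy data is not served to clients
    };
};

; ---- zones/rpz.failsafe.db (hypothetical policy zone) ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
    IN NS   localhost.

; Trigger: any address record in the answer falls inside 10.0.0.0/8.
; rpz-ip owner names are written as prefix length, then the address octets
; reversed: 10.0.0.0/8 -> 8.0.0.0.10.rpz-ip
; Action: CNAME to the root, which replaces the whole response with NXDOMAIN,
; not just the one offending record.
8.0.0.0.10.rpz-ip   IN CNAME .
```

Because the action replaces the entire response, a name that carries one internal and one public address becomes unresolvable from outside, which is the behaviour wanted from a leak failsafe but not from a primary filtering mechanism.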