On Fri, 2013-06-21 at 17:11 +0100, John Horne wrote:
>
> My understanding is that RPZ can do this, but I just cannot seem to
> configure the RPZ zone file to enable this. The zone file contains:
> =====
> $TTL 1H
> @       SOA  LOCALHOST. hostmaster.plymouth.ac.uk (1 1h 15m 30d 2h)
>         NS   LOCALHOST.
>
> dns1.plymouth.ac.uk.rpz-nsdomain   CNAME *.
> =====
>
Hmm, I have just noticed that ARM says:
======
NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdomain relativized to the RPZ origin name.
======

But the example zone file further down the page has the example:

ns.domain.com.rpz-nsdname   CNAME .

So is 'rpz-nsdomain' wrong then in the zone file and 'rpz-nsdname' should be used instead?

If I modify my zone file above to use 'rpz-nsdname' then the 'dig' command gets a NXDOMAIN response. If I use '.' as the rdata I get a NOERROR response but no ANSWER section, just an AUTHORITY section with the RPZ zone SOA in it.

John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287
Fax: +44 (0)1752 587001

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
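For reference, a complete RPZ zone of the kind the thread is about, with the NSDNAME trigger written using the `rpz-nsdname` label that the ARM's own sample zone uses. This is an added example, not John's file or text from the ARM; the zone name `rpz.plymouth.ac.uk`, the file name `rpz.db` and the named.conf lines in the comments are assumptions, and the action rdata follows the ARM's documented encodings (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` for PASSTHRU in BIND 9.9 and later).

```zone
; rpz.db -- response policy zone "rpz.plymouth.ac.uk" (placeholder name).
; Added example, not the original poster's zone. Hooked into named.conf with:
;   options { response-policy { zone "rpz.plymouth.ac.uk"; }; };
;   zone "rpz.plymouth.ac.uk" { type master; file "rpz.db"; allow-query { none; }; };
$TTL 1H
@       SOA  LOCALHOST. hostmaster.plymouth.ac.uk. ( 1 1h 15m 30d 2h )
        NS   LOCALHOST.

; NSDNAME trigger: fires for any query whose authoritative server (or that
; of a parent of the query name, or of a CNAME target) is dns1.plymouth.ac.uk.
; Owner is <server name>.rpz-nsdname, relative to the zone origin. The label
; is "rpz-nsdname", as in the ARM's sample zone, not "rpz-nsdomain".
dns1.plymouth.ac.uk.rpz-nsdname     CNAME .               ; action: NXDOMAIN

; The same trigger with the other action encodings, for comparison. A given
; owner name carries one action, so keep only the one you want:
;   dns1.plymouth.ac.uk.rpz-nsdname   CNAME *.            ; NODATA: NOERROR, empty ANSWER
;   dns1.plymouth.ac.uk.rpz-nsdname   CNAME rpz-passthru. ; PASSTHRU: answer normally, just log

; QNAME trigger for contrast: matches the query name itself (and, with the
; wildcard, everything beneath it), again relative to the zone origin.
bad.example.com                     CNAME .               ; NXDOMAIN
*.bad.example.com                   CNAME .               ; NXDOMAIN for subdomains
```

An NSDNAME trigger only fires once the resolver has learned that the named server is authoritative for the name being queried, so test it with dig against a name delegated to dns1.plymouth.ac.uk rather than against the server's own name; named's `rpz` logging category records which trigger rewrote each answer.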