On Fri, 2013-06-21 at 17:11 +0100, John Horne wrote:

> My understanding is that RPZ can do this, but I just cannot seem to
> configure the RPZ zone file to enable this. The zone file contains:
> =====
> $TTL 1H
> @                       SOA LOCALHOST. hostmaster.plymouth.ac.uk (1 1h
> 15m 30d 2h)
>                         NS  LOCALHOST.
> dns1.plymouth.ac.uk.rpz-nsdomain        CNAME   *.
> =====
Hmm, I have just noticed that the ARM says:

NSDNAME triggers match names of authoritative servers for the query
name, a parent of the query name, a CNAME for query name, or a parent of
a CNAME. They are encoded as subdomains of rpz-nsdomain relativized to
the RPZ origin name.

But the example zone file further down the page has the example:

   ns.domain.com.rpz-nsdname   CNAME   .

So is 'rpz-nsdomain' wrong then in the zone file and 'rpz-nsdname'
should be used instead?

If I modify my zone file above to use 'rpz-nsdname' then the 'dig'
command gets a NXDOMAIN response. If I use '.' as the rdata I get a
NOERROR response but no ANSWER section, just an AUTHORITY section with
the RPZ zone SOA in it.


John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
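The trouble above is that a mistyped trigger label such as `rpz-nsdomain` is not an error to BIND; the rule simply never matches. Here is an added example (my own, not from the post or from ISC) of a small linter that walks the CNAME rules in an RPZ zone, flags owner names whose `rpz-` label is not one of the documented triggers, and names the policy action each rdata encodes. The trigger set and the `.` / `*.` / `rpz-passthru.` action meanings are taken from the BIND ARM as I recall it, and the sample zone is constructed for the demonstration.

```python
import difflib
import re

# Trigger labels the BIND ARM defines for RPZ zones; any other "rpz-" label
# is silently ignored by the resolver, which is how a typo hides itself.
KNOWN_TRIGGERS = ("rpz-client-ip", "rpz-ip", "rpz-nsdname", "rpz-nsip")

# Special CNAME targets that encode a policy action rather than real data.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

# owner [ttl] [class] CNAME target   (other record types are not policy rules)
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+[smhdw]?\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)


def check_rpz_zone(zone_text):
    """Return one dict per CNAME rule: owner, trigger, action and a problem
    string (None when the rule looks valid)."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.groups()
        labels = owner.rstrip(".").split(".")
        # First "rpz-" label decides the trigger type; none means a QNAME rule.
        trigger = next((l for l in labels if l.lower().startswith("rpz-")), "qname")
        action = ACTIONS.get(target, "local data")
        problem = None
        if trigger != "qname" and trigger.lower() not in KNOWN_TRIGGERS:
            hint = difflib.get_close_matches(trigger.lower(), KNOWN_TRIGGERS, n=1)
            problem = f"unknown trigger label '{trigger}'"
            if hint:
                problem += f" (did you mean '{hint[0]}'?)"
        findings.append({"owner": owner, "trigger": trigger,
                         "action": action, "problem": problem})
    return findings


# Constructed sample: the mistyped rule from the post next to the ARM form.
SAMPLE_ZONE = """\
$TTL 1H
@   SOA LOCALHOST. hostmaster.example. (1 1h 15m 30d 2h)
    NS  LOCALHOST.
dns1.example.rpz-nsdomain   CNAME   *.   ; typo: never matches anything
ns.domain.com.rpz-nsdname   CNAME   .    ; ARM example: NXDOMAIN action
"""

if __name__ == "__main__":
    for f in check_rpz_zone(SAMPLE_ZONE):
        print(f["owner"], f["trigger"], f["action"], f["problem"] or "ok")
```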


bind-users mailing list
