Lee <ler...@gmail.com> wrote:
> Can someone please explain why using this as my rpz zone does NOT
> block everything for *.2o7.net?
>
> 2o7.net CNAME .
> *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME .
I suspect this is RPZ obeying the weird semantics of DNS wildcard matching.

The * only matches if the answer would otherwise be NXDOMAIN (the name does not exist). The weirdness happens when there are subdomains that exist, because any parent names are NODATA (the name exists but has no records of the query type) which suppresses wildcard matching.

So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and 112.2o7.net to exist, so any names under those domains do not match the wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so it doesn't match.

For the long explanation see

https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain Name System
https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing Underneath

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Irish Sea: South veering west 3 to 5, increasing 6 for a time. Slight, occasionally moderate. Rain. Good, occasionally poor.
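The following is an added example, not part of Tony's reply and not BIND code: a small Python model of the RFC 4592 matching rule he describes (find the closest encloser of the query name, and synthesize from a wildcard only when the name would otherwise be NXDOMAIN). It is run over the three-line zone from Lee's message, with owner names treated as relative to the RPZ zone origin exactly as they appear in the question. It also goes one step further than the reply by showing a constructed variant of the zone with the redundant third rule removed, where the wildcard does cover appleglobal.112.2o7.net again. Function names and the zone variants are my own.

```python
# Added example: toy model of RFC 4592 wildcard matching, written to
# illustrate why a wildcard RPZ rule stops firing once a longer owner
# name beneath it exists in the zone. Not BIND's implementation.


def parse_owner_names(zone_text):
    """Collect the owner names from 'owner TYPE rdata' zone lines.

    Names are kept relative to the RPZ zone origin, as written in the
    question (e.g. '*.2o7.net'); comments starting with ';' are skipped."""
    owners = set()
    for line in zone_text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owners.add(line.split()[0].rstrip(".").lower())
    return owners


def ancestors(name):
    """Yield name itself and every ancestor: 'a.b.c' -> 'a.b.c', 'b.c', 'c'."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def existing_names(owners):
    """RFC 4592 section 2.2.2: every ancestor of an owner name exists in
    the zone, even with no records of its own (an empty non-terminal)."""
    return {anc for owner in owners for anc in ancestors(owner)}


def lookup(qname, owners):
    """Classify qname per RFC 4592; returns (result, matched_owner).

    'exact'    - qname is an owner name with records (the RPZ rule fires)
    'nodata'   - qname exists only as an empty non-terminal; wildcards are
                 not consulted, so no rule fires
    'wildcard' - qname does not exist and '*.<closest encloser>' does
    'nxdomain' - qname does not exist and no wildcard covers it
    """
    qname = qname.rstrip(".").lower()
    exists = existing_names(owners)
    if qname in owners:
        return "exact", qname
    if qname in exists:
        return "nodata", None
    # Closest encloser: the longest existing ancestor of the query name.
    # Only a wildcard owned directly by that encloser may synthesize.
    for candidate in ancestors(qname):
        if candidate in exists:
            wildcard = "*." + candidate
            if wildcard in owners:
                return "wildcard", wildcard
            return "nxdomain", None
    return "nxdomain", None


def blocked(qname, zone_text):
    """True when an RPZ rule (exact or wildcard) would fire for qname."""
    result, _ = lookup(qname, parse_owner_names(zone_text))
    return result in ("exact", "wildcard")


# The zone exactly as posted in the question.
LEES_ZONE = """
2o7.net CNAME .
*.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME .
"""

# Constructed variant: the third rule dropped, so 112.2o7.net and its
# parents no longer exist and the wildcard covers the whole subtree.
WILDCARD_ONLY_ZONE = """
2o7.net CNAME .
*.2o7.net CNAME .
"""

if __name__ == "__main__":
    owners = parse_owner_names(LEES_ZONE)
    for q in ("appleglobal.112.2o7.net", "foo.2o7.net",
              "com.102.112.2o7.net", "bcbsks.com.102.112.2o7.net"):
        print(f"{q:32} -> {lookup(q, owners)}")
    print("blocked with third rule removed:",
          blocked("appleglobal.112.2o7.net", WILDCARD_ONLY_ZONE))
```

Running it shows appleglobal.112.2o7.net classified as nxdomain under Lee's zone (closest encloser 112.2o7.net, and there is no *.112.2o7.net owner), foo.2o7.net matched by *.2o7.net, and com.102.112.2o7.net as nodata; in the variant zone the wildcard matches appleglobal.112.2o7.net, because nothing beneath 2o7.net exists any more to stop it.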