On 8/27/19, Tony Finch <d...@dotat.at> wrote:
> Lee <ler...@gmail.com> wrote:
>>
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>>
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
>
> I suspect this is RPZ obeying the weird semantics of DNS wildcard
> matching. The * only matches if the answer would otherwise be NXDOMAIN
> (the name does not exist). The weirdness happens when there are subdomains
> that exist, because any parent names are NODATA (the name exists but has
> no records of the query type) which suppresses wildcard matching.
>
> So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
> 112.2o7.net to exist, so any names under those domains do not match the
> wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
> it doesn't match.
>
> For the long explanation see
> https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain
> Name System
> https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing
> Underneath
Thank you!

I posted a similar question on the dns firewall list
http://lists.redbarn.org/pipermail/dnsfirewalls/2019-August/000367.html

Hopefully the RFCs you listed will help me understand the 'empty non-terminals' thing.

Regards,
Lee
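To make the empty non-terminal effect concrete, here is a small model of the RFC 4592 lookup rules (closest encloser, source of synthesis, names that exist only because something is defined below them) applied to the three policy records from the thread. This is an added example written for this post; it is not code from the thread, from BIND or from any RPZ implementation. It assumes a placeholder policy zone apex `rpz.example` (the triggers then live at `2o7.net.rpz.example` and so on), it ignores the query type and only asks whether a trigger name carries a CNAME, and the "remedy" at the end (a wildcard at each level that has become an empty non-terminal) is the consequence of the closest-encloser rule in RFC 4592, not something the thread states.

```python
"""Model of RFC 4592 wildcard matching inside an RPZ policy zone (added example)."""

# Assumed placeholder name for the policy zone apex (not from the thread).
RPZ_APEX = "rpz.example"


def labels(name):
    """Split a domain name into a case-folded label tuple without the trailing dot."""
    return tuple(name.rstrip(".").lower().split("."))


class Zone:
    """Minimal zone model: owner name -> {rtype: [rdata, ...]}, plus the set of names that exist."""

    def __init__(self, apex, records):
        self.apex = labels(apex)
        self.records = {}
        self.existing = set()
        for owner, rrs in records.items():
            self.add(owner, rrs)

    def add(self, owner, rrs):
        name = labels(owner)
        self.records.setdefault(name, {}).update(rrs)
        # Every ancestor between the owner and the apex exists as well. Those with
        # no records of their own are the empty non-terminals (RFC 4592 2.2.2),
        # and an existing name is never matched by a wildcard.
        for i in range(len(name) - len(self.apex) + 1):
            self.existing.add(name[i:])

    def find(self, qname):
        """Return (status, rrset) following the wildcard rules of RFC 4592 3.3 / 4.3."""
        q = labels(qname)
        if q[-len(self.apex):] != self.apex:
            return "OUT_OF_ZONE", None
        if q in self.existing:
            rrs = self.records.get(q, {})
            # Name exists (explicitly or as an ENT): wildcards are not consulted,
            # so an ENT yields NODATA rather than a synthesized answer.
            return ("EXACT" if rrs else "NODATA"), rrs
        # Closest encloser = the longest existing ancestor of the query name;
        # the only wildcard that can match is "*" directly under it.
        for i in range(1, len(q) - len(self.apex) + 1):
            closest = q[i:]
            if closest in self.existing:
                source = ("*",) + closest
                if source in self.records:
                    return "WILDCARD", self.records[source]
                return "NXDOMAIN", None
        return "NXDOMAIN", None


def rpz_action(zone, qname):
    """Return (status, CNAME target or None) for qname as a QNAME trigger in the policy zone."""
    status, rrs = zone.find(f"{qname}.{'.'.join(zone.apex)}")
    target = rrs.get("CNAME", [None])[0] if rrs else None
    return status, target


def policy_zone_from_thread():
    """The three triggers quoted in the thread, under the assumed apex (SOA rdata is constructed)."""
    return Zone(RPZ_APEX, {
        RPZ_APEX: {"SOA": ["constructed-soa"]},
        f"2o7.net.{RPZ_APEX}": {"CNAME": ["."]},
        f"*.2o7.net.{RPZ_APEX}": {"CNAME": ["."]},
        f"bcbsks.com.102.112.2o7.net.{RPZ_APEX}": {"CNAME": ["."]},
    })


if __name__ == "__main__":
    zone = policy_zone_from_thread()
    for name in ["2o7.net", "foo.2o7.net", "112.2o7.net", "appleglobal.112.2o7.net"]:
        print(f"{name:32} {rpz_action(zone, name)}")
    # Remedy implied by the closest-encloser rule: a wildcard at each level that
    # the long trigger turned into an empty non-terminal (assumed, not from the thread).
    zone.add(f"*.112.2o7.net.{RPZ_APEX}", {"CNAME": ["."]})
    print(f"{'appleglobal.112.2o7.net':32} {rpz_action(zone, 'appleglobal.112.2o7.net')}")
    # Names under the other ENTs (com.102.112.2o7.net, 102.112.2o7.net) still need their own wildcard.
    print(f"{'x.com.102.112.2o7.net':32} {rpz_action(zone, 'x.com.102.112.2o7.net')}")
```

Running it shows `foo.2o7.net` synthesized from `*.2o7.net`, `112.2o7.net` answered as NODATA because it exists as an empty non-terminal, and `appleglobal.112.2o7.net` falling through to NXDOMAIN with no policy applied, exactly the symptom in the thread. Adding `*.112.2o7.net` makes that one name match, but names below `com.102.112.2o7.net` or `102.112.2o7.net` stay unmatched until each of those levels gets its own wildcard, which is the check worth running against a policy zone before assuming a single `*.domain` trigger covers the whole tree.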