Thank you, Bob.

Unfortunately, records are generated by my users, not by me, so I can't change 
them as I want. 

Thanks again for your time and detailed explanation.

Andrey.

24.10.2019, 19:53, "Bob Harold" <rharo...@umich.edu>:
> On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn <andg...@yandex-team.ru> wrote:
>> Hi, Bob, thank you for the response!
>>
>> What if I want to make the following configuration (as an example):
>>
>> domain.com    A    10.10.10.10
>> *.domain.com  CNAME    domain.com
>>
>> I don't want to write 10.10.10.10 twice, I want to use magic of CNAME's here.
>
> Sorry, that is not how RPZ was designed to work.
> You can make the second one:
>       *.domain.com  CNAME    my10.realdomain.com.
> Where there is a real domain (not the RPZ domain) with:
>        my10.realdomain.com. A  10.10.10.10
>
> Or make them both "A" records.  Or both CNAME.  But one RPZ entry cannot 
> point to another.
> Use scripts to automate the process, if you don't want to enter 10.10.10.10 
> twice.
>
> p.s.  The decision not to re-lookup the results of RPZ lookups is probably 
> for speed and to avoid loops.  Trying to patch around that is not a good idea.
>
> --
> Bob Harold
>
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
>>> to 10.10.10.10.
>> This sentence sounds like «CNAMEs are useless at all» :-). Do you want some 
>> domain to point to some address? Then use an A record, not CNAME!
>>
>> Additionally, I already use a patched version of BIND. Maybe it is possible to 
>> make some patch for allowing this behavior?
>>
>> Andrey
>>
>> 24.10.2019, 18:06, "Bob Harold" <rharo...@umich.edu>:
>>> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andg...@yandex-team.ru> wrote:
>>>> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>>>>
>>>> 1.
>>>> cname.domain.com        CNAME   test.domain.com    (without trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>
>>> There is a misunderstanding here.  You would never redirect a domain in RPZ 
>>> to another domain in RPZ.
>>> Domains in RPZ must always be redirected to a real domain.  You cannot 
>>> point it to the wrong place, and then expect it to be redirected again.  It 
>>> does not work that way.
>>> Those two RPZ entries are completely separate.
>>> Do you want cname.domain.com to point to 10.10.10.10?  Then use an A record 
>>> to 10.10.10.10.
>>> Do you want cname.domain.com to point to some real domain name (probably a 
>>> name you control, like a walled garden, or error page)?  Then CNAME to that 
>>> real name.
>>>
>>> --
>>> Bob Harold
>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> ...
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.rpz.
>>>> test.domain.com.rpz.    3600    IN      A       10.10.10.10
>>>> ...
>>>>
>>>> So, it looks good, but RPZ name is visible, which is unwanted for me.
>>>>
>>>> 2.
>>>> cname.domain.com        CNAME   test.domain.com.      (with trailing dot)
>>>> test.domain.com         A       10.10.10.10
>>>>
>>>> In this case I receive
>>>>
>>>> # dig cname.domain.com @127.0.0.1
>>>> cname.domain.com.       5       IN      CNAME   test.domain.com.
>>>> test.domain.com.        531     IN      A       66.96.162.92
>>>>
>>>> (66.98.162.92 is the real, «internet» address of test.domain.com)
>>>>
>>>> Is it possible to make a configuration for internal CNAMEs in RPZ in which 
>>>> the RPZ name will not be visible to the user?
>>>>
>>>> Best regards,
>>>> Andrey Geyn
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
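Bob's advice amounts to "one RPZ entry cannot point to another; use scripts to flatten". The following is an added example (not code from the thread or from BIND) of such a preprocessing script: it flags RPZ CNAMEs whose target is another owner in the same RPZ zone and rewrites them to copies of the target's address records, so the resolver never has to re-apply RPZ to a CNAME target. It assumes the simplified `owner TYPE rdata` line format used in the thread, where a target without a trailing dot is relative to the RPZ zone and one with a trailing dot is a real, absolute domain.

```python
# Added example: flatten RPZ-internal CNAME chains into A/AAAA records.
# BIND applies RPZ once and does not re-lookup the CNAME target through
# RPZ, so "*.domain.com CNAME domain.com" inside the RPZ does not yield
# 10.10.10.10; the owner needs the address record itself.
from collections import defaultdict


def parse_rpz(text):
    """Parse 'owner TYPE rdata' lines (';' comments allowed) into tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner, rtype.upper(), rdata.strip()))
    return records


def rpz_internal_cnames(records):
    """Return (owner, target) for CNAMEs pointing at another RPZ owner.
    A target ending in '.' is absolute (a real domain) and is not flagged."""
    owners = {owner for owner, _, _ in records}
    return [(o, r) for o, t, r in records
            if t == "CNAME" and not r.endswith(".") and r in owners]


def flatten_rpz(records):
    """Replace each RPZ-internal CNAME with copies of the target's
    A/AAAA records (and any absolute CNAME the target carries)."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    out = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and not rdata.endswith(".") and rdata in by_owner:
            for t, r in by_owner[rdata]:
                if t in ("A", "AAAA") or (t == "CNAME" and r.endswith(".")):
                    out.append((owner, t, r))
        else:
            out.append((owner, rtype, rdata))
    return out


# Constructed sample: the configuration asked about in the thread.
SAMPLE = """\
domain.com    A      10.10.10.10
*.domain.com  CNAME  domain.com
"""
```

Running `flatten_rpz(parse_rpz(SAMPLE))` produces an `A 10.10.10.10` record for both `domain.com` and `*.domain.com`, and `rpz_internal_cnames` on the result is empty.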