I hadn't had enough coffee when I wrote that. I was doing in-addr.arpa translation in my head and confusing what was the TLD of the query being submitted. If a customer is stupid enough to ask for an A-record for 10.1.2.3, then the TLD of that name is "3", not "10" ... duh.

So to make the RPZ work, I needed to stuff the zone file with 256 new entries. I did this by dusting off my knowledge of the $GENERATE directive (which involved RTFM):

   $GENERATE 0-255 *.$     CNAME   .

I also needed to populate the "validate-except" option with 256 new entries. I could find no elegant way to generate, abstract, or 'include' this, so just needed to put the long string of characters inline:

   0; 1; 2; 3; 4; 5; 6; 7; 8; 9; 10; 11; 12; . . .

and it now behaves as desired, returning an unvalidated NXDOMAIN for queries for IP addresses.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 1/25/2023 8:36 AM, John Thurston wrote:

Off-list, it was suggested to me that I _could_ handle this in my RPZ, by enumerating all 255 illegal TLDs (e.g. *.10  CNAME . )

I tried this, and it works as expected when dnssec validation is disabled (either globally, or with "validate-except"). My idea right now is I can enumerate the TLDs of the numerics I see in my logs, and ignore the rest. I think this will get me what I want, at a level of complexity I can accept.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
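The thread above arrives at two artifacts: a $GENERATE line that expands to 256 wildcard CNAME rules, and a validate-except list naming the same 256 numeric TLDs. The script below is an added example, not code posted in the thread and not part of BIND. It expands the $GENERATE line the way named's zone loader would, emits the matching validate-except fragment, and runs a few constructed query names against the resulting rules to show which ones the RPZ would actually turn into NXDOMAIN and which it would miss (zero-padded octets, octets above 255, and the bare TLD with no label under it). The zone origin rpz.example and the sample names are assumptions made up for the example, and the validate-except entries are written quoted, which named.conf accepts, rather than bare as in the message.

```python
"""Expand the RPZ trick from the thread into concrete records and check it.

Constructed example, not code posted in the thread and not part of BIND.
The zone origin, SOA values and sample query names are assumptions.
"""

# The 256 TLDs a dotted-quad query name can end in: its last octet.
NUMERIC_TLDS = [str(i) for i in range(256)]
_NUMERIC_TLD_SET = frozenset(NUMERIC_TLDS)


def tld_of(qname: str) -> str:
    """Top-level label of a query name: the last label, ignoring the root dot.

    For an A query for 10.1.2.3 this is "3", not "10" (the point the
    thread corrects).
    """
    labels = qname.rstrip(".").split(".")
    return labels[-1].lower()


def expand_generate(start: int, stop: int, lhs: str, rrtype: str, rhs: str) -> list:
    """Mimic BIND's $GENERATE: substitute the iterator for '$' in lhs and rhs.

    Only the plain '$' form is handled; the ${offset,width,base} modifiers
    BIND supports are not needed here and are not implemented.
    """
    return [
        f"{lhs.replace('$', str(i))}\t{rrtype}\t{rhs.replace('$', str(i))}"
        for i in range(start, stop + 1)  # BIND's range is inclusive
    ]


def rpz_zone(origin: str = "rpz.example", serial: int = 1) -> str:
    """Full RPZ zone text with one NXDOMAIN wildcard rule per numeric TLD."""
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@\tSOA\tlocalhost. root.localhost. {serial} 3600 900 604800 300",
        "@\tNS\tlocalhost.",
    ]
    # "*.N CNAME ." is the RPZ action meaning NXDOMAIN.
    rules = expand_generate(0, 255, "*.$", "CNAME", ".")
    return "\n".join(header + rules) + "\n"


def validate_except_block() -> str:
    """named.conf fragment exempting the 256 numeric TLDs from DNSSEC validation."""
    names = " ".join(f'"{t}";' for t in NUMERIC_TLDS)
    return f"validate-except {{ {names} }};"


def caught_by_rpz(qname: str) -> bool:
    """Would a "*.N CNAME ." rule match this QNAME?

    A wildcard rule needs at least one label under the TLD, so a bare "3."
    is not matched, and zero-padded or out-of-range octets ("010", "256")
    are not among the generated rules.
    """
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return len(labels) >= 2 and labels[-1] in _NUMERIC_TLD_SET


# Constructed query names standing in for the ones seen in a resolver log.
SAMPLE_QNAMES = [
    "10.1.2.3.",          # dotted quad: TLD "3", matched by *.3
    "192.168.0.255",      # no trailing dot: still TLD "255"
    "www.example.com.",   # ordinary name: untouched
    "1.2.3.256.",         # not a valid octet: no rule for it
    "1.2.3.010.",         # zero-padded: "*.10" does not cover "010"
    "3.",                 # the TLD alone: wildcard does not match the apex
]


def triage(qnames=SAMPLE_QNAMES) -> dict:
    """Map each sample name to whether the RPZ would answer it with NXDOMAIN."""
    return {q: caught_by_rpz(q) for q in qnames}


if __name__ == "__main__":
    print(rpz_zone()[:400], "...")
    print(validate_except_block()[:80], "...")
    for q, hit in triage().items():
        print(f"{q:20} tld={tld_of(q):4} rpz_nxdomain={hit}")
```

The misses in the sample list are the practical caveat: anything a client sends with a leading zero or an out-of-range last octet is not a dotted quad the enumeration covers, so it falls through to normal resolution (and to normal validation) exactly as an ordinary name would.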
