Hello,

On 07.11.25 12:52, Crist Clark wrote:
I still don't understand why an RPZ entry of,

10.zz.fe80. IN CNAME *.

Doesn't work for you. Is there a reason you just want to block IPv6 LL
addresses for this domain but allow for others?

There's one more reason: in the case of a domain pointing to link-local address space, I believe it's better to block access to the domain at the proxy level (as is done by default).

I needed to allow this one particular domain, the rest would better be blocked as suspicious.


On 07.11.25 19:11, Lee wrote:
because it's missing rpz-ip?

I've got

; return NXDOMAIN for any ipv6 link local address answer
10.zz.fe80.rpz-ip       CNAME   .       ;  FE80::/10

and it doesn't work for me :(

On 09.11.25 09:10, Nick Tait via bind-users wrote:
This works for me (BIND 9.20.11):

10.zz.fe80.rpz-ip IN CNAME *.

(You need to rewrite using NODATA, rather than NXDOMAIN.)


Thanks guys, you helped me.


I've had to search for some more complete description of RPZ so I could feel like I know what I'm doing.

Searching the internet for "rpz dns" produced many results describing what it does, but not many of them gave a detailed list of options.

Searching for "bind rpz" produced this document:
https://www.isc.org/docs/BIND_RPZ.pdf
- which unfortunately shows "ns-ip" instead of "rpz-ip" which quite confused me.


Looking at section 6.9 of the ARM produces the theoretical information I found insufficient when browsing the net.


Finally, the docs are buried in the BIND ARM reference (8.2.3.15)
https://bind9.readthedocs.io/en/latest/reference.html#response-policy-zone-rpz-rewriting

and I can confirm this works, although globally for all responses.


Thanks for cooperation.

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
--
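For readers following the thread above, here is a complete RPZ zone that puts the working rule together with the exception Matus asked about. This is an added illustration, not code posted by anyone in the thread and not from ISC's documentation; the zone name, the domain allowed.example, and the SOA values are assumptions chosen for the example.

```zone
; Added example (not from the thread or ISC's docs): an RPZ zone that
; rewrites any answer carrying an fe80::/10 address to NODATA, while
; exempting one named domain.  Zone name, domain names and SOA values
; are assumptions for illustration only.
$TTL 300
@                  IN SOA   localhost. root.localhost. ( 1 3600 900 604800 300 )
@                  IN NS    localhost.

; QNAME trigger: BIND evaluates QNAME rules before IP-answer rules, so
; this exception takes precedence for allowed.example and its subdomains.
allowed.example    IN CNAME rpz-passthru.
*.allowed.example  IN CNAME rpz-passthru.

; IP-answer trigger: the record name is the prefix length, then the
; IPv6 address with its groups reversed and "zz" standing for "::".
; CNAME *. asks for a NODATA rewrite (the form reported to work in the
; thread); CNAME . would ask for NXDOMAIN instead.
10.zz.fe80.rpz-ip  IN CNAME *.
```

To activate it, the zone is listed in a response-policy statement in named.conf (for example response-policy { zone "rpz.local"; };) and loaded as an ordinary primary zone with a matching zone "rpz.local" { type primary; file "..."; }; block. As in the thread, the rpz-ip rule applies to every response the resolver hands out, not just to one client or one domain; the QNAME passthru entries are what carve out the single allowed domain.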