On Wed, 2012-12-05 at 09:13 +0000, Phil Mayers wrote:
> On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
>
> > A question from the OP that has not yet been answered -
> > Make the zones masters on all servers.
>
> Surely not for RPZ? The whole point with RPZ is that you have one zone
> containing all the blacklists, master in one place, and slave it in all
> the others.
>
> For traditional DNS blacklisting (one zone per blacklisted name/suffix)
> sure, but I'm honestly not sure why anyone would start out down that
> road today with RPZ available.

Response times would be a good reason.
An RPZ zone still goes through the motions.

Forged (local empty) zone:

dig mmmm.xxxtoolbar.com
<snip>
;; Query time: 0 msec

(all local zones the same, 0 msec)

RPZ:

dig bobi.at
;; Query time: 996 msec

(avg response time, it seems, for RPZ'd zones)

So it sure as hell doesn't work the same as a forged "empty" zone.

RPZ is awesome if you want to wallgarden a hostname, but for just speedy dropping, an empty zone beats it hands down, even if it is messier, requiring its own zone.