Hi Job

On Fri, May 15, 2015 at 04:56:07PM +0200, Job wrote:
> Hello,
> 
> very interesting feature:
> 
> >>We have prepared a branch that adds an "rpz-skipzone." policy action
> >>that, when matched by the trigger, behaves as if the current policy zone
> >>is disabled, and proceeds to the next one. It is still in the early
> >>stages, but it may be released in 9.11.
> 
> But, actually there is a feature called "rpz-passthru".
> Is it similar or something different?

rpz-passthru. skips further RPZ processing when that trigger matches.
rpz-skipzone. skips to the next policy zone in order.

So, for example, you could have a zone that looks like this:

zone1:

; move these specific clients to the next policy zone
32.z.y.x.w.rpz-client-ip IN CNAME rpz-skipzone.
32.d.c.b.a.rpz-client-ip IN CNAME rpz-skipzone.

; pass through all other addresses
0.0.0.0.0.rpz-client-ip IN CNAME rpz-passthru.

zone2:

; Handle clients that were moved here
0.0.0.0.0.rpz-client-ip IN ...

Right now the branch has not been reviewed yet. Once it is reviewed,
I'll let you know and you can try it from the master branch of BIND.
(It will not be backported to 9.10 as it's a new feature that's not
essential for DNS.)

                Mukund
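
The difference between the two actions, as an added example that is not part of the original message and is not BIND code: a small Python model of ordered policy zones with IPv4 rpz-client-ip triggers. The client addresses, the "." (NXDOMAIN) action in zone2 and the longest-prefix choice within a zone are assumptions made for the illustration.

```python
import ipaddress

def parse_client_ip(owner):
    """Decode prefixlen.B4.B3.B2.B1.rpz-client-ip into the network B1.B2.B3.B4/prefixlen."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[5] != "rpz-client-ip":
        raise ValueError(f"not an IPv4 rpz-client-ip trigger: {owner!r}")
    addr = ".".join(reversed(labels[1:5]))
    # strict parsing rejects triggers whose host bits are not zero
    return ipaddress.ip_network(f"{addr}/{int(labels[0])}")

# Constructed sample data mirroring the layout in the message above.
ZONES = [
    ("zone1", [
        ("32.10.2.0.192.rpz-client-ip", "rpz-skipzone."),
        ("32.20.2.0.192.rpz-client-ip", "rpz-skipzone."),
        ("0.0.0.0.0.rpz-client-ip", "rpz-passthru."),
    ]),
    ("zone2", [
        # The message elides this action; "." (NXDOMAIN) is assumed here.
        ("0.0.0.0.0.rpz-client-ip", "."),
    ]),
]

def evaluate(client, zones=ZONES):
    """Return (zone, action) that decides the query, or (None, None)."""
    ip = ipaddress.ip_address(client)
    for zone, records in zones:
        matches = []
        for owner, action in records:
            net = parse_client_ip(owner)
            if ip in net:
                matches.append((net.prefixlen, action))
        if not matches:
            continue  # no trigger in this zone; try the next one
        # Assumption: the most specific (longest-prefix) trigger wins in a zone.
        _, action = max(matches)
        if action == "rpz-skipzone.":
            continue  # behave as if this zone were disabled
        # rpz-passthru. (or any other action) ends RPZ processing here
        return zone, action
    return None, None

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(client, evaluate(client))
```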

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users