>> We maintain a block list with RPZ on our BIND resolvers. I noticed that
>> the RPZ policy action does not apply for domain names which SERVFAIL
>> (i.e. cannot be resolved by the resolver because of a timeout, lame
>> delegation etc.).
>
> RPZ applies to responses not queries.
>
> You can override this with "qname-wait-recurse" IIRC.
Thank you, that works for BIND >= 9.10. Though I question the usefulness of this option because of the following restriction:

"The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution." (source: ARM)

In my case, the first zone is a white list zone which also contains an IP trigger, thus qname-wait-recurse has no effect on the following malicious zones.

Daniel
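To make the ordering rule concrete, here is an added example configuration that is not from the thread and not ISC's own: it assumes (from the ARM restriction quoted above) that a policy zone holding only QNAME triggers does not suppress qname-wait-recurse for the zones after it, so the allow list is split into a QNAME-only zone listed first and an IP-trigger zone listed last. Zone names, addresses and file paths are made up.

```conf
// named.conf excerpt (added example; names, addresses and paths are made up)
options {
    recursion yes;

    response-policy {
        // 1. QNAME-only allow list: domain-name triggers only, no rpz-ip /
        //    rpz-nsip / rpz-nsdname records, so per the ARM rule it does not
        //    cancel the qname-wait-recurse effect for the zones listed after it.
        zone "allow.rpz.local" policy passthru;

        // 2. Block list with QNAME triggers. Only a QNAME-only zone precedes
        //    it, so with qname-wait-recurse no these triggers are applied
        //    before recursion and names that would SERVFAIL still get blocked.
        zone "block.rpz.local";

        // 3. The zone holding IP (and any NSIP/NSDNAME) triggers goes last:
        //    it needs recursion results anyway, and any zone listed after it
        //    would lose the qname-wait-recurse effect.
        //    Trade-off: earlier zones take precedence, so an IP-trigger
        //    passthru here no longer overrides a QNAME block in zone 2.
        zone "ip-allow.rpz.local" policy passthru;
    } qname-wait-recurse no;   // requires BIND >= 9.10
};

zone "allow.rpz.local"    { type master; file "/etc/bind/rpz/allow.db"; };
zone "block.rpz.local"    { type master; file "/etc/bind/rpz/block.db"; };
zone "ip-allow.rpz.local" { type master; file "/etc/bind/rpz/ip-allow.db"; };

// block.db excerpt: QNAME triggers, CNAME . means answer NXDOMAIN
//   bad.example.test        CNAME .
//   *.bad.example.test      CNAME .
//
// ip-allow.db excerpt: IP trigger for 192.0.2.0/24 (prefix length first,
// then the reversed address), answered with passthru
//   24.0.2.0.192.rpz-ip     CNAME rpz-passthru.
```

After reloading, a name listed in block.db whose authoritative servers time out should now return the RPZ action instead of SERVFAIL, which can be checked with dig against the resolver and in the RPZ log lines.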