Eh? I don't understand this. Response Policy Zones are /zones/, as the
nomenclature implies: they are maintained, transferred, managed with zone
handling machinery.
On Wed, 23 Oct 2019, julien soula wrote:
On Wed, Oct 23, 2019 at 10:21:08PM +0500, Andrey Geyn wrote:
In my test (I have BIND 9.11.3-1ubuntu1.9-Ubuntu) I have the following named.conf:
"""
options {
    response-policy { zone "rpz"; };
};
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
};
"""
The RPZ zone is only used internally by BIND. It doesn't need to be
resolvable from outside, so you can skip the zone declaration.
If you need the zone declaration (because you have slaves for this zone),
you can restrict access to it by adding "allow-query { slaves... };"
on the master and "allow-query {};" on the slaves.
Probably doesn't need to be queryable by the outside world, no. But this
doesn't indicate what access controls are or are not in place. I can
assure you that on the machine that masters my RPZ, I update it with
dynamic updates (that's what net-dns.pl does), and it's declared just
about like that.
It is handy to be able to query the RPZ as a legitimate zone for debugging
and management purposes, case in point.
--
Fred Morris
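As an added example (written for this page, not posted by anyone in the thread), the two named.conf fragments below put julien's restriction and Fred's workflow side by side: a master that holds the RPZ, accepts dynamic updates under a TSIG key, and answers direct queries only from admin hosts and its slaves, plus a slave that transfers the zone in but exposes it to nobody but localhost. The `response-policy` statement is what makes named apply the zone to client answers; that lookup is internal and does not go through the zone's `allow-query`, so hiding the zone does not stop it from working. All addresses (RFC 5737 documentation ranges), the ACL and key names, the secret and the file paths are constructed placeholders; `type master`/`type slave` match the 9.11 vocabulary used in the thread.

```conf
# ---- File 1: named.conf on the RPZ master (constructed example) ----
acl rpz-slaves { 192.0.2.53; 192.0.2.54; };          # placeholder slave addresses
acl rpz-admins { 127.0.0.1; ::1; 192.0.2.10; };      # hosts allowed to dig the zone

key "rpz-update-key" {                               # placeholder TSIG key
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-tsig-keygen";
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localnets; };
    # RPZ rewriting is an internal lookup; it works even when the zone
    # itself is not queryable from the outside.
    response-policy { zone "rpz"; };
};

zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
    allow-query    { rpz-admins; rpz-slaves; };   # debugging + AXFR/IXFR SOA checks
    allow-transfer { rpz-slaves; };                # only the slaves may pull the zone
    allow-update   { key "rpz-update-key"; };      # dynamic updates, nsupdate -k style
    notify yes;
    also-notify    { 192.0.2.53; 192.0.2.54; };
};

# ---- File 2: named.conf on an RPZ slave (constructed example) ----
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localnets; };
    response-policy { zone "rpz"; };               # same policy, applied locally
};

zone "rpz" {
    type slave;
    file "/var/cache/bind/rpz.zone";
    masters { 192.0.2.1; };                        # placeholder master address
    allow-query    { localhost; };                 # or { none; } to deny everyone
    allow-transfer { none; };                      # slaves do not re-serve the zone
};
```

With this in place, `dig @192.0.2.1 some.blocked.name.rpz` from an admin host still shows the policy record for debugging, while the same query from any other address gets REFUSED; clients resolving through either server still receive the rewritten answers. `{ none; }` is the explicit spelling of "deny everyone" that the thread writes as `{}`.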
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users