On Thu, Oct 24, 2019 at 9:20 AM Andrey Geyn <andg...@yandex-team.ru> wrote:
> Hi, Bob, thank you for response!
>
> What if I want to make following configuration (as an example):
>
> domain.com      A       10.10.10.10
> *.domain.com    CNAME   domain.com
>
> I don't want to write 10.10.10.10 twice, I want to use magic of CNAME's
> here.
>

Sorry, that is not how RPZ was designed to work.
You can make the second one:

*.domain.com    CNAME   my10.realdomain.com.

Where there is a real domain (not the RPZ domain) with:

my10.realdomain.com.    A    10.10.10.10

Or make them both "A" records. Or both CNAME. But one RPZ entry cannot
point to another.
Use scripts to automate the process, if you don't want to enter
10.10.10.10 twice.

p.s. The decision not to re-lookup the results of RPZ lookups is probably
for speed and to avoid loops. Trying to patch around that is not a good
idea.

--
Bob Harold

>
> > Do you want cname.domain.com to point to 10.10.10.10? Then use an A
> > record to 10.10.10.10.
> This sentence sounds like «CNAME are useless at all» :-). Do you want some
> domain to point to some address? Then use an A record, not CNAME!
>
> Additionally, I already use patched version of BIND. Maybe it is possible
> to make some patch for allowing this behavior?
>
> Andrey
>
> 24.10.2019, 18:06, "Bob Harold" <rharo...@umich.edu>:
>
>
> On Wed, Oct 23, 2019 at 10:34 AM Andrey Geyn <andg...@yandex-team.ru>
> wrote:
>
> Hello, I would like to set up RPZ with CNAME and A. There are two options:
>
> 1.
> cname.domain.com    CNAME    test.domain.com    (without trailing dot)
> test.domain.com     A        10.10.10.10
>
>
> There is a misunderstanding here. You would never redirect a domain in
> RPZ to another domain in RPZ.
> Domains in RPZ must always be redirected to a real domain. You cannot
> point it to the wrong place, and then expect it to be redirected again. It
> does not work that way.
> Those two RPZ entries are completely separate.
> Do you want cname.domain.com to point to 10.10.10.10? Then use an A
> record to 10.10.10.10.
> Do you want cname.domain.com to point to some real domain name (probably
> a name you control, like a walled garden, or error page)? Then CNAME to
> that real name.
>
> --
> Bob Harold
>
>
>
>
> In this case I receive
>
> # dig cname.domain.com @127.0.0.1
> ...
> cname.domain.com. 5 IN CNAME test.domain.com.rpz.
> test.domain.com.rpz. 3600 IN A 10.10.10.10
> ...
>
> So, it looks good, but RPZ name is visible, which is unwanted for me.
>
> 2.
> cname.domain.com    CNAME    test.domain.com.    (with trailing dot)
> test.domain.com     A        10.10.10.10
>
> In this case I receive
>
>
> # dig cname.domain.com @127.0.0.1
> cname.domain.com. 5 IN CNAME test.domain.com.
> test.domain.com. 531 IN A 66.96.162.92
>
> (66.98.162.92 is real, «internet» address of test.domain.com)
>
>
> Is it possible to make configuration for internal CNAME's in RPZ in which
> RPZ name will be not visible to user?
>
> Best regards,
> Andrey Geyn
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
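
Added example, not part of the original thread and not ISC code: one way to do the scripting suggested in the reply above, keeping each address in one place and expanding aliases between RPZ entries into final records before the zone file is written. The names flatten_rpz, render and SAMPLE_POLICY are hypothetical, the sample policy is constructed from the names used in the thread, and treating a CNAME target with or without a trailing dot as an alias when it matches another entry is an assumption of this sketch.

```python
# Added example: resolve aliases between RPZ entries before writing the zone.
# flatten_rpz, render and SAMPLE_POLICY are hypothetical; the sample is constructed.

SAMPLE_POLICY = {
    "domain.com": ("A", "10.10.10.10"),
    "*.domain.com": ("CNAME", "domain.com"),               # alias to another entry
    "cname.domain.com": ("CNAME", "my10.realdomain.com"),  # real, non-RPZ name
}


def flatten_rpz(policy):
    """Return (owner, rtype, value) records with in-policy aliases expanded.

    One RPZ entry cannot point to another, so a CNAME whose target is itself
    an owner in the policy is replaced by that owner's final record. CNAMEs to
    names outside the policy are kept and written with a trailing dot.
    """
    def resolve(owner):
        chain = [owner]
        rtype, value = policy[owner]
        while rtype == "CNAME" and value.rstrip(".") in policy:
            target = value.rstrip(".")
            if target in chain:
                raise ValueError("alias loop: " + " -> ".join(chain + [target]))
            chain.append(target)
            rtype, value = policy[target]
        if rtype == "CNAME":
            # Fully qualified, so the RPZ zone name is not appended to it.
            value = value.rstrip(".") + "."
        return rtype, value

    return [(owner, *resolve(owner)) for owner in policy]


def render(records):
    """Format records as zone-file lines; owners stay relative to the RPZ origin."""
    return "\n".join(f"{o:<20} {t:<6} {v}" for o, t, v in records)


if __name__ == "__main__":
    print(render(flatten_rpz(SAMPLE_POLICY)))
```

The loop check fails the build of the zone instead of shipping entries that reference each other.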