Hello Paulo, I noticed the same some time ago and made an issue on gitlab.isc.org:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1619

For your information, you cannot whitelist with wildcards anymore starting from bind 9.14.6 and newer. What still works is: if the blacklist contains a wildcard, then you can whitelist this with the same wildcard. For example, you can add the following to rpz1:

    *.tst.test.com IN CNAME rpz-passthru.

Daniel

On 02.06.20 13:58, Paulo Cáceres wrote:
> Hi list,
>
> I'm writing this email to ask if the changes I detected in bind
> behaviour are as expected or I'm facing some unexpected behaviour.
>
> I searched for this, without success, so now I'm posting this issue I
> found between bind versions 9.14.5 and 9.16.3.
>
> I have an old testing machine running bind 9.14.5 with RPZ zones. The
> first one (rpz1) is working as a whitelist and the second one (rpz2) is
> automatically populated, as you can check in the config below:
>
>     response-policy {
>         zone "rpz1";
>         zone "rpz2";
>     } qname-wait-recurse no break-dnssec yes;
>
> For example, in the rpz1 zone I have something like this:
>
>     test.com IN CNAME rpz-passthru.
>     *.test.com IN CNAME rpz-passthru.
>
> And, for example, the rpz2 zone, which is automatically populated, at some
> point may have:
>
>     tst.test.com IN CNAME secure.test.
>     *.tst.test.com IN CNAME secure.test.
>
> When this config is running on the machine with bind 9.14.5, if you
> query it for tst.test.com, it simply passes it through because it matches on the
> rpz1 zone (*.test.com), acting as a whitelist as expected.
> If I run the same query on a new machine with bind 9.16.3, running the
> same config, it will rewrite it to secure.test, matching it in the rpz2
> zone.
>
> Is this second result (on the latest version) the expected behaviour? Which
> version is deviating from the expected one?
>
> Best regards,
> Paulo
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
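A fuller version of the arrangement Daniel describes, written as a constructed example (not configuration from either message): rpz1 is the passthru whitelist, rpz2 the populated blocklist, and each blocklist entry that must be exempted is mirrored in rpz1 in the same form. The exact-name passthru for tst.test.com is my assumption, extending Daniel's wildcard-for-wildcard advice to the non-wildcard rpz2 entry; the SOA/NS records and file names are placeholders.

```bind
// named.conf fragment (constructed example). Policy zones are listed in
// order of precedence: rpz1 (whitelist) before rpz2 (blocklist).
response-policy {
    zone "rpz1";
    zone "rpz2";
} qname-wait-recurse no break-dnssec yes;

zone "rpz1" { type master; file "rpz1.db"; };
zone "rpz2" { type master; file "rpz2.db"; };

; ---- rpz1.db: whitelist (passthru) ----
$TTL 300
@               IN SOA   localhost. root.localhost. ( 1 3600 600 86400 300 )
                IN NS    localhost.
; Up to 9.14.5 the wildcard below alone exempted every name under test.com.
test.com        IN CNAME rpz-passthru.
*.test.com      IN CNAME rpz-passthru.
; From 9.14.6 on, a wildcard blocklist entry is only exempted by the same
; wildcard in the whitelist (Daniel's suggestion) ...
*.tst.test.com  IN CNAME rpz-passthru.
; ... and, as an assumption here, the exact-name blocklist entry by an
; exact-name passthru.
tst.test.com    IN CNAME rpz-passthru.

; ---- rpz2.db: automatically populated blocklist ----
$TTL 300
@               IN SOA   localhost. root.localhost. ( 1 3600 600 86400 300 )
                IN NS    localhost.
tst.test.com    IN CNAME secure.test.
*.tst.test.com  IN CNAME secure.test.
```

After loading both zones, check the result with `dig @127.0.0.1 tst.test.com` and `dig @127.0.0.1 host.tst.test.com`: with the mirrored entries in rpz1 both should resolve normally instead of being rewritten to secure.test, and `rndc reload` (or `named-checkzone`) will report any syntax slip in the zone files.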