No, it didn’t work with any policy. The feature required librpz.so that was a binary blob provided to Farsight customers. It was wrong to accept this code into BIND 9 in the first place. BIND 9 already had working RPZ implementation and the effort would be better spent on improving RPZ for everyone.
Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 21. 8. 2024, at 9:26, Paul Vixie <p...@redbarn.org> wrote: > > > It worked with any policy source not just Farsight. However, is no longer > necessary since isc now has a native RPZ implementation. Thanks for that. > > p vixie > > On Aug 20, 2024 23:55, Ondřej Surý <ond...@isc.org> wrote: > Hello, > > In line with ISC's deprecation policy, I am notifying the mailing list > of our intent to remove support for Response-Policy Server support. > > Back in 2018, Farsight Security[1] contributed a patch to BIND that was > an optional replacement to our native RPZ implementation. At that time, > our RPZ implementation wasn’t scaling very well, and we accepted > the patch. This patch, however, only worked with Farsight’s own RPZ > service, so its utility is limited to Farsight customers. We do not think > this patch really belongs in open source BIND 9 version. Removing the > feature that has limited user-base will allow us to improve the RPZ > (Response-Policy Zones) feature that's native to BIND 9 and available > to all BIND 9 users. > > The feature is called DNSRPS, or the Response Policy Server. Farsight > called it “FastRPZ”, but in the ARM it is called the Response Policy > Server[2]. > > The support for DNSRPS/FastRPZ will be deprecated as of BIND 9.20 > and removed in BIND 9.21/9.22. > > 1. Since then Farsight Security has been acquired by DomainTools. > 2. > https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnsrps-enable. > > Cheers, > -- > Ondřej Surý (He/Him) > ond...@isc.org > > My working hours and your working hours may be different. Please do not feel > obligated to reply outside your normal working hours. > > -- > bind-announce mailing list > bind-annou...@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-announce
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
