If that's how it worked then it was indeed an error. That was not Farsight's 
goal or my understanding. In any case RPZ no longer needs special code from 
anywhere and I share your joy about that. 


p vixie 


On Aug 21, 2024 00:55, Ondřej Surý <ond...@isc.org> wrote:

No, it didn’t work with any policy. The feature required librpz.so that was a 
binary blob provided to Farsight customers. It was wrong to accept this code 
into BIND 9 in the first place. BIND 9 already had a working RPZ implementation 
and the effort would be better spent on improving RPZ for everyone. 


Ondrej

-- 

Ondřej Surý — ISC (He/Him) 


My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours. 


On 21. 8. 2024, at 9:26, Paul Vixie <p...@redbarn.org> wrote:

 

It worked with any policy source, not just Farsight. However, it is no longer 
necessary since ISC now has a native RPZ implementation. Thanks for that. 


p vixie 


On Aug 20, 2024 23:55, Ondřej Surý <ond...@isc.org> wrote:

Hello,

In line with ISC's deprecation policy, I am notifying the mailing list
of our intent to remove Response-Policy Server support.

Back in 2018, Farsight Security[1] contributed a patch to BIND that was
an optional replacement to our native RPZ implementation. At that time,
our RPZ implementation wasn’t scaling very well, and we accepted
the patch. This patch, however, only worked with Farsight’s own RPZ
service, so its utility is limited to Farsight customers. We do not think
this patch really belongs in the open source BIND 9 version. Removing the
feature that has a limited user base will allow us to improve the RPZ
(Response-Policy Zones) feature that's native to BIND 9 and available
to all BIND 9 users.

The feature is called DNSRPS, or the Response Policy Server. Farsight
called it “FastRPZ”, but in the ARM it is called the Response Policy Server[2].

The support for DNSRPS/FastRPZ will be deprecated as of BIND 9.20
and removed in BIND 9.21/9.22.

1. Since then Farsight Security has been acquired by DomainTools.
2. https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-dnsrps-enable

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org


-- 
bind-announce mailing list
bind-annou...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users