I still don't understand why an RPZ entry of

    10.zz.fe80. IN CNAME *.

doesn't work for you. Is there a reason you just want to block IPv6 LL addresses for this domain but allow them for others? With that line in an RPZ:

$ dig @192.168.64.80 soratool.ch

; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56119
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;soratool.ch.                   IN      A

;; ANSWER SECTION:
soratool.ch.            300     IN      A       160.85.67.44

;; Query time: 172 msec
;; SERVER: 192.168.64.80#53(192.168.64.80)
;; WHEN: Fri Nov 07 12:51:20 PST 2025
;; MSG SIZE  rcvd: 56

$ dig @192.168.64.80 soratool.ch aaaa

; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65271
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;soratool.ch.                   IN      AAAA

;; ADDITIONAL SECTION:
rpz.                    1       IN      SOA     localhost. nobody.localhost. 43 86400 43200 604800 10800

;; Query time: 174 msec
;; SERVER: 192.168.64.80#53(192.168.64.80)
;; WHEN: Fri Nov 07 12:51:24 PST 2025
;; MSG SIZE  rcvd: 95

On Fri, Nov 7, 2025 at 11:34 AM Petr Menšík via bind-users <[email protected]> wrote:
> If you are serious about this, dnsmasq can be used as a workaround. I
> think that is the only common tool which can override one record but
> does not act authoritative for other records. Normal DNS resolvers won't
> allow it. I think you should not either.
>
> Anyway, link-local addresses cannot work in normal unicast DNS, because
> they lack an interface specification. That is always needed for them.
>
> # dnsmasq
> listen-address=127.0.0.2
> bind-interfaces
> address=/soratool.ch/::
> # other server than your bind to prevent loops
> server=8.8.8.8
>
> # named
>
> zone "soratool.ch" {
>     type forward;
>     forwarders { 127.0.0.2; };
> };
>
> This is quite a hack, but would allow you to do something with it. Not
> sure it is worth the trouble. If the owner does not want his site to be
> reliable, do you need to fix it for them?
>
> Cheers,
> Petr
>
> On 06/11/2025 17:16, Matus UHLAR - fantomas wrote:
> > Hello,
> >
> > I maintain a squid proxy server which (by default) disallows connecting
> > to hosts in the link-local network (I'd say standard security practice).
> >
> > We have a problem with a DNS name that has a public IPv4 address but a
> > private IPv6 one:
> >
> > soratool.ch.    179     IN      A       160.85.67.44
> > soratool.ch.    168     IN      AAAA    fe80::250:56ff:feaa:f5dc
> >
> > fe80::/10 is the link-local address range, first described in Feb 2006
> > in RFC 4291.
> >
> > Seems that the domain maintainer does not want to fix this (...)
> >
> > To make it work I can redefine the policy in the proxy server that
> > disables the rule banning link-local addresses to allow this particular
> > domain.
> >
> > However, I would prefer not to do this on the proxy level.
> >
> > Is there a possibility to override the AAAA record using RPZ?
> >
> > From what I found, it should be possible to drop IPv6 addresses in
> > fe80::/10 by defining
> >
> > 10.0.0.0.0.0.0.0.fe80.ns-ip CNAME .
> >
> > which would drop all responses pointing to a link-local address.
> > Is that correct?
> >
> > Or, better, is it possible only to override AAAA for this particular
> > domain?
> >
> > Thanks
>
> --
> Petr Menšík
> Senior Software Engineer, RHEL
> Red Hat, https://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.
>
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
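The thread turns on how an IPv6 prefix is spelled as an RPZ IP trigger and which suffix the trigger carries. The script below is an added example, not code from any of the posters, from BIND or from dnsmasq. It encodes a network into a BIND RPZ trigger owner name (prefix length, then the address labels in reverse order, with "zz" standing for "::"), decodes such a name back, and evaluates the thread's own A and AAAA answers against the trigger from the reply above, reproducing what the two dig runs showed: the A answer is untouched and the AAAA answer is rewritten to NODATA. The trigger table and the zone skeleton are constructed for the demo; the suffix names rpz-ip, rpz-nsip and rpz-client-ip and the CNAME action targets are BIND's documented ones, and "ns-ip" as written in the original question is not among them. The decoder expects the full trigger name including its suffix, and the longest-prefix ordering in rpz_lookup is a simplification of BIND's precedence rules.

```python
"""Encode, decode and evaluate BIND RPZ IP-trigger owner names.

Added example for the bind-users thread above; not code from the posters,
BIND or dnsmasq.  Sample answer records are the ones quoted in the thread;
the trigger table is constructed for this demo.
"""
import ipaddress

# IP-based trigger suffixes BIND's RPZ recognises.  Note that "ns-ip"
# (as written in the original question) is not one of them.
IP_TRIGGER_SUFFIXES = {
    "rpz-ip": "address in the answer section (response IP trigger)",
    "rpz-nsip": "address of an authoritative name server for the answer",
    "rpz-client-ip": "address of the querying client",
}

# Special CNAME targets used as RPZ actions and what BIND returns for them.
ACTIONS = {
    "CNAME .": "NXDOMAIN",
    "CNAME *.": "NODATA",
    "CNAME rpz-passthru.": "PASSTHRU",
    "CNAME rpz-drop.": "DROP",
    "CNAME rpz-tcp-only.": "TCP-ONLY",
}


def rpz_ip_label(network, suffix="rpz-ip"):
    """'fe80::/10' -> '10.zz.fe80.rpz-ip'; '192.0.2.0/24' -> '24.0.2.0.192.rpz-ip'."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        # RFC 5952 compressed text; the "::" run becomes the single label "zz"
        text = net.network_address.compressed
        if "::" in text:
            left, right = text.split("::")
            words = (left.split(":") if left else []) + ["zz"] + (right.split(":") if right else [])
        else:
            words = text.split(":")
    return "%d.%s.%s" % (net.prefixlen, ".".join(reversed(words)), suffix)


def parse_rpz_ip_label(label):
    """Inverse of rpz_ip_label: '10.zz.fe80.rpz-ip' -> (IPv6Network('fe80::/10'), 'rpz-ip')."""
    parts = label.strip().rstrip(".").split(".")
    prefixlen, suffix = int(parts[0]), parts[-1]
    words = list(reversed(parts[1:-1]))          # undo the reversed label order
    if len(words) == 4 and "zz" not in words and all(w.isdigit() and int(w) < 256 for w in words):
        text = ".".join(words)                   # four octets: IPv4
    elif "zz" in words:
        i = words.index("zz")                    # expand "zz" back into "::"
        text = ":".join(words[:i]) + "::" + ":".join(words[i + 1:])
    else:
        text = ":".join(words)                   # uncompressed eight-word IPv6
    return ipaddress.ip_network("%s/%d" % (text, prefixlen), strict=False), suffix


def rpz_lookup(answer_addresses, triggers):
    """Return (label, action) of the rpz-ip trigger covering any address in the
    answer, longest prefix first, or None when the response is left alone."""
    parsed = []
    for label, action in triggers.items():
        net, suffix = parse_rpz_ip_label(label)
        if suffix == "rpz-ip":                   # only response-IP triggers look at the answer
            parsed.append((net, label, action))
    parsed.sort(key=lambda t: -t[0].prefixlen)
    for net, label, action in parsed:
        for addr in answer_addresses:
            a = ipaddress.ip_address(addr)
            if a.version == net.version and a in net:
                return label, action
    return None


def render_rpz_zone(origin, triggers):
    """Minimal policy zone file (constructed skeleton) holding the triggers."""
    lines = [
        "$TTL 1",
        "$ORIGIN %s." % origin.rstrip("."),
        "@ IN SOA localhost. nobody.localhost. 1 3600 600 86400 1",
        "@ IN NS localhost.",
    ]
    lines += ["%s IN %s" % (label, action) for label, action in triggers.items()]
    return "\n".join(lines) + "\n"


# Answer records quoted in the thread, split by query type as dig showed them.
THREAD_A = ["160.85.67.44"]
THREAD_AAAA = ["fe80::250:56ff:feaa:f5dc"]
# Constructed trigger table: the entry proposed in the reply, with the rpz-ip suffix.
TRIGGERS = {"10.zz.fe80.rpz-ip": "CNAME *."}

if __name__ == "__main__":
    print(render_rpz_zone("rpz", TRIGGERS))
    for qtype, answer in (("A", THREAD_A), ("AAAA", THREAD_AAAA)):
        hit = rpz_lookup(answer, TRIGGERS)
        print(qtype, answer, "->", "untouched" if hit is None else "%s via %s" % (ACTIONS[hit[1]], hit[0]))
    net, suffix = parse_rpz_ip_label("10.0.0.0.0.0.0.0.fe80.ns-ip")
    print("original question's trigger decodes to", net, "but suffix", suffix,
          "is", "valid" if suffix in IP_TRIGGER_SUFFIXES else "not a BIND RPZ trigger suffix")
```

Running it prints the zone skeleton, then "A untouched" and "AAAA NODATA via 10.zz.fe80.rpz-ip", and reports that the spelling from the original question decodes to fe80::/10 but carries a suffix BIND would not treat as a trigger. To block link-local answers globally, load the rendered zone with a response-policy statement in named.conf; to limit the rewrite to one name, a QNAME trigger with local data would be needed instead, since an rpz-ip trigger applies to every answer containing a matching address.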

