On Fri, Nov 7, 2025 at 3:53 PM Crist Clark wrote:
>
> I still don't understand why an RPZ entry of,
>
> 10.zz.fe80. IN CNAME *.
>
> Doesn't work for you.
First,

>> DiG 9.10.6

are you really running a 9.10 version of bind?!

Second, because it's missing rpz-ip? I've got

; return NXDOMAIN for any ipv6 link local address answer
10.zz.fe80.rpz-ip CNAME . ; FE80::/10

and it doesn't work for me :(

$ dig soratool.ch aaaa

; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> soratool.ch aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35871
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: a24ad4c2a4633a7801000000690e8893a1267aed45545fe0 (good)
;; QUESTION SECTION:
;soratool.ch.                   IN      AAAA

;; ANSWER SECTION:
soratool.ch.            300     IN      AAAA    fe80::250:56ff:feaa:f5dc

;; Query time: 108 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 07 19:02:27 EST 2025
;; MSG SIZE  rcvd: 96

& just for chuckles I tried

10.zz.fe80.rpz-ip CNAME .

and that didn't block it either.

> Is there a reason you just want to block IPv6 LL addresses for this domain
> but allow for others?

I'd rather block _all_ link local addresses except for the ones that I whitelist ... which works for me with ipv4:

; return NXDOMAIN for any 127.0.0.0/8 answers
; exceptions:
onea.net-snmp.org CNAME rpz-passthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
*.localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f000001.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and 127.0.0.1 (NXDOMAIN)
; ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3

it'd be nice if I could get it working with ipv6

Regards
Lee
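The rpz-ip owner-name encoding the entries above rely on (reversed octets for IPv4; reversed 16-bit hex words for IPv6, with "zz" standing in for "::"), as an added example that is neither part of this thread nor BIND's own code: an encoder and decoder for that form, plus a check of which triggers in a constructed zone fragment cover a given answer address, so an entry's syntax can be confirmed before the resolver itself is debugged. The function names and the ZONE text are constructed for the example.

```python
import ipaddress

def rpz_ip_name(prefix: str) -> str:
    """Encode a prefix as an RPZ IP-trigger owner name: IPv4 "<len>.B4.B3.B2.B1.rpz-ip"
    (octets reversed), IPv6 "<len>.W8...W1.rpz-ip" (hex words reversed, '::' -> 'zz')."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        # .compressed already strips leading zeros and uses at most one '::'
        left, sep, right = net.network_address.compressed.partition("::")
        words = [w for w in left.split(":") if w]
        if sep:
            words += ["zz"] + [w for w in right.split(":") if w]
    return f"{net.prefixlen}." + ".".join(reversed(words)) + ".rpz-ip"

def rpz_ip_network(owner: str):
    """Inverse of rpz_ip_name(): turn an rpz-ip owner name back into a network."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-1] != "rpz-ip":
        raise ValueError(f"not an rpz-ip trigger: {owner}")
    prefixlen, msf = int(labels[0]), list(reversed(labels[1:-1]))
    if len(msf) == 4 and "zz" not in msf:          # IPv4 octets
        text = ".".join(msf)
    elif "zz" in msf:                               # IPv6 with a zero run
        i = msf.index("zz")
        text = ":".join(msf[:i]) + "::" + ":".join(msf[i + 1:])
    else:                                           # full 8-word IPv6
        text = ":".join(msf)
    return ipaddress.ip_network(f"{text}/{prefixlen}", strict=False)

# Constructed zone fragment, modelled on the entries quoted in the post.
ZONE = """\
localhost            CNAME rpz-passthru.
8.0.0.0.127.rpz-ip   CNAME .   ; 127.0.0.0/8
10.zz.fe80.rpz-ip    CNAME .   ; fe80::/10
"""

def matching_triggers(zone_text: str, answer: str) -> list:
    """Owner names of rpz-ip triggers whose network covers the answer address."""
    addr = ipaddress.ip_address(answer)
    hits = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()         # drop zone-file comments
        if fields and fields[0].lower().rstrip(".").endswith(".rpz-ip"):
            if addr in rpz_ip_network(fields[0]):   # False across IP versions
                hits.append(fields[0])
    return hits
```

Running matching_triggers(ZONE, "fe80::250:56ff:feaa:f5dc") on the AAAA answer from the dig output above reports the 10.zz.fe80.rpz-ip trigger, which confirms the entry's syntax encodes fe80::/10 as intended.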

