> From: Marek Vavruša <mvavr...@cloudflare.com>
> There's a functionality [1] to do all these things (and more), you
> just can't read/write complicated rules from RPC compatible format
> (DNS zone files). Feel free to contribute of course.
On the contrary, as far as I can see from the table in
http://knot-resolver.readthedocs.io/en/stable/modules.html none of the
features that originally justified RPZ are present in the Knot mechanism.
It lacks
 - distributed, simultaneous multi-source policies
 - IP triggers
 - full client-IP triggers
 - redirecting to walled gardens
 - NSDNAME and NSIP triggers (although those were added after my first
   versions by user demand)
 - walled gardens (according to the table, but I don't understand how
   that is missing)

The Knot mechanism might be a lot better than RPZ, but it is *NOT* RPZ.
Because it uses a different rule source-resolver protocol, it can be
neither a subset nor a superset of RPZ.

Calling it "rpz" is like calling the ancient DEC name scheme (I've
forgotten its name) or NIS (YP) "DNS." Those things could do things that
DNS cannot do. The DEC protocol was arguably better all around than DNS,
but it was not DNS, no matter how often or how hard its advocates tried
to sell it as DNS.

One might say "it's a subset without the bits that some mistakenly claim
are important and it uses an incompatible protocol but it's still rpz,"
but that would be like saying a Chevrolet Spark is a subset of a 40 ton
tractor, or vice versa.
https://www.google.com/search?q=Chevrolet+spark
https://www.google.com/search?q=60+ton+tractor
That the Spark is more useful to more people and that most people could
not use a large tractor does not make one a subset of the other. They
simply differ.

Again, the Knot mechanism might be better than RPZ, especially if it
were given a few of what seem to me like easy additions. RPZ has
suffered from feaping creaturism; something simpler could be better.
But please don't call it RPZ, because it is not RPZ.

Vernon Schryver    v...@rhyolite.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop