Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
> On 5 Jan 2017, at 22:09, Lars Kulseng wrote: > > Any other thoughts on the naming of the zone? If I wanted to obfuscate the > name, I could use a reserved TLD like .test or .invalid. This would never > appear in the wild. Ah. Well. You explained your reason for obfuscating the zone name ve

Re: Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
On Thu, 5 Jan 2017 at 16:54, Tony Finch wrote: > Lars Kulseng wrote: > > > > I wasn't aware that the ACL-clause could include TSIG-keys as well as > > IP-addresses. So far I've been using the masters-clause to make the > actual > > list of servers and keys, but also using the server-clause. Perha

Re: Need feedback on RPZ service setup

2017-01-05 Thread Paul Seward
On 5 January 2017 at 14:36, Lars Kulseng wrote: > > I wasn't aware that the ACL-clause could include TSIG-keys as well as > IP-addresses. > As I understand it, you have to be careful mixing TSIG keys and IP addresses within an ACL, as it's "first match wins". So if you have a key and an IP liste

Re: Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote: > > I wasn't aware that the ACL-clause could include TSIG-keys as well as > IP-addresses. So far I've been using the masters-clause to make the actual > list of servers and keys, but also using the server-clause. Perhaps the > server-clause is unnecessary, and I can simply refe

Fwd: Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
---------- Forwarded message ---------- From: Lars Kulseng Date: Thu, 5 Jan 2017 at 15:34 Subject: Re: Need feedback on RPZ service setup To: Tony Finch On Thu, 5 Jan 2017 at 14:24, Tony Finch wrote: Lars Kulseng wrote: > I am setting up BIND to be used as a way to disseminate RPZ-zo

Re: Need feedback on RPZ service setup

2017-01-05 Thread wbrown
From: Tony Finch > BIND will only send NOTIFY to a zone's advertised name servers - "stealth > slaves" like your consumers have to rely on the SOA refresh timer. Why not use also-notify to specify client servers?

Re: Need feedback on RPZ service setup

2017-01-05 Thread Tony Finch
Lars Kulseng wrote: > I am setting up BIND to be used as a way to disseminate RPZ-zones for use > by third parties. I would like some feedback on my setup. Overall it sounds very sensible to me. A few notes... > Access control is done by using TSIG-keys, with separate keys for: updates, > M1->S

Need feedback on RPZ service setup

2017-01-05 Thread Lars Kulseng
I am setting up BIND to be used as a way to disseminate RPZ-zones for use by third parties. I would like some feedback on my setup. Any pitfalls I may encounter would be great to hear about. The system will only serve up RPZ-zones to external parties that will zone-transfer the RPZ-zone to use in
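The following named.conf fragments are an added illustration of the three points raised in this thread (TSIG-keyed zone transfer to third-party consumers, Paul Seward's "first match wins" warning about mixing keys and addresses in one ACL, and the also-notify suggestion for consumers that are not in the zone's NS set). They are not configuration posted by anyone in the thread. The addresses (192.0.2.10 for the publisher, 198.51.100.20 for one consumer), the key name, the zone name rpz.example.net and the file names are assumptions, and the secret is a placeholder. The syntax is BIND 9 as of the thread's date; newer BIND 9 releases also accept primaries as a synonym for masters.

```conf
// Added example, not from any message in this thread.
// All names, addresses and the key secret are placeholders.

// ---------- publisher (master for the RPZ feed) ----------

key "consumer-a-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET==";   // placeholder; generate with tsig-keygen
};

// WEAK: an address match list is evaluated in order and the first matching
// element decides. An unsigned request from 198.51.100.20 matches the address
// element and is allowed; the key element is never reached.
acl "xfer-weak" {
    198.51.100.20;
    key "consumer-a-xfer";
};

// CORRECTED: require both the source address and a valid TSIG signature.
// The nested list { !198.51.100.20; any; } matches every address except
// 198.51.100.20; negating it rejects all of those, so only requests from
// 198.51.100.20 fall through to the key element, which then must match.
acl "xfer-consumer-a" {
    !{ !198.51.100.20; any; };
    key "consumer-a-xfer";
};

zone "rpz.example.net" {
    type master;
    file "rpz.example.net.db";
    allow-transfer { "xfer-consumer-a"; };
    // The consumer is not in the zone's NS RRset (a "stealth slave"), so
    // BIND would not NOTIFY it on its own; list it explicitly.
    also-notify { 198.51.100.20; };
};

// Sign requests (including NOTIFY) sent to this consumer with its key.
server 198.51.100.20 {
    keys { "consumer-a-xfer"; };
};

// ---------- consumer (stealth slave of the RPZ feed) ----------

// Same key statement as on the publisher.
key "consumer-a-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET==";   // placeholder; must match the publisher
};

zone "rpz.example.net" {
    type slave;
    // The key named here signs the SOA, AXFR and IXFR requests to the master,
    // so no separate server clause is needed on this side.
    masters { 192.0.2.10 key "consumer-a-xfer"; };
    file "rpz.example.net.db";
    allow-transfer { none; };   // do not re-export the feed
};

// Apply the transferred zone as response policy.
response-policy { zone "rpz.example.net"; };
```

The difference between the two ACLs is only element order plus the negated nested list, which is why this is easy to get wrong by accident: named-checkconf accepts both, and xfer-weak silently lets any unsigned request from the listed address through.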