rpz question

Hello,

I thought I could build a resolver that allows only a limited set of domains to resolve.
That set of allowed domains should come from an RPZ.

unbound.conf:
  server:
    # the respip module is what applies RPZ policies
    module-config: "respip validator iterator"

  rpz:
    name: "allow-rpz.example."
    zonefile: "/tmp/allow-rpz.example"

/tmp/allow-rpz.example:
  allow-rpz.example. SOA localhost. rpz.localhost. 1 43200 7200 2419200 3600
  allow-rpz.example. NS localhost.
  *.allow-rpz.example. CNAME .                ; CNAME .             => NXDOMAIN action
  com.allow-rpz.example. CNAME .              ; CNAME .             => NXDOMAIN action
  de.allow-rpz.example. CNAME rpz-passthru.   ; CNAME rpz-passthru. => PASSTHRU action

expectation:
  QNAME=com will be answered with NXDOMAIN
  QNAME=de will be answered with real data
  QNAME=net/org/anything will be answered with NXDOMAIN

result:
  QNAME=com is answered with NXDOMAIN
  QNAME=de is answered with real data
  QNAME=net/org/anything is answered with real data

Reading https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-4.2
led me to believe that *.allow-rpz.example. would match any subdomain of ".".
It looks like unbound/RPZ doesn't think so.

Is this a bug, a feature or simply not possible (why?) with unbound's RPZ implementation?
Are there other ways to build such a system?

Andreas

Hi Andreas,

I think you need to add
  *.com.allow-rpz.example. CNAME .
  *.de.allow-rpz.example. CNAME rpz-passthru.
to the RPZ.

Jan.
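
Editor's note: the following is an added example, not code from the thread, from unbound or from the RPZ draft. It is a small model of RPZ QNAME-trigger matching, run over the zone file Andreas posted and over the same zone with Jan's two extra lines, so the effect of each line on a given QNAME can be seen. The matching rule it implements is an assumption (one reading of the draft: exact trigger first, otherwise the most specific wildcard ancestor, with the apex wildcard `*.allow-rpz.example.` acting as a catch-all); whether unbound behaves this way is precisely the open question above, and the model does not settle it. The zone text, the `parse_rpz`/`match_qname`/`decide` helpers and the `CNAME_ACTIONS` table are constructed here for the example.

```python
# Added example (editor's model, not unbound's code or the RPZ draft text):
# a small RPZ QNAME-trigger matcher applied to the zone file from this thread.
# Modelled rule (assumption): an exact trigger wins; otherwise the most
# specific wildcard ancestor wins, and "*.<zone>" (relative name "*") acts as
# a catch-all for every QNAME. Whether unbound implements this reading is
# the open question of the thread; the model only makes the consequences of
# each zone line visible.

POLICY_ZONE = "allow-rpz.example."

# Policy actions encoded as special CNAME targets in RPZ.
CNAME_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Zone text as posted in the thread (constructed inline so this runs offline).
ORIGINAL_ZONE = """\
allow-rpz.example. SOA localhost. rpz.localhost. 1 43200 7200 2419200 3600
allow-rpz.example. NS localhost.
*.allow-rpz.example. CNAME .
com.allow-rpz.example. CNAME .
de.allow-rpz.example. CNAME rpz-passthru.
"""

# The same zone plus the two lines Jan proposed.
WITH_JAN_LINES = ORIGINAL_ZONE + """\
*.com.allow-rpz.example. CNAME .
*.de.allow-rpz.example. CNAME rpz-passthru.
"""


def parse_rpz(text):
    """Collect QNAME triggers: {owner relative to POLICY_ZONE: action}.

    Only CNAME records are policy triggers here; SOA/NS and anything outside
    the policy zone are ignored. A CNAME to an ordinary name is a rewrite
    ("LOCAL-DATA") rather than one of the special actions.
    """
    suffix = "." + POLICY_ZONE
    triggers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "CNAME":
            continue
        owner, target = parts[0].lower(), parts[2].lower()
        if not owner.endswith(suffix):
            continue
        relative = owner[: -len(suffix)]
        triggers[relative] = CNAME_ACTIONS.get(target, "LOCAL-DATA")
    return triggers


def match_qname(triggers, qname):
    """Return (matching trigger, action) or None for a QNAME like 'www.de'.

    Modelled rule (assumption): an exact trigger wins; otherwise walk the
    wildcard ancestors from most to least specific ('*.de', then '*') and
    take the first one that exists.
    """
    labels = [lab for lab in qname.lower().split(".") if lab]
    name = ".".join(labels)
    if name in triggers:
        return name, triggers[name]
    for i in range(1, len(labels) + 1):
        parent = ".".join(labels[i:])
        wildcard = "*." + parent if parent else "*"
        if wildcard in triggers:
            return wildcard, triggers[wildcard]
    return None


def decide(zone_text, qname):
    """Policy action for qname, or 'NO-POLICY' when resolution proceeds normally."""
    hit = match_qname(parse_rpz(zone_text), qname)
    return hit[1] if hit else "NO-POLICY"


if __name__ == "__main__":
    for q in ("com", "de", "net", "www.de", "www.com", "mail.example.org"):
        print(f"{q:18} original: {decide(ORIGINAL_ZONE, q):10} "
              f"with Jan's lines: {decide(WITH_JAN_LINES, q)}")
```

Under this model the original zone reproduces Andreas's expectation (net and org hit the apex wildcard and get NXDOMAIN), not the result he observed, so it does not explain unbound's behaviour. What it does show is the row for www.de: with only `de.allow-rpz.example. CNAME rpz-passthru.` in the zone, every subdomain of de falls through to the apex wildcard and is blocked, and it is Jan's `*.de.allow-rpz.example. CNAME rpz-passthru.` line that lets subdomains of de pass. Note that strict RFC 4592 wildcard semantics would give a different answer for www.de: there the existing node de.allow-rpz.example. is the closest encloser, only `*.de.allow-rpz.example.` would be consulted, and with no such record www.de would get no policy at all.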

I don't see how adding *.com / *.de will help with the expectation.

Andreas