Hi all,
BIND version: 9.11.21
OS: RHEL 7
Compile options: ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --with-openssl --enable-largefile --disable-ipv6 --enable-threads --enable-filter-aaaa
I have configured 4 RPZ zones (2 are from upstream feeds, and the other 2 are local overrides blacklist/whitelist).
The response-policy and RPZ zones configurations are as follows
zone "rpz.local.whitelist"{
type master;
file "zones/master/rpz.local.whitelist.db";
allow-query { localhost; };
};
zone "rpz.local.blacklist" {
type master;
file "zones/master/rpz.local.blacklist.db";
allow-query { localhost; };
};
zone "rpz.whitelist"{
type master;
file "zones/master/rpz.whitelist.db";
allow-query { localhost; };
};
zone "rpz.blacklist" {
type master;
file "zones/master/rpz.blacklist.db";
allow-query { localhost; };
};
Contents of zones that are relevant to the issue
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
I would expect the rpz.whitelist would allow *.
live.com (passthru).
However, if I add the FQDN, not wildcard domain, in the rpz.local.whitelist zone to override the external feeds, the FQDN resolution works
# grep "*\.live\.com" rpz.*
rpz.blacklist.db:onedrive.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.blacklist.db:*.live.com.rpz.blacklist. 3600 IN A 127.66.66.66
rpz.local.whitelist.int.db:onedrive.live.com.rpz.local.whitelist. IN CNAME rpz-passthru.
rpz.whitelist.db:*.live.com.rpz.whitelist. 3600 IN CNAME rpz.passthru.
RPZ wildcard domain whitelist (passthru) doesn't seem to work as it should be.
I have noticed that the last workable version is BIND 9.11.6-P1. I have tested the same configurations with versions 9.11.8, 9.11.19 and 9.11.21, and all produce the same issue.
Has anyone experienced a similar issue here? or have I mis-configured something?
Thanks
myOcella