3 Response Policy Zones (RPZ)
4 ===========================
6 Response Policy Zone is an open standard developed by Paul Vixie (ISC and Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a policy loaded via a zonefile.
8 Frequently, Response Policy Zones get to be very large and change quickly, so it is customary to update them over IXFR.
9 It allows the use of third-party feeds, and near real-time policy updates.
11 If multiple RPZs are loaded, they get consulted in the order they were
12 defined in. It is however possible from Lua to make queries skip specific
13 Response Policy Zones.
17 An RPZ can be loaded from file or slaved from a master. To load from file, use for example:
21 rpzFile("dblfilename")
23 To slave from a master and start IXFR to get updates, use for example:
27 rpzMaster("192.0.2.4", "policy.rpz")
29 In this example, 'policy.rpz' denotes the name of the zone to query for.
31 The action to be taken on a match is defined by the zone itself, but in some cases it might be interesting to be able to override it, and always apply the same action
32 regardless of the one specified in the RPZ zone. To load from file and override the default action with a custom CNAME to badserver.example.com., use for example:
36 rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
38 To instead drop all queries matching a rule, while slaving from a master:
42 rpzMaster("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
44 Note that since 4.2.0, it is possible for the override policy specified via 'defpol' to no longer be applied to local data entries present in the zone by setting the 'defpolOverrideLocalData' parameter to false.
46 As of version 4.2.0, the first parameter of :func:`rpzMaster` can be a list of addresses for failover:
48 rpzMaster({"192.0.2.4","192.0.2.5:5301"}, "policy.rpz", {defpol=Policy.Drop})
50 In the example above, two addresses are specified and will be tried one after another until a response is obtained. The first address uses the default port (53) while the second one uses port 5301.
51 (If no optional port is set, the default port 53 is used)
54 .. function:: rpzFile(filename, settings)
56 Load an RPZ from disk.
58 :param str filename: The filename to load
59 :param {} settings: A table to settings, see below
61 .. function:: rpzMaster(address, name, settings)
63 .. versionchanged:: 4.2.0:
65 The first parameter can be a list of addresses.
67 Load an RPZ from AXFR and keep retrieving with IXFR.
69 :param str address: The IP address to transfer the RPZ from. Also accepts a list of addresses since 4.2.0 in which case they will be tried one after another in the submitted order until a response is obtained.
70 :param str name: The name of this RPZ
71 :param {} settings: A table to settings, see below
77 These options can be set in the ``settings`` of both :func:`rpzMaster` and :func:`rpzFile`.
81 CNAME field to return in case of defpol=Policy.Custom
85 Default policy: `Policy.Custom`_, `Policy.Drop`_, `Policy.NXDOMAIN`_, `Policy.NODATA`_, `Policy.Truncate`_, `Policy.NoAction`_.
87 defpolOverrideLocalData
88 ^^^^^^^^^^^^^^^^^^^^^^^
89 .. versionadded:: 4.2.0
90 Before 4.2.0 local data entries are always overridden by the default policy.
92 Whether local data entries should be overridden by the default policy. Default is true.
96 the TTL of the CNAME field to be synthesized for the default policy.
97 The default is to use the zone's TTL,
101 The maximum TTL value of the synthesized records, overriding a higher value from ``defttl`` or the zone. Default is unlimited.
107 The name logged as 'appliedPolicy' in :doc:`protobuf <protobuf>` messages when this policy is applied.
111 An indication of the number of expected entries in the zone, speeding up the loading of huge zones by reserving space in advance.
113 Extra settings for rpzMaster
114 ----------------------------
115 In addition to the settings above the settings for :func:`rpzMaster` may contain:
119 The name of the TSIG key to authenticate to the server.
120 When this is set, `tsigalgo`_ and `tsigsecret`_ must also be set.
124 The name of the TSIG algorithm (like 'hmac-md5') used
128 Base64 encoded TSIG secret
132 An integer describing the interval between checks for updates.
133 By default, the RPZ zone's default is used
137 The maximum size in megabytes of an AXFR/IXFR update, to prevent resource exhaustion.
138 The default value of 0 means no restriction.
142 The source IP address to use when transferring the RPZ.
143 When unset, :ref:`setting-query-local-address` and :ref:`setting-query-local-address6` are used.
147 .. versionadded:: 4.1.2
148 Before 4.1.2, the timeout was fixed on 10 seconds.
150 The timeout in seconds of the total initial AXFR transaction.
155 .. versionadded:: 4.2.0
157 A path to a file where the recursor will dump the latest version of the RPZ zone after
158 each successful update. This can be used to keep track of changes in the RPZ zone, or
159 to speed up the initial loading of the zone via the `seedFile`_ parameter.
160 The format of the generated zone file is the same than the one used with :func:`rpzFile`,
161 and can also be generated via:
163 rec_control dump-rpz *zone-name* *output-file*
168 .. versionadded:: 4.2.0
170 A path to a file containing an existing dump of the RPZ zone. The recursor will try to load
171 the zone from this file on startup, then immediately do an IXFR to retrieve any updates.
172 If the file does not exist or is not valid, the normal process of doing a full AXFR will
174 This option allows a faster startup by loading an existing zone from a file instead
175 of retrieving it from the network, then retrieving only the needed updates via IXFR.
176 The format of the zone file is the same than the one used with :func:`rpzFile`, and can
177 for example be generated via:
179 rec_control dump-rpz *zone-name* *output-file*
181 It is also possible to use the `dumpFile`_ parameter in order to dump the latest version
182 of the RPZ zone after each update.
187 If no settings are included, the RPZ is taken literally with no overrides applied.
188 Several Policy Actions exist
192 Will return a NoError, CNAME answer with the value specified with ``defcontent``,
193 when looking up the result of this CNAME, RPZ is not taken into account.
197 Will simply cause the query to be dropped.
201 Will continue normal processing of the query.
206 Will return a NoError response with no value in the answer section.
210 Will return a response with a NXDomain rcode.
214 will return a NoError, no answer, truncated response over UDP.
215 Normal processing will continue over TCP