Skip to content

From Bugs (#43718) : extend nsip-wait-recurse or add nsdname-wait-recurse

From BUGS feature request #43718

tl;dr - we should expect there to be similar need with NSDNAME triggers as there was with NSIP triggers, even if no one has asked for it yet.

On 2016-11-23 08:41, vjs wrote:

On the other hand, NSDNAME wasn't requested and I don't think I've ever seen an NSDNAME rule outside of an example..

What about many of the wildcards in rpz.spamhaus.org?

The only rpz.spamhaus.org zone I've seen in detail is dbl, and it didn't have any at the time.

The Spamhaus RPZ zone published as the rpz.spamhaus.org contains about 3.8 million pairs of domains and wildcards. While none of those records are NSDNAME RPZ triggers, they all seem to me prime candidates for being additionally written as NSDNAME triggers.

It would be unconfortable to double the current 192 MByte text size of that zone by adding all of those NSDNAME RPZ rules. However, Fastrpz supports two directives that help. "ip-as-ns yes_or_no" and especially "qname-as-ns yes_or_no" do what I hope their names suggest. As might be guessed, I think those two directives should be added to BIND RPZ.

I should also mention that I did not invent NSDNAME, but added it at the explicit request of RPZ users. Maybe over the years those who asked have stopped using NSDNAME, but I doubt it.

DO we need this?

( Interest expressed in Support ticket #14957 )

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information