Response Policy Zone (RPZ), NSIP rules, and nsip-wait-recurse
- Updated on 20 Apr 2018
You, or your security team, want to use RPZ NSIP rules to filter results and protect your users. Unfortunately, some of the names you need to resolve are served by ill-behaved name servers, and as long as NSIP rules are in effect those names fail to resolve.
One case in which this happens is a service that maps information into DNS (e.g. email sender reputation) using a period (.) to separate logical chunks of data. Each period in such a name is a potential zone cut, i.e. a point at which a delegation to a different set of name servers could exist.
The specification for NSIP rules requires that they be checked against the IP addresses of all name servers responsible for the zone containing the name and for all of its parent zones. To discover those servers, named must issue NS and SOA queries at every potential zone cut in the name. If the server(s) presenting the mapping as DNS do not respond to those queries, named has to wait for each one to time out, and because the servers to ask at one level depend on the answers from the level above, the lookups must be made serially. With enough periods in the mapped name, reaching a policy decision can take far longer than the client is willing to wait for an answer.
Starting in BIND 9.11.0 there is a new clause in the response-policy statement, nsip-wait-recurse. Its default, yes, keeps the behaviour described above. Setting it to no directs named to use only the records it already has available, whether in cache or in local authoritative zones, when deciding whether an NSIP rule matches.
In the example above, named would then not attempt to look up records at any of the unused potential zone cuts, so it can render a match/no-match verdict on the NSIP rule without delay. The trade-off is that a rule can fail to match the first time a name is queried, before the NS and address records it depends on have been cached; later queries for the same name are evaluated against the cached data.
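The following named.conf fragment is an added illustration of where the clause goes; it is not configuration taken from the original article or from ISC. The zone name rpz.example, the file name and the directory are placeholders.

```conf
options {
    directory "/var/named";   // placeholder path
    recursion yes;

    // Apply the local policy zone. nsip-wait-recurse no makes named
    // evaluate NSIP rules using only NS/A/AAAA records it already holds
    // (cache or local authoritative data) instead of recursing to find
    // the name servers at every potential zone cut of the queried name.
    response-policy {
        zone "rpz.example";   // placeholder zone name
    } nsip-wait-recurse no;
};

// The policy zone itself. It is consulted by the RPZ code and should
// not be served to clients as ordinary DNS data.
zone "rpz.example" {
    type master;
    file "rpz.example.db";   // placeholder file name
    allow-query { none; };
};
```

In rpz.example.db an NSIP rule is written with the prefix length and the reversed address under the rpz-nsip label, for example `24.0.2.0.192.rpz-nsip IN CNAME .`, which returns NXDOMAIN for any name whose name servers fall within 192.0.2.0/24 (documentation address space, used here only as a placeholder). With nsip-wait-recurse no, a name whose NS records are not yet cached can pass such a rule on its first query; once the cache holds the NS and address records, subsequent queries are matched against it.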
© 2001-2018 Internet Systems Consortium