[Pdns-users] Recursor 5.4.0: RPZ matches on '.' root query, breaks DNSSEC validation (Indeterminate instead of Bogus)
Otto Moerbeek
otto at drijf.net
Mon Apr 20 10:55:43 UTC 2026
On Mon, Apr 20, 2026 at 11:51:50AM +0100, Brian Candler wrote:
> On 20/04/2026 10:58, Otto Moerbeek via Pdns-users wrote:
> > which could lead to unexpected matches as well. I have to think if it
> > is possible to skip those as well, though this is dangerous territory,
> > as afaik we have no defined way to distinguish actual custom records
> > from these kind of "meta" records.
>
> An option to skip everything at the RPZ apex?
>
The TXT records are not at the apex, but stil not intended to be party
of the RPZ policy. The RPZ "standard" does no have a provision for
these kind of records. Anything we invent is ad-hoc.
-Otto
More information about the Pdns-users
mailing list