Hi.

Recently we turned on the NSIP and NSDNAME RPZ functionality in the BIND 9.8.3 we distribute in RHEL-6. Our QA has a simple test consisting of one RPZ zone with NSDNAME and NSIP rules (see the attached files). As part of the test, they query named for www.redhat.cz using dig.

Now, the RPZ zone "badlist" contains NSDNAME rules for all NS used by the "cz." domain. With BIND 9.8.3 the query is rewritten by the RPZ rules. In RHEL-7 with BIND 9.9.4 and in Fedora with BIND 9.10.2-P1 the behavior differs. Although queries for anything under *.nic.cz are correctly rewritten by the RPZ, the query for www.redhat.cz (and also for www..cz) succeeds even though the NS for the cz. TLD are filtered.

The documentation says that: "NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME." (from ARM section 6.2.16.2 about RPZ). Since the "cz." authoritative servers are those of a parent of the query name for anything in *.cz., all queries in the "cz." domain should be rewritten by the RPZ policy.

Note that *.nic.cz is most probably blocked because its authoritative NS are the same as those for "cz.", since nic.cz is the registry for the "cz." TLD.

So far I have not been able to determine the code or change that causes the behavior to differ from BIND 9.8.3.

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc.
http://cz.redhat.com
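As an added illustration of the setup the message describes (this is a constructed example, not the attached test files and not code from the original post): a named.conf stanza that enables a single policy zone, followed by the RPZ zone file with NSDNAME and NSIP triggers. The zone name "badlist", the file path, the four name-server names under ns.nic.cz and the addresses 192.0.2.0/24 and 2001:db8::53 are assumptions chosen for the example; a real test would list the actual NS set and addresses of the "cz." zone.

```text
// ---- named.conf fragment (assumed; '//' comments) ----
options {
    // Every response is checked against the "badlist" policy zone.
    response-policy { zone "badlist"; };
};

zone "badlist" {
    type master;
    file "/var/named/badlist.db";      // assumed path
    allow-query { localhost; };        // policy data is not for clients
};

// ---- /var/named/badlist.db, the RPZ zone file (';' comments) ----
$TTL 1H
@                           IN SOA   localhost. root.localhost. (
                                     1      ; serial
                                     1h     ; refresh
                                     15m    ; retry
                                     30d    ; expire
                                     2h )   ; minimum
                            IN NS    localhost.

; NSDNAME triggers: <ns name>.rpz-nsdname
; Fire when an authoritative server for the query name, or for a
; parent of it, has this name.  CNAME "." means answer NXDOMAIN.
a.ns.nic.cz.rpz-nsdname     IN CNAME .
b.ns.nic.cz.rpz-nsdname     IN CNAME .
c.ns.nic.cz.rpz-nsdname     IN CNAME .
d.ns.nic.cz.rpz-nsdname     IN CNAME .

; NSIP triggers: <prefix length>.<IPv4 octets reversed>.rpz-nsip
; 192.0.2.1/32 (documentation address used as a placeholder)
32.1.2.0.192.rpz-nsip       IN CNAME .
; A whole /24 of name-server addresses, answered with NODATA ("*.")
24.2.0.192.rpz-nsip         IN CNAME *.

; IPv6: <prefix length>.<16-bit words reversed>.rpz-nsip, "zz" for "::"
; 2001:db8::53/128 (documentation prefix, placeholder)
128.53.zz.db8.2001.rpz-nsip IN CNAME .
```

To exercise it the way the message describes, point dig at the resolver (`dig @127.0.0.1 www.redhat.cz A`): with the rewrite in effect the answer carries `status: NXDOMAIN` (or an empty answer for the `*.` rules), while a normal delegation answer means no NSDNAME or NSIP trigger fired. Turning on the `rpz` logging category shows which rewrites named actually performed, which is the quickest way to tell "trigger not matched" from "policy zone not consulted". Two caveats worth checking when comparing versions: in 9.8 the NSIP and NSDNAME code is only present when named was built with those options enabled, and 9.9 and later add a `min-ns-dots` option to `response-policy` (default 1) that skips NSIP/NSDNAME checks for query names with fewer dots; a name such as www.redhat.cz has two, so that option alone does not account for the difference described above (confirm the exact semantics in the ARM for your version).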