Hi there,
I work for ThreatSTOP, a company that distributes DNS policies using RPZ to our customers.
One prospective customer uses knot-resolver and so they have asked us to look at what we
can support with respect to importing our data into knot-resolver.
I have read the documentation and I have done some testing with 5.7.2, which is the version
in Ubuntu 24.04.
I have also read some of the documentation for version 6.x.
I have a few questions.
The first is fairly basic. What is the status of 6.x?
From what I can see, it seems to be under
development and not to be considered stable. Is this correct? And therefore we should
not recommend it to our users?
Assuming that is the case, it's unfortunate
because RPZ support seems to be considerably better in 6.x. However, I'm still a bit
confused as to the RPZ support and would appreciate being pointed to a spec. The 6.x
documentation was not clear to me.
Also, I have questions about policy limitations, which I don't see in the documentation
for 5.x.
How large can an RPZ be?
How many policies can you have?
For example, I'd like an ALLOW, a DENY, and perhaps one to three A record rewrite
policies. The total across all RPZs would be in the 500k-1M record range.
Also, assuming it is supported, what are the performance impacts of large (say 500k+) RPZ
policies?
I intend to test some of this, but if there are known limits that can be shown, that will
help both the testing and the recommendations to our customers.
Finally, is there a place to publicize a script that does a zone transfer of a policy from
an external server (e.g. ours) and outputs 3 or 4 zones in the right format for
knot-resolver to import?
Regards,
Francis
Francis Turner
Threat STOP Global SE
JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
Office: +1-760-542-1550 | Line: francisturner
francis@threatstop.com | www.threatstop.com
Weaponize Your Threat Intelligence
"If You Don't Build It, They Definitely Will Not Come" - P. Vixie