Hi there,

I work for ThreatSTOP, a company that distributes DNS policies using RPZ to our customers.

One prospective customer uses knot-resolver, and so they have asked us to look at what we can support with respect to importing our data into knot-resolver.

I have read the documentation and I have done some testing with 5.7.2, which is the version in Ubuntu 24.04.

I have also read some of the documentation for version 6.x.

I have a few questions.

The first is fairly basic. What is the status of 6.x?

From what I can see it seems to be undergoing development and not to be considered as stable. Is this correct? And therefore we should not recommend it to our users?

Assuming that is the case, it’s unfortunate because RPZ support seems to be considerably better in 6.x. However, I’m still a bit confused as to the RPZ support and would appreciate being pointed to a spec. The 6.x documentation was not clear to me.

Also, I have questions about policy limitations, which I don’t see in the documentation for 5.x.

How large can an RPZ be?

How many policies can you have?

For example, I’d like an ALLOW, a DENY, and perhaps one to three A record rewrite policies. The total across all RPZs would be in the 500k-1M records range.

Also, assuming it is supported, what are the performance impacts of large (say 500k+) RPZ policies?

I intend to test some of this, but if there are known limits that can be shown, that will help both the testing and the recommendations to our customers.

Finally, is there a place to publicize a script that does a zone transfer of a policy from an external server (e.g. ours) and outputs 3 or 4 zones in the right format for knot-resolver to import?

Regards,

Francis

Francis Turner

Threat STOP Global SE

JP Cell: +81-8080404701 | US Cell: +1-760-402-7676

Office: +1-760-542-1550 | Line: francisturner

francis@threatstop.com | www.threatstop.com

Weaponize Your Threat Intelligence  

“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
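The sorting step behind the script described in the last question, as an added example that is neither knot-resolver's nor ThreatSTOP's code: it assumes the RPZ zone has already been fetched as presentation-format text (for instance by AXFR) and splits its records by RPZ action into separate allow, deny and rewrite zones, so each can be loaded as its own policy with the allow-list first. The sample feed, the output zone names and the grouping of DROP with deny are assumptions made for the example.

```python
import re
from collections import defaultdict
# Added example (not knot-resolver's or ThreatSTOP's code): take an RPZ zone that
# was already fetched as text, e.g. by AXFR, and sort its records into the
# allow / deny / rewrite buckets described in the mail, one zone file each.
# RPZ encodes the action in the CNAME target; any other record is "local data".
CNAME_ACTIONS = {
    ".": "deny",               # NXDOMAIN
    "*.": "deny",              # NODATA
    "rpz-drop.": "deny",       # DROP, grouped with deny here (assumption)
    "rpz-passthru.": "allow",  # PASSTHRU: exempt from later policies
}
RR = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")

def classify(rtype, rdata):
    # A/AAAA records and CNAMEs to real names are rewrites (local data)
    if rtype == "CNAME":
        return CNAME_ACTIONS.get(rdata.strip().lower(), "rewrite")
    return "rewrite"

def split_rpz(zone_text):
    buckets = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip $ORIGIN / $TTL
            continue
        m = RR.match(line)
        if not m:
            raise ValueError(f"unparsed RPZ line: {line!r}")
        owner, rtype, rdata = m.group("owner", "type", "rdata")
        if rtype in ("SOA", "NS"):               # apex housekeeping, not policy
            continue
        buckets[classify(rtype, rdata)].append((owner, rtype, rdata.strip()))
    return dict(buckets)

def render_zone(origin, records, ttl=300):
    # Emit one bucket as a loadable zone with a placeholder SOA/NS apex
    head = [f"$ORIGIN {origin}", f"$TTL {ttl}",
            f"@ IN SOA localhost. root.localhost. 1 3600 900 604800 {ttl}",
            "@ IN NS localhost."]
    return "\n".join(head + [f"{o} IN {t} {r}" for o, t, r in records]) + "\n"

SAMPLE = """\
$ORIGIN rpz.example.net.
@ IN SOA localhost. root.localhost. 2024010101 3600 900 604800 300
bad.example.test     IN CNAME .               ; NXDOMAIN
*.bad.example.test   IN CNAME .
empty.example.test   IN CNAME *.              ; NODATA
ok.example.test      IN CNAME rpz-passthru.   ; allow-list entry
sink.example.test    IN A 192.0.2.10          ; rewrite to walled garden
alias.example.test   IN CNAME landing.example.test.
"""  # constructed sample feed using documentation/test names only
```

Calling `render_zone(f"{action}.rpz.local.", recs)` for each item of `split_rpz(SAMPLE)` writes the three zone texts; load the allow zone before the others so PASSTHRU entries take precedence.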