On 30/12/2025 10.58, Francis Turner wrote:
> Relatedly the log: syntax in the documentation (
> https://www.knot-resolver.cz/documentation/latest/config-local-data.html#cm…
> ) is not at all clear. It looks like I can leave it blank and get
> everything but if not what should it be?
I suppose the documentation should have examples, and there aren't many
variants so far anyway. You can't leave it blank. To get both you
write e.g. log: [ name, ip ]
> Second. Rpz-passthru appears not to be supported
> correctly
Correct. We don't support them yet. Our docs say:
rules with rpz-* labels are ignored, e.g.
.rpz-client-ip
Perhaps you can share more information about typical use cases that you
have for these missing features? The thing is that the RPZ draft
specifies very, very complex mechanics for how rules interact, and some of
that would basically clash with what we have in Knot Resolver, so we
don't follow all of that, but we certainly want to keep good support for
use cases common in practice.
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-5
Also, beware that in our current implementation the rule
*.example.com. CNAME .
will return NXDOMAIN also for
example.com itself, contrary to what RPZ
definition says.
> Finally, maybe a bug? The watchdog doesn't always
> trigger on an RPZ
> file change. Not quite sure what is the issue except that sed -i
> file.rpz definitely failed to trigger it.
I can retest that later, but note that you need an extra dependency for
the detection to work.
https://repology.org/project/python:watchdog
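As an added illustration of the QNAME-trigger semantics discussed in this thread (example code written for this page, not Knot Resolver's implementation): a small Python matcher that parses the QNAME rules of a constructed RPZ zone, skips owners carrying rpz-* trigger labels as the docs describe, and applies `*.example.com. CNAME .` to strict subdomains only, as the RPZ draft defines. A `wildcard_covers_apex` switch reproduces the apex-also behaviour the reply describes, so the two can be compared on the same rules. The policy-zone name rpz.local., the sample zone text and all names in it are constructed.

```python
"""RPZ QNAME-trigger matcher (constructed example, not Knot Resolver code).

Rule selection follows the RPZ draft for QNAME triggers: an exact owner
matches only that name, and a wildcard owner "*.X" matches names strictly
below X. The CNAME target encodes the policy action.
"""
from dataclasses import dataclass
from typing import Optional

POLICY_ZONE = "rpz.local."  # constructed name of the policy zone


def labels(name: str) -> list:
    """Split a DNS name into lowercase labels, most specific first."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


@dataclass(frozen=True)
class Rule:
    owner: tuple      # labels relative to the policy zone, "*" already removed
    wildcard: bool    # True for "*.X" owners
    action: str       # NXDOMAIN, NODATA, PASSTHRU, DROP, CNAME ..., LOCAL-DATA ...


def action_for(rtype: str, rdata: str) -> str:
    """Map the record on a trigger to the RPZ policy action it encodes."""
    if rtype != "CNAME":
        return f"LOCAL-DATA {rtype} {rdata}"
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    return special.get(rdata.lower(), f"CNAME {rdata}")


def parse_rpz(text: str) -> list:
    """Extract QNAME rules from presentation-format zone text.

    SOA/NS apex records are skipped, and so is any owner containing an
    rpz-* label (rpz-ip, rpz-client-ip, rpz-nsdname, ...), mirroring the
    documented behaviour quoted in the mail.
    """
    zone = labels(POLICY_ZONE)
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # blank lines and $TTL/$ORIGIN
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                           # optional TTL and class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("SOA", "NS"):
            continue
        name = labels(owner)
        if name[-len(zone):] != zone:             # owner must sit inside the policy zone
            continue
        name = name[:-len(zone)]
        if any(lab.startswith("rpz-") for lab in name):
            continue                              # non-QNAME trigger: ignored
        wildcard = bool(name) and name[0] == "*"
        if wildcard:
            name = name[1:]
        rules.append(Rule(tuple(name), wildcard, action_for(rtype, rdata)))
    return rules


def lookup(rules: list, qname: str, wildcard_covers_apex: bool = False) -> Optional[str]:
    """Return the action for qname, or None when no QNAME trigger matches.

    An exact rule always wins. Otherwise the closest enclosing wildcard
    applies; per the draft "*.X" does not cover X itself unless
    wildcard_covers_apex is set (the current-implementation behaviour
    described in the thread).
    """
    q = tuple(labels(qname))
    exact = {r.owner: r.action for r in rules if not r.wildcard}
    wild = {r.owner: r.action for r in rules if r.wildcard}
    if q in exact:
        return exact[q]
    start = 0 if wildcard_covers_apex else 1      # cut=0 is the apex itself
    for cut in range(start, len(q) + 1):
        if q[cut:] in wild:
            return wild[q[cut:]]
    return None


# Constructed sample policy zone (not real data).
RPZ_TEXT = """\
$TTL 300
rpz.local.  IN SOA ns.rpz.local. hostmaster.rpz.local. 1 3600 900 604800 300
rpz.local.  IN NS  ns.rpz.local.
*.example.com.rpz.local.      CNAME .             ; NXDOMAIN for names under example.com
allow.example.com.rpz.local.  CNAME rpz-passthru. ; exact rule exempts this name
bad.test.rpz.local.           CNAME .
tracker.test.rpz.local.       A     127.0.0.1     ; local-data override
32.1.0.0.127.rpz-ip.rpz.local. CNAME .            ; rpz-ip trigger: skipped by this matcher
"""

RULES = parse_rpz(RPZ_TEXT)

if __name__ == "__main__":
    for name in ("www.example.com.", "example.com.", "allow.example.com.", "tracker.test."):
        print(f"{name:22} draft: {lookup(RULES, name)!s:14} "
              f"apex-also: {lookup(RULES, name, wildcard_covers_apex=True)}")
```

Running the block prints, for each sample name, the action under the draft's wildcard semantics next to the action when the wildcard is also applied to the apex; only example.com. itself differs between the two columns.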