Relatedly, the log: syntax in the documentation ( https://www.knot-resolver.cz/documentation/latest/config-local-data.html#cmdoption-arg-log ) is not at all clear. It looks like I can leave it blank and get everything, but if not, what should it be?
I suppose the documentation should have examples, and there aren't many variants so far anyway. You can't leave it blank. To get both you write e.g. log: [ name, ip ]
Second: rpz-passthru appears not to be supported correctly.
Correct. We don't support them yet. Our docs say:
rules with rpz-* labels are ignored, e.g. .rpz-client-ip
Perhaps you can share more information about typical use cases that you have for these missing features? The thing is that the RPZ draft specifies very very complex mechanics for how rules interact, and some of that would basically clash with what we have in Knot Resolver, so we don't follow all of that, but we certainly want to keep good support for use cases common in practice.
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-5
Also, beware that in our current implementation the rule
*.example.com. CNAME .
will return NXDOMAIN also for example.com itself, contrary to what the RPZ definition says.
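The apex-versus-wildcard point above is easy to get wrong when auditing a blocklist, so here is an added example (my own toy matcher, not Knot Resolver code) that evaluates RPZ QNAME rules two ways: with the draft's ordinary DNS wildcard semantics, where "*.example.com." covers subdomains only, and with the behaviour described in the reply, where the apex "example.com." is hit as well. The zone text, the two mode names and the helper names are all constructed for the example; only the NXDOMAIN ("CNAME .") and NODATA ("CNAME *.") actions are modelled.

```python
"""Toy RPZ QNAME matcher (added example, not Knot Resolver code).

Shows how the same rule set answers a query under the RPZ draft's wildcard
semantics versus the apex-also-matches behaviour described in the thread,
and lists the apex names whose answer differs between the two.
"""

# Action encoded by the CNAME target of an RPZ rule (subset of the draft).
ACTIONS = {"CNAME .": "NXDOMAIN", "CNAME *.": "NODATA"}

# Whether an owner "*.zone." also triggers on "zone." itself.
# Mode names are constructed for this example.
APEX_COVERED_BY_WILDCARD = {"rpz-draft": False, "knot-current": True}

# Constructed sample zone text: one rule per line, ';' starts a comment.
RPZ_SAMPLE = """
*.example.com.   CNAME .    ; NXDOMAIN for every subdomain of example.com
ok.example.com.  CNAME *.   ; exact owner: shadows the wildcard above
ads.example.net. CNAME *.   ; NODATA for this one exact name
"""


def parse_rules(zone_text):
    """Parse '<owner> <type> <rdata>' lines into (owner, action) pairs."""
    rules = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blanks
        if not line:
            continue
        owner, rdata = line.split(None, 1)
        rules.append((owner.lower(), ACTIONS[" ".join(rdata.split())]))
    return rules


def _labels(name):
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _owner_matches(owner, qname, apex_covered):
    o, q = _labels(owner), _labels(qname)
    if o and o[0] == "*":
        suffix = o[1:]
        if len(q) < len(suffix) or q[len(q) - len(suffix):] != suffix:
            return False
        # q is a proper subdomain of the wildcard base, or the base itself.
        return len(q) > len(suffix) or apex_covered
    return o == q


def policy_for(rules, qname, mode="rpz-draft"):
    """Return the action applied to qname, or None when no rule triggers.

    An exact owner shadows a wildcard owner, as in ordinary DNS wildcards.
    """
    apex_covered = APEX_COVERED_BY_WILDCARD[mode]
    exact = [a for o, a in rules
             if not o.startswith("*") and _owner_matches(o, qname, apex_covered)]
    if exact:
        return exact[0]
    wild = [a for o, a in rules
            if o.startswith("*") and _owner_matches(o, qname, apex_covered)]
    return wild[0] if wild else None


def apex_names_affected(rules, mode="knot-current"):
    """Apex names whose answer under `mode` differs from the draft semantics.

    Useful when reviewing a blocklist before loading it into a resolver that
    also applies wildcard rules to the apex.
    """
    affected = []
    for owner, _ in rules:
        if not owner.startswith("*."):
            continue
        apex = owner[2:]
        if policy_for(rules, apex, mode) != policy_for(rules, apex, "rpz-draft"):
            affected.append(apex)
    return affected


if __name__ == "__main__":
    rules = parse_rules(RPZ_SAMPLE)
    for name in ("www.example.com.", "example.com.", "ok.example.com."):
        print(name, policy_for(rules, name), policy_for(rules, name, "knot-current"))
    print("apex names affected:", apex_names_affected(rules))
```

Running the audit helper over a real blocklist is the practical use: every name it prints is a zone whose apex would answer NXDOMAIN although the list author only intended to cover subdomains.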
Finally, maybe a bug? The watchdog doesn’t always trigger on an RPZ file change. Not quite sure what the issue is, except that sed -i file.rpz definitely failed to trigger it.
I can retest that later, but note that you need an extra dependency for the detection to work:
https://repology.org/project/python:watchdog
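When a file watcher seems to miss an edit, the first thing to establish is which kind of edit the tool performs: modifying the existing file, or writing a new file and renaming it over the old one (GNU sed -i does the latter, so the path keeps its name but gets a new inode). The following added example is my own illustration, unrelated to the python-watchdog library or Knot Resolver's implementation; it performs both kinds of edit on a constructed temporary file and shows that a fingerprint of (inode, mtime, size) taken from the path notices both, while a check pinned to the original inode only notices the in-place edit. File names and helper names are constructed for the example.

```python
"""Added example, not Knot Resolver or python-watchdog code.

Compares two ways a tool can change a file and what a watcher keyed on the
path versus one keyed on the original inode observes in each case.
"""

import os
import tempfile


def edit_in_place(path, text):
    """Rewrite the existing file: same inode, new size/mtime."""
    with open(path, "r+") as f:
        f.seek(0)
        f.write(text)
        f.truncate()


def edit_by_replace(path, text):
    """Write a temp file and rename it over the target (what sed -i does):
    the path now refers to a new inode."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def fingerprint(path):
    """Polling-style fingerprint taken from the path, not from an open fd."""
    st = os.stat(path)
    return (st.st_ino, st.st_mtime_ns, st.st_size)


def path_changed(before, path):
    """A watcher comparing fingerprints of the path sees both edit kinds."""
    return fingerprint(path) != before


def inode_changed(before, path):
    """True when the path now points at a different inode (rename-replace)."""
    return os.stat(path).st_ino != before[0]


def demo():
    """Return, per edit kind, (path fingerprint changed, inode changed).

    The three contents deliberately differ in length so that the size
    component of the fingerprint changes even on filesystems with coarse
    timestamp granularity.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "blocklist.rpz")          # constructed name
        with open(path, "w") as f:
            f.write("*.example.com. CNAME .\n")

        fp0 = fingerprint(path)
        edit_in_place(path, "*.example.com. CNAME .\nads.example.net. CNAME *.\n")
        in_place = (path_changed(fp0, path), inode_changed(fp0, path))

        fp1 = fingerprint(path)
        edit_by_replace(path, "*.example.org. CNAME .\n")
        replaced = (path_changed(fp1, path), inode_changed(fp1, path))

        return {"in_place": in_place, "replace": replaced}


if __name__ == "__main__":
    for kind, (seen, new_inode) in demo().items():
        print(f"{kind:9s} path fingerprint changed={seen} inode changed={new_inode}")
```

The takeaway for debugging a missed reload is that anything holding an inotify watch or an open descriptor on the original inode stops seeing the file after a rename-replace; a watcher that re-stats the path, or watches the directory entry, keeps working for both edit styles.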