Hi Vladimir,
Believe it or not, I tried the 'zone transfer via dig' route,
scheduling via cron :-)
6 5 * * * dig @X.X.X.X -y hmac-sha256:ioc2rpz.net-foo doh.ioc2rpz AXFR > /etc/knot-resolver/doh.ioc2rpz
The files produced by dig don't follow the masterfile format, however,
so neither kresd nor named would load them without modification.
YMMV with kdig; haven't tried it as yet.
Given current constraints, I found that it's more elegant to take a
zone transfer using an authoritative server (speaking of which, I must
try the Knot one), which can then also better keep the zone fresh.
Kresd's excellent watch functionality for RPZs makes this possible.
For the RPZ stack logic to make sense in a top-down approach, I'm guessing
that we should make the decision / exit the stack on the first match,
so if passthru matches in tier 1 and there's an NXDOMAIN match in tier
2, the traffic gets passed.
The issue is that kresd does not currently recognise "rpz-passthru" in
the RPZ zone files, according to logged errors.
The lack of published / ratified RFCs around RPZs hasn't helped ;-)
(For interested parties, ioc2rpz is worth a look, offering free
accounts, many zones, and the ability to zone transfer from their
primary servers.)
Cheers,
GC
On Wed, 4 Feb 2026 at 08:23, Vladimír Čunát <vladimir.cunat(a)nic.cz> wrote:
Hello.
On 03/02/2026 19.22, Giles Crawford wrote:
Just wondering how you guys are ingesting RPZ feeds into Knot Resolver.
While Knot doesn't natively support zone transfers at this time, it
can import the zone files, and then kick the zone if the file changes,
so that's what I'm doing.
Some automation for obtaining RPZs is certainly among the features which we would like to
add.
I'm doing the zone transfers (10 zones from ioc2rpz) using BIND for
now, and then writing the zone files to storage that Knot Resolver can
read.
It's possible to
kdig @server AXFR zone.name > some file
or the same with dig or another tool. And run that on a timer. Sometimes such
simplicity suffices, e.g. if the RPZ is small or doesn't need to update often.
Would be great to see rpz-passthru support in the BIND format too
(forgive me if that's already possible) so that a traditional
white-list-first tiered approach can be followed.
We have code for that outside the master branch and releases already, but I'm not
sure about details, i.e. what behavior is mostly expected on conflicting rules, CNAMEs,
etc. (I do know that the RPZ draft does specify this, but...)
(Super impressed with Knot resolver, so hats off to all at CZ).
Thanks :-)
--Vladimir
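A worked version of the dig/kdig-on-a-timer approach that both messages above describe, added here as an example; it is not code from either poster or from the Knot Resolver project. It post-processes dig's AXFR output into plain master-file records (dropping dig's ';' comments, the TSIG meta-RR that a signed transfer prints, and the repeated trailing SOA), refuses to install a transfer that does not start with an SOA, and replaces the zone file atomically so a file watcher only ever sees a complete zone. The zone name, server address, TSIG secret and paths are placeholders, and the embedded dig output is a constructed sample, not a real ioc2rpz transfer.

```shell
#!/bin/sh
# Added example, not from the thread: fetch an RPZ with a TSIG-signed AXFR,
# reduce dig's output to loadable master-file records, validate, and install
# atomically. All names below are placeholders, not ioc2rpz's real values.

ZONE="doh.ioc2rpz"                              # placeholder zone name
SERVER="192.0.2.1"                              # placeholder primary (TEST-NET-1)
TSIG="hmac-sha256:ioc2rpz.net-foo:c2VjcmV0"     # placeholder key; the real one comes from the provider
DEST="/etc/knot-resolver/${ZONE}"               # path given to policy.rpz() in kresd.conf

# Transfer the zone. +onesoa asks dig to print the SOA once; the awk filter
# below copes anyway, so the same pipeline works for tools without that flag.
fetch_axfr() {
    dig @"$SERVER" -y "$TSIG" "$ZONE" AXFR +onesoa
}

# Keep only class-IN resource records: drop ';' comment lines, blank lines,
# the TSIG pseudo-record (class ANY) of a signed transfer, and any SOA after
# the first. What remains is valid master-file syntax with absolute owners.
normalize_axfr() {
    awk '
        /^;/ || NF < 5 || $3 != "IN" { next }    # comments, blanks, TSIG
        $4 == "SOA" { if (seen_soa++) next }      # keep the first SOA only
        { print }
    '
}

# A transfer that failed (REFUSED, bad key, cut short) does not produce a
# file whose first record is an SOA; refuse to ship such a file.
check_zone() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | awk '$4 == "SOA" { ok = 1 } END { exit !ok }' || return 1
    awk '$4 == "TSIG" { bad = 1 } END { exit bad }' "$f" || return 1
    return 0
}

# Write next to the destination and rename, so a watcher (inotify in kresd's
# case) sees one complete file and never a half-written one.
install_zone() {
    src="$1"; dest="$2"
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# Full cron entry point: fetch, clean, check, install.
update_rpz() {
    raw="$(mktemp)"; clean="$(mktemp)"
    if ! fetch_axfr > "$raw"; then
        rm -f "$raw" "$clean"; return 1
    fi
    normalize_axfr < "$raw" > "$clean"
    if check_zone "$clean"; then
        install_zone "$clean" "$DEST"; rc=$?
    else
        echo "refusing to install incomplete transfer of $ZONE" >&2; rc=1
    fi
    rm -f "$raw" "$clean"
    return $rc
}

# Constructed sample of a signed AXFR as dig prints it (not a real transfer),
# so the pipeline can be exercised without network access.
SAMPLE_AXFR='; <<>> DiG 9.18.0 <<>> @192.0.2.1 -y hmac-sha256:ioc2rpz.net-foo doh.ioc2rpz AXFR
;; global options: +cmd
doh.ioc2rpz.                  3600 IN SOA   ns1.example.net. hostmaster.example.net. 2026020401 3600 600 86400 3600
doh.ioc2rpz.                  3600 IN NS    ns1.example.net.
malware.example.doh.ioc2rpz.  3600 IN CNAME .
*.malware.example.doh.ioc2rpz. 3600 IN CNAME .
allowed.example.doh.ioc2rpz.  3600 IN CNAME rpz-passthru.
doh.ioc2rpz.                  3600 IN SOA   ns1.example.net. hostmaster.example.net. 2026020401 3600 600 86400 3600
ioc2rpz.net-foo.              0    ANY TSIG hmac-sha256. 1770000000 300 32 AAAA= 1234 NOERROR 0
;; Query time: 12 msec
;; XFR size: 6 records (messages 1, bytes 300)'

# Run the normaliser over the sample; prints the cleaned zone on stdout.
demo_normalize() {
    printf '%s\n' "$SAMPLE_AXFR" | normalize_axfr
}

case "${1:-demo}" in
    run)  update_rpz ;;
    demo) demo_normalize ;;
esac
```

Run it as `sh rpz-fetch.sh run` from cron in place of the bare dig redirect; with no argument it only prints the cleaned sample. On the kresd side the file is loaded with policy.rpz(); the watch argument of that function (the file watch the first message refers to) is what turns the atomic rename into a reload, which is why the script never writes into the destination path directly.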