Hello.
Just wondering how you guys are ingesting RPZ feeds into Knot Resolver. While Knot doesn't natively support zone transfers at this time, it can import the zone files, and then kick the zone if the file changes, so that's what I'm doing.
Some automation for obtaining RPZs is certainly among the features we would like to add.
I'm doing the zone transfers (10 zones from ioc2rpz) using BIND for now, and then writing the zone files to storage that Knot Resolver can read.
It's possible to
kdig @server AXFR zone.name > some file
or the same with dig or another tool, and run that on a timer. Sometimes such simplicity suffices, e.g. if the RPZ is small or doesn't need to update often.
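The timer-driven kdig approach sketched above, as an added example that is not the Knot project's code nor anything from this thread: it validates the transferred zone before installing it, so a refused or empty AXFR never overwrites a working RPZ (which would silently turn blocking off), and it only rewrites the file when the content really changed, so the file-change trigger on the resolver side fires only on real updates. Server address, zone name and destination path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: fetch one RPZ zone with kdig AXFR
# on a timer and install it for Knot Resolver only when the transfer looks
# sane and differs from the current file.
set -u

# Drop kdig's ";;" comment lines (they carry timings that change every run)
# so two transfers of the same zone compare equal.
strip_comments() {
    grep -v '^;' "$1" > "$2" || :
}

# Sanity check: non-empty and carrying an SOA record. A REFUSED or truncated
# transfer leaves no SOA behind once the comments are stripped.
zone_looks_valid() {
    [ -s "$1" ] && grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]' "$1"
}

# Atomically replace $2 with $1 if they differ; return 1 (and discard $1)
# when nothing changed, so the resolver is not kicked for no reason.
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$1"
        return 1
    fi
    mv -f "$1" "$2"
}

# fetch_rpz SERVER ZONE DEST  (all three values are assumptions)
fetch_rpz() {
    server=$1; zone=$2; dest=$3
    raw=$(mktemp) || return 1
    # temp file beside the destination, so the final mv is a same-fs rename
    new=$(mktemp "$(dirname "$dest")/.rpz.XXXXXX") || { rm -f "$raw"; return 1; }
    # Same argument order as in the thread; kdig exits non-zero on transport
    # failures, and an error RCODE yields no SOA, which is caught below.
    if ! kdig @"$server" AXFR "$zone" > "$raw"; then
        echo "AXFR of $zone from $server failed, keeping old file" >&2
        rm -f "$raw" "$new"; return 1
    fi
    strip_comments "$raw" "$new"; rm -f "$raw"
    if ! zone_looks_valid "$new"; then
        echo "transfer of $zone looks empty or invalid, keeping old file" >&2
        rm -f "$new"; return 1
    fi
    install_if_changed "$new" "$dest" && echo "$zone: installed new copy"
    return 0
}

# Cron entry (assumed paths): */10 * * * * sh fetch-rpz.sh 192.0.2.53 rpz.example /var/lib/knot-resolver/rpz.zone
if [ "$#" -eq 3 ]; then
    fetch_rpz "$1" "$2" "$3"
fi
```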
Would be great to see rpz-passthru support in the BIND format too (forgive me if that's already possible) so that a traditional white-list-first tiered approach can be followed.
We have code for that outside the master branch and releases already, but I'm not sure about details, i.e. what behavior is mostly expected on conflicting rules, CNAMEs, etc. (I do know that the RPZ draft does specify this, but...)
(Super impressed with Knot Resolver, so hats off to all at CZ).
Thanks :-)
--Vladimir