OK, now I've got some 6.x questions.
First, how do you log RPZ hits successfully? I have the following in my config.yaml:
    local-data:
      rpz:
        - file: /tmp/xdns.rpz
          watchdog: true
          log:
    logging:
      level: info
The RPZ is blocking, but I don't get anything in the log file.
The rsyslog conf is as follows - very simple because I thought I was missing things:
    if $syslogseverity-text == 'notice' or $syslogseverity-text == 'info' then
        /var/log/rpz/rpz.log
I do see notifications that seem to be info level:
    2025-12-30T09:05:27.051743+00:00 knotresolver kresd[52353]: [taupd ] refreshing TA for .
    2025-12-30T09:05:27.053046+00:00 knotresolver kresd[52351]: [taupd ] refreshing TA for .
    2025-12-30T09:05:27.053093+00:00 knotresolver kresd[52353]: [tasign] signalling query triggered: _ta-4f66-9728.
    2025-12-30T09:05:27.053119+00:00 knotresolver kresd[52351]: [tasign] signalling query triggered: _ta-4f66-9728.
    2025-12-30T09:05:27.252034+00:00 knotresolver kresd[52353]: [tasign] signalling query triggered: _ta-4f66-9728.
But there is no notice-severity message when I get an RPZ block.
Relatedly, the log: syntax in the documentation (https://www.knot-resolver.cz/documentation/latest/config-local-data.html#cm…) is not at all clear. It looks like I can leave it blank and get everything, but if not, what should it be?
Second, rpz-passthru appears not to be supported correctly.
If I have the lines
    www.example.com. CNAME rpz-passthru.
    *.example.com.   CNAME .
then www.example.com should resolve while any other FQDN under example.com should not. In fact what seems to happen is that www.example.com is blocked too. I have played with swapping the order of the rules and it made no difference.
Finally, maybe a bug? The watchdog doesn't always trigger on an RPZ file change. Not quite sure what the issue is, except that sed -i file.rpz definitely failed to trigger it.
Regards
Francis
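As an added illustration that is not part of this thread and not Knot Resolver's code, the constructed Python evaluator below applies the QNAME-trigger precedence an RPZ consumer is expected to follow (exact owner name before wildcard, wildcard never matching its own apex), so the two rules above yield passthru for www.example.com and NXDOMAIN for any other name under example.com. The action names and CNAME encodings are the standard RPZ ones; the helper names are my own.

```python
# Constructed example (not Knot Resolver code): a minimal RPZ QNAME-trigger
# evaluator showing the precedence an RPZ consumer is expected to apply.

# Standard RPZ CNAME targets and the policy action each encodes.
ACTIONS = {
    ".": "NXDOMAIN",              # CNAME .       -> answer NXDOMAIN
    "*.": "NODATA",               # CNAME *.      -> answer NODATA
    "rpz-passthru.": "PASSTHRU",  # exempt this name from policy
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

def parse_rpz(zone_text):
    """Return {owner_name: action} for the QNAME-trigger CNAME rules in a zone."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith(("$", "@")):
            continue                                 # skip $TTL/$ORIGIN and apex SOA/NS
        fields = line.split()
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:
            continue                                 # not a QNAME policy rule
        idx = types.index("CNAME")                   # optional TTL/class may precede the type
        owner, target = fields[0].lower(), fields[idx + 1].lower()
        rules[owner] = ACTIONS.get(target, "LOCAL-DATA")  # any other CNAME is local data
    return rules

def rpz_action(rules, qname):
    """Pick the rule for qname: exact owner first, then the closest enclosing wildcard."""
    q = qname.lower().rstrip(".") + "."
    if q in rules:
        return rules[q], q
    labels = q.split(".")  # 'www.example.com.' -> ['www', 'example', 'com', '']
    # '*.example.com.' covers names strictly below example.com, never the apex itself.
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard], wildcard
    return "NONE", None

# The two rules from the mail, as a constructed zone fragment.
EXAMPLE_ZONE = """\
www.example.com.  CNAME rpz-passthru.
*.example.com.    CNAME .
"""

if __name__ == "__main__":
    for name in ("www.example.com", "ftp.example.com", "example.com"):
        print(name, "->", rpz_action(parse_rpz(EXAMPLE_ZONE), name))
```

Running a candidate zone through this before loading it shows which name each rule would actually govern; a resolver that blocks www.example.com with these two rules is not following this precedence.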
From: Vladimír Čunát <vladimir.cunat(a)nic.cz>
Sent: Monday, December 29, 2025 9:24 PM
To: Francis Turner <francis(a)threatstop.com>
Cc: Knot Resolver Users List <knot-resolver-users(a)lists.nic.cz>
Subject: Re: [knot-resolver-users] Re: Introduction and questions about RPZ support
On 29/12/2025 12.34, Francis Turner wrote:
Also I believe you are still not supporting zone transfers so I will still need to have
the script download the RPZ and format it correctly.
We don't, but the zone format is accepted, so you can go simple like
kdig rpz.cesnet.cz AXFR @nsa.cesnet.cz > /tmp/cz.rpz
Finally the rpz-ip match is something we tend to use heavily. I can turn those into
"IP address renumbering" rules quite easily in my script. Are there limits to
how many of those a server can support?
That won't be practical at this point. These (legacy) renumbering rules are all
passed for every record in the reply (in lua code).
We do want to add efficient .rpz-ip support, but it's not there yet.