Ok now I’ve got some 6.x questions

 

First, how do you log RPZ hits successfully? I have the following in my config.yaml:

local-data:
  rpz:
    - file: /tmp/xdns.rpz
      watchdog: true
      log:
logging:
  level: info

The RPZ is blocking, but I don’t get anything in the log file.

 

The rsyslog conf is as follows – very simple because I thought I was missing things:

if $syslogseverity-text == 'notice' or $syslogseverity-text == 'info' then /var/log/rpz/rpz.log

 

I do see notifications that seem to be info level:

2025-12-30T09:05:27.051743+00:00 knotresolver kresd[52353]: [taupd ] refreshing TA for .
2025-12-30T09:05:27.053046+00:00 knotresolver kresd[52351]: [taupd ] refreshing TA for .
2025-12-30T09:05:27.053093+00:00 knotresolver kresd[52353]: [tasign] signalling query triggered: _ta-4f66-9728.
2025-12-30T09:05:27.053119+00:00 knotresolver kresd[52351]: [tasign] signalling query triggered: _ta-4f66-9728.
2025-12-30T09:05:27.252034+00:00 knotresolver kresd[52353]: [tasign] signalling query triggered: _ta-4f66-9728.

 

But there is no notice-severity message when I get an RPZ block.

 

Relatedly, the log: syntax in the documentation ( https://www.knot-resolver.cz/documentation/latest/config-local-data.html#cmdoption-arg-log ) is not at all clear. It looks like I can leave it blank and get everything, but if not, what should it be?

 

 

Second: rpz-passthru appears not to be supported correctly.

 

If I have the lines

www.example.com.      CNAME   rpz-passthru.
*.example.com.        CNAME   .

 

then www.example.com should resolve while any other FQDN under example.com should not. In fact, what seems to happen is that www.example.com is blocked too. I have played with swapping the order of the rules and it made no difference.

 

Finally, maybe a bug? The watchdog doesn’t always trigger on an RPZ file change. Not quite sure what the issue is, except that sed -i file.rpz definitely failed to trigger it.

 

Regards

 

Francis
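As an added reference for the rpz-passthru question above (example code, not part of this thread and not knot-resolver's own implementation), the following Python evaluator applies the precedence the RPZ draft describes for QNAME triggers, an exact owner name beats a wildcard, and a longer wildcard suffix beats a shorter one, to the two rules quoted in the mail. The zone text is the two lines from the mail; the third rule is a constructed addition to show the wildcard-vs-wildcard case.

```python
# Minimal RPZ QNAME-trigger evaluator (added example, not knot-resolver code).
# Shows the expected outcome for the rules in the mail: www.example.com is
# passthru because the exact rule wins over *.example.com, everything else
# under example.com gets NXDOMAIN from the wildcard rule.

# Special CNAME targets defined by RPZ and the policy action each means.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Constructed zone text: the first two lines are the rules from the mail,
# the third is added here to demonstrate a more specific wildcard.
EXAMPLE_ZONE = """www.example.com.      CNAME   rpz-passthru.
*.example.com.        CNAME   .
*.sub.example.com.    CNAME   rpz-drop.
"""

def parse_rpz(text):
    """Return (owner, action) pairs from CNAME-style RPZ rules.

    Blank lines, comments and non-CNAME records are ignored; owner names
    are normalised to lower case without the trailing dot.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";") or parts[-2].upper() != "CNAME":
            continue
        owner = parts[0].lower().rstrip(".")
        target = parts[-1].lower()
        rules.append((owner, SPECIAL_TARGETS.get(target, "CNAME " + target)))
    return rules

def lookup(rules, qname):
    """Pick the rule that applies to qname: exact match first, then longest wildcard."""
    qname = qname.lower().rstrip(".")
    best = None  # (is_exact, number of labels in the trigger, action)
    for owner, action in rules:
        if owner.startswith("*."):
            suffix = owner[2:]
            if not qname.endswith("." + suffix):  # wildcards match only names below the suffix
                continue
            key = (0, suffix.count(".") + 1, action)
        elif owner == qname:
            key = (1, owner.count(".") + 1, action)
        else:
            continue
        if best is None or key[:2] > best[:2]:
            best = key
    return best[2] if best else "NO MATCH"
```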

 

From: Vladimír Čunát <vladimir.cunat@nic.cz>
Sent: Monday, December 29, 2025 9:24 PM
To: Francis Turner <francis@threatstop.com>
Cc: Knot Resolver Users List <knot-resolver-users@lists.nic.cz>
Subject: Re: [knot-resolver-users] Re: Introduction and questions about RPZ support

 

On 29/12/2025 12.34, Francis Turner wrote:

Also I believe you are still not supporting zone transfers so I will still need to have the script download the RPZ and format it correctly.

We don't, but the zone format is accepted, so you can go simple like
kdig rpz.cesnet.cz AXFR @nsa.cesnet.cz > /tmp/cz.rpz

 

Finally the rpz-ip match is something we tend to use heavily. I can turn those into “IP address renumbering” rules quite easily in my script. Are there limits to how many of those a server can support?

That won't be practical at this point.  These (legacy) renumbering rules are all passed for every record in the reply (in lua code).  

We do want to add efficient .rpz-ip support, but it's not there yet.