Hello Tomas,

You are right, it was just those silly configuration mistakes. Everything works now :)

Thank you so much!

Best regards,
--Manuel


De: Tomas Krizek
Enviado: Viernes, 11 de Diciembre de 2020 13:25
Para: Knot Resolver Users List; Urueña-Pascual Manuel
Asunto: Re: [knot-resolver-users] Is policy.rpz a non-chain action?

Hi, the use-case you're trying to achieve is possible, but there are
some issues with your configuration.

On 10/12/2020 17.29, Urueña-Pascual Manuel wrote:>
policy.add(policy.rpz(policy.DENY_MSG('domain blocked'),
'/etc/knot-resolver/blocklist.rpz', true))
> policy.add(policy.rpz(policy.PASS(), '/etc/knot-resolver/allowlist.rpz', true))

You want to specify "policy.PASS" without the brackets.

> and these are the RPZ zones:
>
> $ cat '/etc/knot-resolver/allowlist.rpz':
> www.google.com 600 IN CNAME rpz-passthrough.
> www.bing.com 600 IN CNAME rpz-passthrough.

When you provide kresd these RPZ zones, it will complain:

[poli] RPZ /tmp/kr_dev/etc/knot-resolver/allowlist.rpz:1: CNAME with
custom target in RPZ is not supported yet (ignored)

It's because you're trying to use unsupported CNAME. See the table in
our docs [1]. What you're probably looking for is "rpz-passthru."
instead. However, if you're using a separate allowlist with policy.PASS
action (which is your case) "." would also work here.


You should also be able to combine the blocklist and allowlist into just
a single rpz file, using policy.DENY_MSG("...") and controlling whether
domain is blocked ("CNAME .") or allowed ("CNAME rpz-passthru.") with
the RPZ rules themselves.


[1] -
https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869