Also I believe you are still not supporting zone transfers so I will still need to have the script download the RPZ and format it correctly.
I wonder if you could improve the 6.x documentation by showing a sample RPZ zone file with all the supported actions, wildcards etc.
Finally the rpz-ip match is something we tend to use heavily. I can turn those into “IP address renumbering” rules quite easily in my script. Are there limits to how many of those a server can support?
Regards
Francis
From: Francis Turner
Sent: Monday, December 29, 2025 8:20 PM
To: 'Vladimír Čunát' <vladimir.cunat@nic.cz>
Cc: Knot Resolver Users List <knot-resolver-users@lists.nic.cz>
Subject: RE: [knot-resolver-users] Re: Introduction and questions about RPZ support
Thank you for all your replies.
It looks like I should be trying 6.x and recommending that our prospects and customers do too. That is extremely helpful.
Regards
Francis
From: Vladimír Čunát <vladimir.cunat@nic.cz>
Sent: Monday, December 29, 2025 7:14 PM
To: Francis Turner <francis@threatstop.com>
Cc: Knot Resolver Users List <knot-resolver-users@lists.nic.cz>
Subject: Re: [knot-resolver-users] Re: Introduction and questions about RPZ support
On 29/12/2025 11.10, Vladimír Čunát via knot-resolver-users wrote:
> Also assuming it is supported, what are the performance impacts of large (say 500k+) RPZ policies?
I forgot this part. In 6.x the main price will be CPU consumed when parsing the file (which is asynchronous if you do a reload) and RAM to hold the resulting database. We've been quite careful about performance impact on processing DNS requests.
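The first message in this thread mentions converting rpz-ip triggers in a script. As an added example (not code from either poster or from the Knot Resolver project), this decodes rpz-ip owner names into CIDR networks and rejects malformed entries, assuming the usual RPZ encoding: prefix length first, address labels reversed, `zz` for the IPv6 zero run. The names `rpz_ip_to_network`, `convert_feed` and `SAMPLE` are hypothetical, and it stops short of emitting any resolver configuration.

```python
import ipaddress

def rpz_ip_to_network(owner):
    """Decode an rpz-ip trigger owner name into an ip_network object."""
    labels = owner.rstrip(".").lower().split(".")
    if "rpz-ip" not in labels:
        raise ValueError(f"not an rpz-ip trigger: {owner!r}")
    # Keep only the labels left of 'rpz-ip'; the zone origin follows it.
    labels = labels[:labels.index("rpz-ip")]
    if len(labels) < 2 or not labels[0].isdigit():
        raise ValueError(f"missing prefix length: {owner!r}")
    prefix_len = int(labels[0])
    parts = labels[1:][::-1]              # address labels are stored reversed
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        addr = ".".join(parts)            # IPv4 octets
    elif parts.count("zz") == 1:
        i = parts.index("zz")             # 'zz' stands for the '::' zero run
        addr = ":".join(parts[:i]) + "::" + ":".join(parts[i + 1:])
    elif len(parts) == 8:
        addr = ":".join(parts)            # fully written-out IPv6
    else:
        raise ValueError(f"unrecognised address labels: {owner!r}")
    # strict=True rejects entries whose host bits extend past the prefix.
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=True)

def convert_feed(lines):
    """Return (networks, rejected) for zone-file lines; non-IP triggers are skipped."""
    networks, rejected = [], []
    for line in lines:
        fields = line.split(";", 1)[0].split()   # drop comments, split fields
        if not fields or "rpz-ip" not in fields[0].lower().split("."):
            continue                             # blank line or QNAME trigger
        try:
            networks.append(rpz_ip_to_network(fields[0]))
        except ValueError as exc:
            rejected.append((fields[0], str(exc)))
    return networks, rejected

# Constructed sample lines using documentation address ranges, not a real feed.
SAMPLE = [
    "; constructed sample",
    "bad.example.com                CNAME .",
    "24.0.2.0.192.rpz-ip            CNAME .",
    "32.7.113.0.203.rpz-ip          CNAME rpz-passthru.",
    "128.57.zz.1.0.db8.2001.rpz-ip  CNAME .",
    "24.9.2.0.192.rpz-ip            CNAME .  ; host bits set, rejected",
]

if __name__ == "__main__":
    nets, bad = convert_feed(SAMPLE)
    print([str(n) for n in nets], bad)
```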