
I added an RPZ zone to override some hosts in my BIND9 server, adding the following lines to named.conf:

options {
    ...
    // response-policy is an options (or view) statement, not a top-level one
    response-policy { zone "rpz"; };
    ...
};

zone "rpz" {
    type master;
    file "/etc/bind/rpz.hosts";
    // address-based ACL: the source address of a UDP update can be spoofed,
    // so a TSIG key with update-policy is the safer choice
    allow-update { 172.33.1.7; };
};


The rpz.hosts file:

$TTL 38400  ; 10 hours 40 minutes
@       IN SOA  localhost. root.localhost. (
                1515764950 ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                38400      ; minimum (10 hours 40 minutes)
                )
; RPZ data is never served to clients, so the NS is only a placeholder;
; its target must still be a hostname, not an IP literal
        IN NS   localhost.

When I try to update it with nsupdate, using an arbitrary hostname like somehost.dyndns.dappnode.io, I get a NOTZONE error. The update mechanism expects some host under the rpz. zone.

How can I work around this? Has anyone managed to dynamically configure an RPZ zone?

Thank you

vdo
    Did you increase bind logging to see what happens? Which bind version? Did you try with another one, and newer ones like 9.15? – Patrick Mevzek Nov 18 '19 at 05:52

1 Answer


The trick is that the domain name should end with the rpz zone name. Here is a complete example where an rpz zone is dynamically updated with a DNSSEC key.

In named.conf,

options {
    // some other options...

    // the policy zone only takes effect once it is listed here
    response-policy {
        zone "dynamic-rpz";
    };
};

// TSIG key file (e.g. generated with tsig-keygen); "keyname." below must
// match the key statement it contains
include "/var/named/rpz.key";

zone "dynamic-rpz" IN {
    type master;
    file "dynamic-rpz.db";
    // "name" limits the key to exactly this owner name and type; to allow any
    // rule in the zone use "grant keyname. subdomain dynamic-rpz.;" instead
    update-policy {
        grant keyname. name foobar.example.com.dynamic-rpz A;
    };
};

And in dynamic-rpz.db,

$TTL 600

@ IN SOA localhost. root.localhost. (
      1  ; Serial
 604800  ; Refresh
  86400  ; Retry
2419200  ; Expire
    600  ; Negative Cache TTL
)

                    IN NS    localhost.
; relative owner name, expands to foobar.example.com.dynamic-rpz.
; an A record is the RPZ "Local Data" action: queries for
; foobar.example.com are answered with 127.0.0.1
foobar.example.com      A    127.0.0.1

Now, that domain name can be updated with nsupdate,

nsupdate -k rpz.key
> server 192.168.xx.xx
> update add foobar.example.com.dynamic-rpz 600 A aaa.bbb.ccc.ddd
> send

Reference: https://bind9-users.isc.narkive.com/wXStNX3l/using-nsupdate-to-insert-delete-record-in-the-rpz-zone-file
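The point of the answer is that the name sent in the update must live under the policy zone's apex, or the server returns NOTZONE. The following script is an added example, not code from the question, the answer or ISC: it builds the RPZ owner name from a plain hostname, performs the same in-zone check the server does, and emits an nsupdate batch for the rule. It goes beyond the answer's single A record by also covering wildcard owners and the other RPZ actions (NXDOMAIN, NODATA, PASSTHRU, DROP). The server address 192.168.1.2, the zone name dynamic-rpz and the key file rpz.key are assumptions taken over from the answer.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed: policy zone
# "dynamic-rpz", TSIG key file rpz.key, server 192.168.1.2.

# rpz_owner HOSTNAME ZONE
# Prints the fully qualified RPZ owner name for HOSTNAME, e.g.
#   rpz_owner somehost.dyndns.dappnode.io rpz -> somehost.dyndns.dappnode.io.rpz.
# A leading "*." is passed through: *.example.com.rpz. matches subdomains
# of example.com but not example.com itself.
rpz_owner() {
    host=${1%.}            # drop a trailing dot so it is not doubled
    zone=${2%.}
    printf '%s.%s.\n' "$host" "$zone"
}

# in_zone OWNER ZONE
# Succeeds when OWNER is the zone apex or below it. Sending the bare
# hostname, as in the question, fails this check and yields NOTZONE.
in_zone() {
    owner=${1%.}
    zone=${2%.}
    case "$owner" in
        "$zone"|*."$zone") return 0 ;;
        *) return 1 ;;
    esac
}

# rpz_rdata ACTION [TARGET]
# Maps an RPZ policy action to the RDATA that encodes it:
#   local-a IP -> A IP                (answer with IP, "Local Data")
#   nxdomain   -> CNAME .             (NXDOMAIN)
#   nodata     -> CNAME *.            (NODATA)
#   passthru   -> CNAME rpz-passthru. (exempt from policy)
#   drop       -> CNAME rpz-drop.     (no response at all)
rpz_rdata() {
    case "$1" in
        local-a)  [ -n "${2:-}" ] || return 2; printf 'A %s\n' "$2" ;;
        nxdomain) printf 'CNAME .\n' ;;
        nodata)   printf 'CNAME *.\n' ;;
        passthru) printf 'CNAME rpz-passthru.\n' ;;
        drop)     printf 'CNAME rpz-drop.\n' ;;
        *) echo "rpz_rdata: unknown action '$1'" >&2; return 2 ;;
    esac
}

# rpz_batch SERVER ZONE HOSTNAME ACTION [TARGET] [TTL]
# Prints an nsupdate batch. "zone" pins the update to the policy zone
# instead of letting nsupdate discover a zone from the hostname's SOA, and
# the "update delete" removes any previous rule for that owner so re-running
# replaces the rule instead of accumulating records.
rpz_batch() {
    server=$1 zone=$2 host=$3 action=$4 target=${5:-} ttl=${6:-600}
    owner=$(rpz_owner "$host" "$zone") || return 1
    rdata=$(rpz_rdata "$action" "$target") || return 2
    printf 'server %s\nzone %s.\nupdate delete %s\nupdate add %s %s %s\nsend\n' \
        "$server" "${zone%.}" "$owner" "$owner" "$ttl" "$rdata"
}

# Demo: print the batch for the answer's record. To apply it, pipe the
# output into the signing client:
#   rpz_batch 192.168.1.2 dynamic-rpz foobar.example.com local-a 10.0.0.5 | nsupdate -k rpz.key
rpz_batch 192.168.1.2 dynamic-rpz foobar.example.com local-a 10.0.0.5
```

Because the TTL is the sixth argument, pass an empty TARGET for the CNAME-encoded actions, e.g. `rpz_batch 192.168.1.2 dynamic-rpz '*.bad.example' nxdomain '' 300`. The update-policy in the answer grants the key exactly one owner name and type, so a batch for any other name is rejected with REFUSED; widen the grant (for instance with a `subdomain` rule) before scripting more than that one record.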