update the rpz records for recursor by API

[oyJouokong]

why

Since we are using different dns components, we now need to integrate them for easy unified management. We have docked the api interfaces of authoritative resolution servers and recursive resolvers, and these apis can be used to easily manipulate dns resources. But we also use rpz file, rpz record parsing, but I can not find the relevant api interface, may I ask if there is a relevant api interface? Or is there a better solution or suggestion for dynamically modifying rpz records remotely?
Looking forward to your reply!

Environment

• Operating system: Ubuntu 20
• Software version: powerdns4.4.1

Expected behaviour

Hope to be able to provide api or related suggestions for dynamically modifying rpz records

[omoerbeek]

RPZs can be retrieved from an authoritative server using IXFR. See https://docs.powerdns.com/recursor/lua-config/rpz.html#rpzPrimary. You can use the API on that authoritative server to manipulate the records in the RPZ. There are no plans to allow RPZ modification via the recursor API.

[oyJouokong]

Do you mean use authoritative resolution servers to modify or add rpz records? Is that equivalent to adding a record to the authoritative server? But my rpz record is for a specific policy, do some special rule response, rather than add records directly on the authoritative server, because it is possible that I do blocks on rpz, or special redirects, such operations add authoritative resolution is not reasonable, right? Then I am now using the go program to do an integration platform, through the restful api way to operate the record, and now on the rpz record of the addition and deletion change, so I want to seek help, thank you!

[omoerbeek]

An RPZ is just like any other zone. It can be served by a (private) authoritative server to the recursor using rpzPrimary in the recursor. The authoritative server should be private as you do not want to serve the RPZ to the public.

You can use the authoritative server REST API to manipulate the RPZ just like any other zone.

The recursor will periodically check the SOA serial of the RPZ and retrieve the modified content if needed.

[oyJouokong]

for example, If I already have an rpz file(test.rpz), it reads as follows:

$TTL  600
@  IN  SOA  localhost. root.localhost. (
      1701767891  ; Serial
      604800     ; Refresh
        86400    ; Retry
      2419200    ; Expire
      604800 )   ; Negative Cache TTL
;
@  IN  NS  localhost.
@  IN  A  127.0.0.1
@  IN  AAAA  ::1
go        IN  A       10.10.171.65

The way to do this now is to configure lua-config-file= test.lua via recursor.conf, which reads:
rpzFile("test.rpz")
If i want to add this record in this way which you say above, how can i add it? Which authoritative zone is it?

Looking forward to your reply, thanks

[omoerbeek]

Moving this to discussions

[oyJouokong]

hello，Excuse me, can you give me a suitable solution? I see recursor also reads file configuration, and recursor can also dynamically modify forward zone through api, so rpz can also provide a related solution?
thanks

[rgacogne]

As Otto suggested above, the best solution is for you to host your RPZ zone, which is a regular DNS zone, on an authoritative server that provides an API to edit the content of its zones, like for example PowerDNS Authoritative Server. You can then load the RPZ zone in the recursor using rpzPrimary1.
As far as I know there is no plan to add an API to edit the content of a RPZ zone file in the Recursor: it would add a lot of complexity for a feature that already exists in better-suited software.

[oyJouokong]

thanks, but if i have a record as :
go IN A 10.10.171.65

So how do I apply the A record above to an authoritative server? Because the fqdn of this A record is only so short, can you solve this problem?（We have a short link service, such as we accessing the website addresses : go/myApp, which automatically redirects to the corresponding long link, and then we need to parse this A record to that short link service.）
By the way, if my rpz records belong to many different zones, do I need to re-create the corresponding zones on the authoritative server and add all the records? If this is the case, I feel that this rpzPrimary seems meaningless, because it can be implemented with authoritative servers, so this configuration item is not needed.
Thank you, sir.

[omoerbeek]

I have the feeling that we go around in circles. I'll try to explain the steps one last time, using your example:

1. Create a zone in your (private) authoritative server, called "test.rpz".
2. Load your zone file into that zone.
3. Configure rpzPprimary('ip_of_your_auth', 'test.rpz', {}) in your Recursor.
4. That's it, start the Recursor and wach the log to see the Recursor contacting the auth and loading the RPZ. For more details see https://docs.powerdns.com/recursor/lua-config/rpz.html#rpzPrimary

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00 has all the details how RPZ records work
For example, only the local part of a name in an RPZ is used to match, see https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.2 for details. So there's no need to define multiple RPZs.

You can also take a look how existing RPZ look, for example the ones published by https://ioc2rpz.net/
There's also more info available at https://dnsrpz.info/

[oyJouokong]

thanks