Story
Resolution: Unresolved
rhel-10.1
rhel-net-perf
Goal
- Support for one or more RPZ zones provided by a trusted party, carrying a list of domains to block and never resolve successfully.
- This is already needed by our internal network Infosec team. Very likely many of our customers will have similar needs.
- unbound and bind9 support relatively standard RPZ zones, which are updated automatically from the serving server. They also support incremental transfers of only the changed entries, so the overhead is minimal, much lower than repeatedly fetching a whole new blocklist over HTTPS.
- Unbound can also fetch an RPZ zone over plain HTTP from a specified URI.
- Dnsmasq also supports blocking of selected names, but does not support RPZ. Support for a file-based source as an alternative is desired.
Acceptance criteria
A list of verification conditions, successful functional tests, or expected outcomes required to declare this story/task successfully completed.
- Verify that the blocklist definition is implementation independent, i.e. one common definition works for every backend.
- Verify that more than one blocklist can be configured and used.
- Verify that the allowlist and blocklist are applied to resolution and that the blocklist actually stops names from resolving.
- The syntax should allow configuring either an HTTP URI or incremental zone transfers over DNS.
- Verify that blocked attempts are logged, or that logging can be enabled in the configuration, where the implementation supports it. Unbound can use the inform_deny action on local zones.
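The following is an added, constructed example (not code from unbound, bind9, dnsmasq or this story) of what the allowlist/blocklist acceptance criteria above check: it parses the QNAME-trigger records of two small RPZ zones, applies them in configured order with an allowlist (rpz-passthru) listed before a trusted party's blocklist, and records a log line for every blocked name. The zone contents, zone names and the ACTIONS table are assumptions made for the example.

```python
"""Evaluate RPZ QNAME-trigger policies from plain zone-file text.
Constructed example; not the code of unbound, bind9 or dnsmasq."""

# Constructed zones: a blocklist from a trusted party and a local allowlist.
# Owners are relative to $ORIGIN, so "ads.example.com" is the trigger name.
BLOCKLIST_ZONE = """\
$ORIGIN rpz.block.example.
ads.example.com       CNAME .    ; CNAME "."  => answer NXDOMAIN
*.ads.example.com     CNAME .    ; wildcard covers every subdomain
tracker.example.net   CNAME *.   ; CNAME "*." => answer NODATA
"""
ALLOWLIST_ZONE = """\
$ORIGIN rpz.allow.example.
good.ads.example.com  CNAME rpz-passthru.   ; exempt from later zones
"""

# RPZ encodes the policy action in the CNAME target (subset modelled here).
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def parse_rpz(zone_text):
    """Return {owner: action} for the QNAME-trigger CNAME records in a zone."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        if not line or line.startswith("$"):          # skip blanks/directives
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "CNAME" or parts[2] not in ACTIONS:
            continue                                  # only actions we model
        rules[parts[0].lower().rstrip(".")] = ACTIONS[parts[2]]
    return rules

def lookup(qname, zones, log):
    """Apply zones in configured order; the first zone with a match decides.
    Exact owner beats wildcard, closest wildcard beats a wider one."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    for zone_name, rules in zones:
        candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for cand in candidates:
            if cand in rules:
                action = rules[cand]
                if action != "PASSTHRU":              # record every blocked query
                    log.append(f"rpz {zone_name}: {name} -> {action} (rule {cand})")
                return action
    return "RESOLVE"                                  # no policy: resolve normally

# Allowlist is listed first so its passthru wins over the blocklist.
POLICY = [("rpz.allow.example", parse_rpz(ALLOWLIST_ZONE)),
          ("rpz.block.example", parse_rpz(BLOCKLIST_ZONE))]
```

Calling `lookup("banner.ads.example.com", POLICY, [])` returns "NXDOMAIN" through the wildcard rule, while `good.ads.example.com` returns "PASSTHRU" because the allowlist zone is consulted first.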