Hello!
On 11/12/19 8:32 AM, Stephane Bortzmeyer wrote:
> This seriously limits the usefulness of policy.DENY.
> What are the possible solutions?
Right, normal policy rules only apply once, before the request starts.
The only easy solution I can think of is to use the hints module, assuming
it's sufficient to (1) block particular names (not subtrees) and (2)
only redirect them to some address that will fail fast instead of really
blocking them (e.g. localhost).
[hints]
https://knot-resolver.readthedocs.io/en/stable/modules.html#static-hints
All other ways would be like writing one's own module, I think. We've
been thinking of redesigning the user APIs around policies because of
this and a couple of other reasons. People usually don't seem to think of
this imperatively (what actions to do at some points in the resolution
process) but more like modifying the official DNS tree. Still, at this
point I only have some vague ideas about this.
--Vladimir
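As an added illustration of the workaround described in the reply above (example configuration, not from the thread and not the Knot Resolver project's own code): a kresd config fragment that loads the hints module and pins the exact names to be blocked to the loopback address, so lookups for them fail fast locally instead of being answered from the Internet. The names are constructed placeholders; the module ordering and the `hints` table/`hints.set` calls follow the static-hints documentation linked in the reply.

```lua
-- Load the hints module ahead of the iterator so hinted names are answered
-- from the local table before any upstream query is made.
modules = { 'hints > iterate' }

-- Constructed placeholder names to "block". Each entry matches only the
-- exact owner name: 'blocked.example.com.' does NOT cover
-- 'www.blocked.example.com.', which is the (1) "particular names, not
-- subtrees" limitation mentioned in the reply.
local blocked_names = {
  'blocked.example.com.',
  'tracker.example.net.',
}

-- Redirect each name to loopback for both address families, so a client
-- that does connect fails quickly against its own host rather than being
-- truly refused (limitation (2) in the reply).
for _, name in ipairs(blocked_names) do
  hints[name] = '127.0.0.1'
  hints.set(name .. ' ::1')
end

-- Optional: return NODATA instead of NXDOMAIN for record types the hint
-- does not cover, so clients asking e.g. for MX do not fall through to a
-- real upstream lookup of the same name.
hints.use_nodata(true)
```

To confirm the hint is in place from the kresd console, `hints.get('blocked.example.com.')` returns the configured addresses for that exact name and nothing for names beneath it.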