RPZ in IP Register

Our computer emergency response team maintain a block list and a pass-through list. Domains may be added to these lists according to our DNS blocking policy.

This page describes how CamCERT manage their lists using the IP Register database.

The CERT management zone

Who can manage these lists is determined by the CERT mzone: its mzone_co table lists the members of CamCERT.

The CERT mzone has two real domains corresponding to the two lists, block.arpa.cam.ac.uk and passthru.arpa.cam.ac.uk.

It also has two special single-word domains, rpz-block and rpz-passthru, used to create RPZ list entries. Note these domains have no dots; they are just used as place-holders.

There are no IP subnets in the CERT mzone.

RPZ list entries

Each entry in the block list or passthru list is a CNAME. They can be added or removed using the IP Register cname_ops page.

  • Name

    The name determines both which domain the listing applies to, and whether that domain is blocked or passed through.

    It is the listed domain concatenated with the name of the list.

    • Blocked domains

      To block naughty.baddies.example, the name must be naughty.baddies.example.block.arpa.cam.ac.uk.

    • Pass-through domains

      To un-block incorrectly.blocked.example, the name must be incorrectly.blocked.example.passthru.arpa.cam.ac.uk.

  • Target

    The target of every entry in the block list should be rpz-block, and the target of every entry in the passthru list should be rpz-passthru. These targets must be bare, with no parent domain.

    (These names are chosen to be brief and informative; although they are related to RPZ policy syntax, the actual policy is fixed by the DNS RPZ mechanism.)

  • Purpose

    The purpose field of a DNS RPZ list entry is published on this web site, to note the reason for the listing.

  • Remarks

    The remarks field is optional and can be used for notes that are not published here.

Search

Use the table_ops page to search for RPZ listings.

Choose cname from the drop-down menu, and click the switch button.

Type the partial domain into the name field, using % as a wildcard, then click search.

A list entry can be modified or destroyed using the table_ops page in a similar way to the cname_ops page.
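As an added example (not part of this page or of the IP Register software), the following Python models the two rules above, building an entry name from a listed domain and its list, and checking that an entry's target is the bare rpz-block or rpz-passthru name, together with a small emulation of the table_ops search with % as a wildcard. The sample entries, the CnameEntry class and the function names are constructed for illustration and are not IP Register identifiers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two real domains in the CERT mzone, one per list.
BLOCK_SUFFIX = "block.arpa.cam.ac.uk"
PASSTHRU_SUFFIX = "passthru.arpa.cam.ac.uk"

# Each list's domain maps to the bare target every entry in that list must use.
LIST_TARGETS = {
    BLOCK_SUFFIX: "rpz-block",
    PASSTHRU_SUFFIX: "rpz-passthru",
}


@dataclass(frozen=True)
class CnameEntry:
    """Hypothetical model of one cname_ops record (constructed for this example)."""
    name: str
    target: str
    purpose: str = ""   # published on the web site
    remarks: str = ""   # optional, not published


def entry_name(listed_domain: str, list_suffix: str) -> str:
    """Build the entry name: the listed domain concatenated with the list's domain."""
    domain = listed_domain.strip().rstrip(".").lower()
    if not domain or list_suffix not in LIST_TARGETS:
        raise ValueError("need a non-empty domain and the block or passthru list")
    return f"{domain}.{list_suffix}"


def make_entry(listed_domain: str, list_suffix: str, purpose: str, remarks: str = "") -> CnameEntry:
    """Create a well-formed entry whose target is the bare name for its list."""
    return CnameEntry(entry_name(listed_domain, list_suffix), LIST_TARGETS[list_suffix], purpose, remarks)


def split_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (listed domain, list suffix) for a name under one of the two lists, else None."""
    lowered = name.rstrip(".").lower()
    for suffix in LIST_TARGETS:
        if lowered.endswith("." + suffix):
            return lowered[: -(len(suffix) + 1)], suffix
    return None


def check_entry(entry: CnameEntry) -> List[str]:
    """Return the rule violations for an entry; an empty list means it is acceptable."""
    problems: List[str] = []
    parts = split_name(entry.name)
    if parts is None:
        problems.append(f"name {entry.name!r} is not under {BLOCK_SUFFIX} or {PASSTHRU_SUFFIX}")
        return problems
    _, suffix = parts
    if "." in entry.target:
        # A target with a parent domain is the common mistake the page warns against.
        problems.append(f"target {entry.target!r} is not bare (it has a parent domain)")
    elif entry.target != LIST_TARGETS[suffix]:
        problems.append(f"target {entry.target!r} is wrong for list {suffix}; expected {LIST_TARGETS[suffix]!r}")
    if not entry.purpose.strip():
        problems.append("purpose is empty, but it is published as the reason for the listing")
    return problems


def search(entries: List[CnameEntry], pattern: str) -> List[CnameEntry]:
    """Emulate the table_ops name search: % matches any run of characters, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("%")) + "$"
    return [e for e in entries if re.match(regex, e.name.lower())]


# Constructed sample data: two correct entries, one with a non-bare target, one with a swapped target.
SAMPLE_ENTRIES = [
    make_entry("naughty.baddies.example", BLOCK_SUFFIX, "phishing landing page"),
    make_entry("incorrectly.blocked.example", PASSTHRU_SUFFIX, "false positive on a vendor portal"),
    CnameEntry("other.baddies.example.block.arpa.cam.ac.uk", "rpz-block.arpa.cam.ac.uk", "malware C2"),
    CnameEntry("mixed.up.example.passthru.arpa.cam.ac.uk", "rpz-block", "copied from the wrong list"),
]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e.name, "->", e.target, check_entry(e) or "ok")
    print([e.name for e in search(SAMPLE_ENTRIES, "%.baddies.%")])
```

Running the block reports the two constructed mistakes (a target carrying a parent domain, and a passthru entry pointing at rpz-block) and shows that the wildcard search "%.baddies.%" returns only the two baddies.example names.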