[pdns-recursor] RPZ zone Dynamic Reload

[Zqsdoo]

Hello,
I'm migrating DNS redirect rules (CNAME, A, AAAA) from dnsdist to pdns-recursor using RPZ zones. While testing, I encountered unexpected behavior regarding zone persistence and reloading.

Pdns-recursor version

PowerDNS Recursor 5.4.1 (C) PowerDNS.COM BV
Using 64-bits mode. Built using clang 18.1.3 (1ubuntu1) on Apr  7 2026 09:21:53 by root@localhost.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Features: libcrypto-ecdsa libcrypto-ed25519 libcrypto-ed448 libcrypto-eddsa lua nod protobuf dnstap-framestream snmp sodium libssl gnutls curl DoT scrypt libcap
Configured with: "-Dpython.bytecompile=-1 -Db_lto=true -Db_lto_mode=thin -Db_pie=true -Dhardening-fortify-source=disabled -Dunit-tests=true -Dtls-libssl=enabled -Dtls-gnutls=enabled -Ddns-over-tls=enabled -Ddnstap=enabled -Dlibcap=enabled -Dsigners-libsodium=enabled -Dsnmp=enabled -Dnod=enabled -Dsystemd-service=enabled -Dsystemd-service-user=pdns -Dsystemd-service-group=pdns -Dlua=luajit -Dprefix=/usr -Dlibdir=lib/x86_64-linux-gnu -Dlibexecdir=lib/x86_64-linux-gnu -Dlocalstatedir=/var -Dsysconfdir=/etc/powerdns -Dbuildtype=plain -Dwrap_mode=nodownload"

OS: Ubuntu 24.04

Pdns-recursor rpz configuration

  rpzs:
    - name: '/etc/powerdns/zone.rpz'

1. Wildcard vs Exact Match Behavior

In my zone.rpz file, I defined both exact and wildcard rules:

$TTL 60

@ IN SOA localhost. root.localhost. (
	1777291699 ; Serial
	60 ; Refresh
	60 ; Retry
	60 ; Expire
	60 ) ; Negative Cache TTL

@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

malware.domain.net IN CNAME malware.com
*.malware.domain.net IN CNAME malware.com
toto.malware.net IN A 127.0.0.1
toto.malware.net IN AAAA ::1
*.toto.malware.net IN A 127.0.0.1
*.toto.malware.net IN AAAA ::1

I noticed that only the wildcard (*.malware.domain.net) was being enforced, while the exact match (malware.domain.net) was not. To work around this, I added both entries.
Is this intended behavior? Shouldn't the exact match take precedence or at least be respected independently?

My questions is is there a way to reload RPZ zones without restarting the entire service?

[omoerbeek]

Yes, this is intended behaviour, see https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.2

Reloading lua config or yaml config with rec_control reload-lua-config or rec_control reload-yaml will reload RPZs. With RPZs served from an authoritative server, you can also use notify (you need to enable that, see https://docs.powerdns.com/recursor/yamlsettings.html#incoming-allow-notify-from and https://docs.powerdns.com/recursor/yamlsettings.html#incoming-allow-notify-for.

[Zqsdoo]

Yes, this is intended behaviour, see https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.2

Reloading lua config or yaml config with rec_control reload-lua-config or rec_control reload-yaml` will reload RPZs. With RPZs served from an authoritative server, you can also use notify (you need to enable that, see https://docs.powerdns.com/recursor/yamlsettings.html#incoming-allow-notify-from and https://docs.powerdns.com/recursor/yamlsettings.html#incoming-allow-notify-for.

Thanks, it worked pretty well !