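// BIND (named.conf) fragment: recursive resolver that enforces Response Policy
// Zones (RPZ) transferred from the DFN RPZ masters over TSIG-authenticated
// zone transfers.
//
// NOTE(review): "//" comments run to the end of the line, so this file must
// keep one statement per line. If it is collapsed onto a single line,
// everything after the first "//" is treated as a comment.

// Dedicated log channel for RPZ hits (category "rpz").
logging {
    channel rpz_local {
        // NOTE(review): relative path, resolved against named's working
        // directory (the "directory" option is not set in this fragment).
        // Confirm this is the intended location and that it is writable by
        // the named user.
        file "var/log/named_rpz" versions 10 size 10m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category rpz { rpz_local; };
};

options {
    recursion on;
    // Restrict recursion to the local client network so the resolver is not
    // usable as an open resolver.
    allow-recursion { 192.168.2/24; };

    // BEGIN RPZ Policy
    // Policy zones are consulted in the order listed; an earlier zone takes
    // precedence over a later one, so keep the provider's ordering.
    // "policy passthru log yes" = evaluation mode: a hit is logged but the
    // answer is not rewritten.
    response-policy {
        // DFN RPZ zones
        zone "zone.eval-f.rpz.dfn.de" policy passthru log yes;
        zone "zone.al.rpz.dfn.de" policy passthru log no;
        zone "zone.community.rpz.dfn.de" policy passthru log yes;
        zone "zone.ph.rpz.dfn.de" policy cname landingpage-ph.security.dfn.de;
        zone "zone.mw.rpz.dfn.de" policy cname landingpage-mw.security.dfn.de;
        zone "zone.eval-l.rpz.dfn.de" policy passthru log yes;
        // SWITCH RPZ zones
        zone "zone.wl.rpz.switch.ch" policy passthru log no;
        zone "zone.test.rpz.switch.ch" policy passthru;
        zone "zone3.mw.rpz.switch.ch" policy cname landingpage-mw.security.dfn.de;
        zone "zone3.ph.rpz.switch.ch" policy cname landingpage-ph.security.dfn.de;
        zone "zone3.misc.rpz.switch.ch" policy cname landingpage-mw.security.dfn.de;
    }
    // Apply RPZ policy to DNSSEC signed zones.
    // break-dnssec is a trailing option of the response-policy statement, so
    // there is intentionally no ";" after the closing brace above.
    // Caveat: rewritten answers are unsigned, so a validating client or
    // downstream resolver will treat them as bogus instead of reaching the
    // landing page.
    break-dnssec yes;
    // END RPZ Policy

    // This server only consumes the policy zones; it never serves transfers
    // or accepts dynamic updates.
    allow-transfer { none; };
    allow-update { none; };
};

// TSIG key for RPZ zones-transfer
// DO NOT CHANGE THE NAME OF THE KEY OR COMMUNICATION WILL FAIL!!!
// The secret below is a placeholder ("provided by DFN"); replace it with the
// base64 secret received from DFN.
// NOTE(review): keep the real secret out of world-readable configuration and
// out of version control, e.g. move this key statement into a separate file
// readable only by the named user and pull it in with
//   include "<path-to-key-file>";   (placeholder path)
key rpz1-basis.security.dfn.de. {
    algorithm "HMAC-SHA512";
    secret "vom DFN uebermittelt";
};

// Transfer sources; every address is bound to the TSIG key so that zone
// transfers are authenticated.
masters dfn-rpz-masters {
    // ns1.security.dfn.de
    195.37.33.18 key rpz1-basis.security.dfn.de.;
    2001:638:dfce:1:23::1 key rpz1-basis.security.dfn.de.;
    // ns2.security.dfn.de
    195.37.33.146 key rpz1-basis.security.dfn.de.;
    2001:638:dfce:1001:23::1 key rpz1-basis.security.dfn.de.;
};

// Secondary copies of the policy zones referenced in response-policy above.
// Every zone named there needs a matching zone statement here.
// NOTE(review): consider adding "allow-query { none; };" (or localhost only)
// to each policy zone so clients cannot query the feed contents directly;
// confirm against the feed provider's terms and your BIND version.

// DFN RPZ Zones
zone "zone.eval-f.rpz.dfn.de" {
    type slave;
    file "slave/zone.eval-f.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};
zone "zone.al.rpz.dfn.de" {
    type slave;
    file "slave/zone.al.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};
zone "zone.community.rpz.dfn.de" {
    type slave;
    // Fixed: was "/slave/..." (absolute path), unlike every other zone file
    // here, which lives under the relative "slave/" directory.
    file "slave/zone.community.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};
zone "zone.ph.rpz.dfn.de" {
    type slave;
    file "slave/zone.ph.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};
zone "zone.mw.rpz.dfn.de" {
    type slave;
    file "slave/zone.mw.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};
zone "zone.eval-l.rpz.dfn.de" {
    type slave;
    file "slave/zone.eval-l.rpz.dfn.de.db";
    masters { dfn-rpz-masters; };
};

// SWITCH RPZs
zone "zone.wl.rpz.switch.ch" {
    type slave;
    file "slave/zone.wl.rpz.switch.ch.db";
    masters { dfn-rpz-masters; };
};
zone "zone.test.rpz.switch.ch" {
    type slave;
    file "slave/zone.test.rpz.switch.ch.db";
    masters { dfn-rpz-masters; };
};
zone "zone3.mw.rpz.switch.ch" {
    type slave;
    file "slave/zone3.mw.rpz.switch.ch.db";
    masters { dfn-rpz-masters; };
};
zone "zone3.ph.rpz.switch.ch" {
    type slave;
    file "slave/zone3.ph.rpz.switch.ch.db";
    masters { dfn-rpz-masters; };
};
zone "zone3.misc.rpz.switch.ch" {
    type slave;
    file "slave/zone3.misc.rpz.switch.ch.db";
    masters { dfn-rpz-masters; };
};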