- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List

in RPZ-Format, contributed by Andreas Schulze.

contrib/README

@@ -51,3 +51,5 @@ distribution but may be helpful.
   compile.  From Saksham Manchanda (Secure64).  Please note that we think
   this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
   lookups for downstream clients.
+* drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
+  contributed by Andreas Schulze.

contrib/drop2rpz

@@ -0,0 +1,39 @@
+#!/usr/bin/perl
+
+# usage: curl --silent https://www.spamhaus.org/drop/drop.txt | $0 > /path/to/spamhaus-drop.rpz.local
+#
+# unbound.conf:
+#  rpz:
+#    name: "spamhaus-drop.rpz.local."
+#    zonefile: "/path/tp/spamhaus-drop.rpz.local"
+#    rpz-log: yes
+#    rpz-log-name: "spamhaus-drop"
+#
+
+use strict;
+use vars qw{$o1 $o2 $o3 $o4 $m};
+
+# trailing dots required
+my $origin = 'drop.spamhaus.org.rpz.local.';
+my $mname  = 'localhost.';
+my $rname  = 'root.localhost.';
+my $ns     = $mname;
+
+my  $rpz_action = '.';         # return NXDOMAIN
+#my $rpz_action = '*.';        # return NODATA
+#my $rpz_action = 'rpz-drop.'; # drop the query
+
+print "$origin SOA $mname $rname 1 43200 7200 2419200 3600\n";
+print "$origin NS  $ns\n";
+while(<>) {
+  if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) {
+    print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n";
+  } else {
+    print "$_";
+  }
+}
+
+# add a testpoint: ask for "dns.google"
+# print "32.8.8.8.8.rpz-ip.$origin CNAME $rpz_action\n";
+
+exit;

doc/Changelog

@@ -1,3 +1,7 @@
+17 February 2020: Wouter
+	- drop2rpz: perl script that converts the Spamhaus DROP-List in
+	  RPZ-Format, contributed by Andreas Schulze.
+
 14 February 2020: Wouter
 	- Fix spelling in unbound.conf.5.in.
 	- Stop unbound-checkconf from insisting that auth-zone and rpz