Blacklisting Domain Names

Note

The blacklist feature will be renamed and moved to denylist in the near future.

You can prevent users from creating zones with names that match a particular regular expression using blacklists. For example, you might use a blacklist to prevent users from:

  • creating a specific zone.

  • creating zones that contain a certain string,

  • creating subzones of a certain zone.

Managing Blacklists

You can create blacklists using the zone blacklist create command with System Administrator privileges. For example, to blacklist example.com. and all of its subdomains:

$ openstack zone blacklist create --pattern ".*example.com."
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| created_at  | 2021-05-27T04:06:42.000000           |
| description | None                                 |
| id          | 7622e241-8c3d-4c03-a692-8747e3cf2658 |
| pattern     | .*example.com.                       |
| updated_at  | None                                 |
+-------------+--------------------------------------+

If a Domain or Project Persona attempts to create foo.example.com., or example.com., they encounter an error:

$ openstack zone create --email admin@example.com example.com.
Blacklisted zone name
$ openstack zone create --email admin@example.com foo.example.com.
Blacklisted zone name

Note

Users who satisfy the use_blacklisted_zone policy can create zones with names that are on a blacklist. By default, the only users who have this override are System Administrators.

You can update a blacklist using zone blacklist set to modify its pattern or description;

$ openstack zone blacklist set 81fbfe02-6bf9-4812-a40e-1522ab6862ca --pattern ".*web.example.com"
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| created_at  | 2021-05-27T04:14:14.000000           |
| description | None                                 |
| id          | 81fbfe02-6bf9-4812-a40e-1522ab6862ca |
| pattern     | .*web.example.com                    |
| updated_at  | 2021-05-27T04:14:48.000000           |
+-------------+--------------------------------------+

You can delete a blacklist using zone blacklist delete:

$ openstack zone blacklist delete 7622e241-8c3d-4c03-a692-8747e3cf2658

There is no output when this command is successful.

Using the REST API

The regular expressions used for blacklists are similar to Python regular expressions, but you must escape certain characters when making HTTP calls.

For examples, this refex restricts using example.com. and its ASCII subdomains:

^([A-Za-z0-9_\\-]+\.)*example\.com\.$

However, you must insert the escape character (backslash, ) before the instances of dot (.) and .com:

^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$

Here is the API call and the regex with the HTTP characters escaped:

POST /v2/blacklists/ HTTP/1.1
Accept: application/json
Content-Type: application/json

{
  "pattern" : "^([A-Za-z0-9_\\-]+\\.)*example\\.com\\.$",
  "description" : "This blacklists *.example.com."
}

Regular Expressions

Regular Expressions can be difficult to work with. The Python Regex Documentation may serve as a useful introduction, and online regular expression tools can assist when building and testing regexes for use with the blacklist API.