Hi,

time.in is currently broken - I am guessing this is the reason why you are trying to rewrite the answers.

RPZ does try to resolve the name first, and it fails, so there’s nothing to rewrite.

See the documentation https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy on qname-wait-recurse and break-dnssec to turn off the default behavior.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
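The configuration change the reply points to, written out as an added example (editor's illustration, not part of either message on the thread). It uses the zone name and file path from the original report, and assumes the two options are set on the same response-policy statement that already references "rpz.local":

```bind
// named.conf.options - as posted in the report: RPZ QNAME triggers are only
// applied after the recursive lookup completes, so when the real time.in
// lookup fails the client gets SERVFAIL and nothing is rewritten.
response-policy {
    zone "rpz.local";
};

// Added example: apply the QNAME trigger without waiting for recursion to
// finish, and rewrite even when the client asked for DNSSEC (DO bit set).
// Both are global response-policy options, placed after the zone list.
response-policy {
    zone "rpz.local";
} qname-wait-recurse no break-dnssec yes;
```

Only `qname-wait-recurse no` is needed for the SERVFAIL case described on the thread; `break-dnssec yes` is shown because the reply mentions it, and it matters separately when the name being rewritten is DNSSEC-signed and the client sets DO. Run `named-checkconf` after the change and re-test with `dig time.in @127.0.0.1`; the expected result for a `CNAME .` action is NXDOMAIN rather than SERVFAIL.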

On 8. 4. 2023, at 16:32, Matthew Gomez <magome...@gmail.com> wrote:


Hi, has anyone run into this before? It looks like a bug to me. 


Summary

RPZ Returns a servfail when the trigger is "time.in"

BIND version used

BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)

Steps to reproduce

Configure an RPZ rule with the trigger as time.in (the action does not seem to matter; I tried both CNAME . and A 1.1.1.1, and both fail). Try to resolve time.in against the bind server using dig, nslookup, etc.; a servfail is returned.

What is the current bug behavior?

Bind returns a servfail when the trigger for an RPZ rule is "time.in". RPZ works as expected for "tim.in" and "time.ind".

What is the expected correct behavior?

Bind should return the expected action (nxdomain, A record rewrite, etc)

Relevant configuration files

RPZ Zone File

$TTL 86400
@ IN SOA localhost. root.localhost. (
        12        ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        86400 )   ; Negative Cache TTL
;
@ IN NS localhost.

time.in CNAME .

named.conf.local snippet

zone "rpz.local" {
    type master;
    file "/var/lib/bind/rpz.local";
    allow-query { localhost; };
    allow-transfer { 1.1.1.1; };
    also-notify { 1.1.1.1; };
};

named.conf.options snippet

//enable response policy zone.
response-policy { zone "rpz.local"; };

Relevant logs and/or screenshots

dig time.in @127.0.0.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
;; QUESTION SECTION:
;time.in. IN A

;; Query time: 292 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 07 10:29:27 EDT 2023
;; MSG SIZE rcvd: 64

LOG Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users