I'm attempting to set up a response policy zone on a pair of forwarders
running BIND, version 9.8.1 on the master for the zone, and version 9.9.5
on the slave.

The forwarding requests are coming from a pair of Microsoft DNS servers,
running Server 2012.

If the Microsoft DNS server is configured to forward to the master, the
clients get the correct responses, e.g. "evil.example.com" resolves to, just as I have it set up in the zone file for the RPZ. However,
if the Microsoft DNS server is configured to use the slave server as a
forwarder, the client gets an NXDOMAIN response.

Clients that query the BIND servers (master or slave) directly get the
correct response.

I've confirmed that changing the slave into a master for the RPZ fixes the

It seems like the Microsoft DNS servers for some reason don't regard the
BIND server configured as a slave as authoritative, but I'm not sure why
that might be.

Any thoughts?

Brock Sides