Hi Ondrej! I think you found the answer!!! It seems that the problem is DNSSEC. biopyrenees.net seems to have a DNSSEC signature:

dig @127.0.0.1 biopyrenees.net +dnssec +short
213.186.33.5
A 8 2 3600 20230414114926 20230315114926 1266 biopyrenees.net. uUm5BxSqUJFyBhFCkT20zcqD+VkxCOJ47KxDqzvLoaMLMPPwTLtxtseM /CW3hCeEAMGgxyGO/10N97jPLSTKZXlfrqC2DTgKbu27U7fE6gJtArRC LgIAv17ivw/mIyQT4WQzOLtJnCLc0wL/Ak3nHYG+eXV4CWmPVSPe9AXE JFY=

If I add break-dnssec yes; in my bind conf, it seems to work like I wanted it to!!! Thanks.

But what I don't understand is why, when I use SrvA directly (the server that has the RPZ zone), it works?

Thanks for your time 😉

Nath.

Nathanaël BONIN
Linux systems and monitoring engineer, DO-HDS
Tel. 05.67.69.72.95
boni...@mipih.fr
2 Impasse Michel Labrousse, 31100 Toulouse

From: Ondřej Surý <ond...@isc.org>
Sent: Wednesday 22 March 2023 14:12
To: BONIN Nathanael <boni...@mipih.fr>
Cc: bind-users@lists.isc.org
Subject: Re: RPZ answer me NXDOMAIN for some domain

Hi,

look for break-dnssec in https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 22. 3. 2023, at 12:52, BONIN Nathanael <boni...@mipih.fr> wrote:

> Hi there,
>
> We have been using an RPZ zone for some time now, but recently we found a weird behavior with some domains. Let me explain!
>
> We have 2 NS servers: a recursive one (let's call him SrvA) and one behind it (let's call him SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA.
>
> If we draw a little diagram, we have:
>
> User =====> SrvB =====> SrvA =====> Internet
>
> If we create an A record tatata.google.com / 2.3.4.5 (that doesn't exist at google.com) in the RPZ zone:
>
> 1. On SrvA with: dig @localhost tatata.google.com, we get IP 2.3.4.5 => GREAT!
> 2. On SrvB with: dig @localhost tatata.google.com (which points to SrvA), we get IP 2.3.4.5 => WONDERFUL!
>
> BUT if we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn't exist at biopyrenees.net) in the RPZ zone:
>
> 1. On SrvA with: dig @localhost sri.biopyrenees.net, we get IP 3.4.5.6 => YOUPI!
> 2. On SrvB with: dig @localhost sri.biopyrenees.net, we get NXDOMAIN => WHATTTT?
>
> Why, for some domains, is the RPZ not working?
>
> An example of what I wrote in my RPZ zone:
>
> tatata.google.com A 2.3.4.5
> sri.biopyrenees.net A 3.4.5.6
>
> Is it normal? Is there a way to get the right answer on my SrvB?
>
> With tcpdump, I see the same behavior with a record that works and with the record that doesn't work…
>
> Thanks for your help.
>
> Nath.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
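Putting Ondřej's pointer into a configuration, as an added example that is not from the thread: a named.conf excerpt for SrvA showing the response-policy statement before and after adding break-dnssec (the zone name rpz.local, the file paths and the dnssec-validation setting are assumptions). The comments explain why a plain dig against SrvA is rewritten while a query forwarded by SrvB is not.

```conf
// Added example, not from the thread. named.conf excerpt for SrvA,
// the resolver that holds the RPZ zone. Zone name and paths are assumed.

options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;

    // Before: with the default break-dnssec no, BIND applies RPZ only when
    // the client did NOT set the DO bit, or when the original name is not
    // DNSSEC-signed. A plain "dig @localhost" sends no DO bit, so SrvA
    // rewrites sri.biopyrenees.net. A forwarding BIND such as SrvB sets DO
    // on what it sends to SrvA, biopyrenees.net is signed, so no rewrite
    // happens and SrvB gets the genuine NXDOMAIN. google.com is unsigned,
    // so it is rewritten in both cases, which matches what Nath observed.
    //
    // response-policy { zone "rpz.local"; };

    // After: rewrite even when the client asked for DNSSEC and the original
    // answer is signed. The rewritten answer cannot validate, so a
    // downstream resolver must not validate answers from SrvA itself
    // (it should trust SrvA, or validation there would mark them bogus).
    response-policy { zone "rpz.local"; } break-dnssec yes;
};

// The policy zone itself: local only, never transferred or queried from outside.
// Its file would hold the two records from the thread, relative to the zone
// origin: "tatata.google.com A 2.3.4.5" and "sri.biopyrenees.net A 3.4.5.6".
zone "rpz.local" {
    type primary;
    file "/etc/bind/db.rpz.local";
    allow-query { localhost; };
    allow-transfer { none; };
};
```

Checking which case applies is a matter of repeating the failing query against SrvA with and without +dnssec: if the rewrite disappears only when +dnssec is present, this is the default RPZ behaviour on a signed name.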