Re: Response Policy Zone returns servfail for time.in Trigger

Sat, 08 Apr 2023 12:00:43 -0700 


Hi,

You can use option qname-wait-recurse no;
to avoid for resolution waiting by Ondrej;

        response-policy {
                zone "local-redirect";
        } qname-wait-recurse no;

In this combination, you will get redirect as I did below

% dig time.in @127.0.0.1

; <<>> DiG 9.16.37 <<>> time.in @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16906
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76c28914f71577f8010000006431b8a864cf9cf0868502f1 (good)
;; QUESTION SECTION:
;time.in.                       IN      A

;; ANSWER SECTION:
time.in.                5       IN      A       127.0.0.1

;; ADDITIONAL SECTION:
local-redirect.         1       IN      SOA

Best Regards,
Peter

On 2023-04-08 20:28, bind-users-requ...@lists.isc.org wrote:


Send bind-users mailing list submissions to
bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
bind-users-requ...@lists.isc.org

You can reach the person managing the list at
bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."

Today's Topics:

1. Re: Response Policy Zone returns servfail for time.in Trigger
(Matthew Gomez)
2. Re: Response Policy Zone returns servfail for time.in Trigger
(Fred Morris)

----------------------------------------------------------------------

Message: 1
Date: Sat, 8 Apr 2023 14:25:57 -0400
From: Matthew Gomez <magome...@gmail.com>
To: Ond?ej Sur? <ond...@isc.org>
Cc: bind-users@lists.isc.org
Subject: Re: Response Policy Zone returns servfail for time.in Trigger
Message-ID:
<cab4mi5uz6nthr1nsr9gbck7rm9fhmgwmoxjc7zagbqm-m-u...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

This works great!

Thanks,
Matt

On Sat, Apr 8, 2023 at 1:35 PM Ond?ej Sur? <ond...@isc.org> wrote:


Hi,

time.in is currently broken - I am guessing this is the reason why are
you trying to rewrite the answers.


RPZ does try to resolve the name first, and it fails, so there?s 
nothing

to rewrite.

See the documentation

https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy 
on

qname-wait-recurse and break-dnssec to turn off the default behavior.

Ondrej
--
Ond?ej Sur? ? ISC (He/Him)


My working hours and your working hours may be different. Please do 
not

feel obligated to reply outside your normal working hours.

On 8. 4. 2023, at 16:32, Matthew Gomez <magome...@gmail.com> wrote:

?

Hi, has anyone run into this before? It looks like a bug to me.

Summary

RPZ Returns a servfail when the trigger is "time.in"
<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used>BIND
version used

BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)

<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#steps-to-reproduce>Steps
to reproduce

Configure a RPZ rule with the trigger as time.in (the action does not
seem to matter, I tried both CNAME . and A 1.1.1.1 both fail) Try to
resolve time.in against the bind server using dig, nslookup, etc a
servfail is returned

<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-current-bug-behavior>What
is the current *bug* behavior?


Bind returns a servfail when the trigger for an RPZ rule is "time.in" 
RPZ

works as expected for "tim.in" and "time.ind"

<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-expected-correct-behavior>What
is the expected *correct* behavior?


Bind should return the expected action (nxdomain, A record rewrite, 
etc)


<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-configuration-files>Relevant
configuration files


RPZ Zone File $TTL 86400 @ IN SOA localhost. root.localhost. ( 12 ; 
Serial
604800 ; Refresh 86400 ; Retry 2419200 ; Expire 86400 ) ; Negative 
Cache

TTL ; @ IN NS localhost.

time.in CNAME .

named.conf.local snippet zone "rpz.local" { type master; file

"/var/lib/bind/rpz.local"; allow-query { localhost; }; allow-transfer 
{

1.1.1.1; }; also-notify { 1.1.1.1; }; };


named.conf.options snippet //enable response policy zone. 
response-policy

{ zone "rpz.local"; };

<https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-logs-andor-screenshots>Relevant
logs and/or screenshots

dig time.in @127.0.0.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1 ;;

global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, 
status:
SERVFAIL, id: 25602 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, 
AUTHORITY: 0,

ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE:
a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good) ;; QUESTION
SECTION: ;time.in. IN A


;; Query time: 292 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; 
WHEN:

Fri Apr 07 10:29:27 EDT 2023 ;; MSG SIZE rcvd: 64

LOG Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8
127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at
query.c:7775
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list

ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...

URL: 
<https://lists.isc.org/pipermail/bind-users/attachments/20230408/8b94b5f5/attachment-0001.htm>


------------------------------

Message: 2
Date: Sat, 8 Apr 2023 11:28:17 -0700 (PDT)
From: Fred Morris <m3...@m3047.net>
To: bind-users@lists.isc.org
Subject: Re: Response Policy Zone returns servfail for time.in Trigger
Message-ID: <alpine.LSU.2.21.2304081041330.3187@flame.m3047>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Since one of the corner cases where RPZ is used is for mitigation of
failures of legitimate resources, I have a question...

On Sat, 8 Apr 2023, Ond?ej Sur? wrote:


time.in is currently broken - I am guessing this is the reason why are 
you trying to rewrite the answers.



RPZ does try to resolve the name first, and it fails, so there?s 
nothing to rewrite.


Does this mean that in the default configuration an e.g. A record in an
RPZ overriding brokenness in the global DNS with a QNAME override might

fail due to the same brokenness? As far as I know I've never 
experienced

that.


Going forward, what is anticipated to be the proper configuration for 
that

scenario?

Thanks...

--

Fred Morris

------------------------------

Subject: Digest Footer

_______________________________________________

ISC funds the development of this software with paid support 
subscriptions. Contact us at https://www.isc.org/contact/ for more 
information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 4222, Issue 2
*******************************************
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to