Package: bind9
Version: 1:9.18.19-1~deb12u1
Severity: normal

When bind9/named is configured to log category rpz messages to a file, some rpz log messages are not captured and sent to the intended destination.

Example: Add the following stanza in named.conf.options:

    logging {
        channel rpzlog {
            file "/var/log/named/rpz.log" versions unlimited size 100m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category rpz { rpzlog; };
    };

With this configuration for logging, most rpz log messages are properly sent to the intended file (NXDOMAIN items), but some rpz messages are not. So far, the ones that seem not to be properly captured by this log destination are rpz "passthru" lookups.

Example log messages that end up in the default syslog/journald rather than the configured log file:

    Dec 10 01:29:41 somehostn named[327739]: client @0x7fee327a6568 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/A/IN via some.domain.name.rpz.local
    Dec 10 01:29:41 somehost named[327739]: client @0x7fee32785768 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/AAAA/IN via some.domain.name.rpz.local

Example rpz entry that generates log entries that fail to go to the rpz category/destination:

    some.domain.name CNAME rpz-passthru.

Example rpz entry that generates log entries that do go to the proper rpz category/destination:

    other.domain.name CNAME .

-- System Information:
Debian Release: 12.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-26-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii  adduser                     3.134
ii  bind9-libs                  1:9.18.19-1~deb12u1
ii  bind9-utils                 1:9.18.19-1~deb12u1
ii  debconf [debconf-2.0]       1.5.82
ii  dns-root-data               2023010101
ii  init-system-helpers         1.65.2
ii  iproute2                    6.1.0-3
ii  libc6                       2.36-9+deb12u3
ii  libcap2                     1:2.66-4
ii  libfstrm0                   0.6.1-1
ii  libjson-c5                  0.16-2
ii  liblmdb0                    0.9.24-1
ii  libmaxminddb0               1.7.1-1
ii  libnghttp2-14               1.52.0-1+deb12u1
ii  libprotobuf-c1              1.4.1-1+b1
ii  libssl3                     3.0.11-1~deb12u2
ii  libsystemd0                 252.19-1~deb12u1
ii  libuv1                      1.44.2-1
ii  libxml2                     2.9.14+dfsg-1.3~deb12u1
ii  lsb-base                    11.6
ii  netbase                     6.4
ii  sysvinit-utils [lsb-base]   3.06-4
ii  zlib1g                      1:1.2.13.dfsg-1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                    <none>
ii  bind9-dnsutils [dnsutils]   1:9.18.19-1~deb12u1
ii  dnsutils                    1:9.18.19-1~deb12u1
ii  resolvconf                  1.91+nmu1
ii  ufw                         0.36.2-1

-- Configuration Files:
/etc/bind/db.root [Errno 13] Permission denied: '/etc/bind/db.root'
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options [Errno 13] Permission denied: '/etc/bind/named.conf.options'

-- debconf-show failed
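
An added example, not part of the original report and not BIND's own code: a small check that parses rpz rewrite messages from each log destination and reports which policy actions are showing up outside the intended rpz channel. The sink names, the function names and the single rpz.log sample line are assumptions made for illustration; the two syslog lines are the ones quoted in the report.

```python
import re
from collections import Counter

# Message layout taken from the syslog lines quoted in the report:
#   client @0x<ptr> <ip>#<port> (<qname>): rpz <trigger> <action> rewrite <name>/<type>/<class> via <owner>
RPZ_REWRITE = re.compile(
    r"client @0x[0-9a-f]+ (?P<client>\S+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<name>[^/\s]+)/(?P<qtype>[^/\s]+)/(?P<qclass>\S+) via (?P<via>\S+)"
)

def parse_rpz(line):
    """Return the fields of an rpz rewrite message, or None for other lines."""
    m = RPZ_REWRITE.search(line)
    return m.groupdict() if m else None

def actions_by_sink(sinks):
    """Map each log destination to a Counter of the policy actions seen there."""
    return {
        sink: Counter(rec["action"] for rec in map(parse_rpz, lines) if rec)
        for sink, lines in sinks.items()
    }

def leaked_actions(sinks, intended="rpz.log"):
    """Policy actions whose rewrite messages appear outside the intended channel."""
    leaked = Counter()
    for sink, counts in actions_by_sink(sinks).items():
        if sink != intended:
            leaked.update(counts)
    return dict(leaked)

# Sample input. The first two "syslog" lines are the ones quoted in the report;
# the third syslog line and the "rpz.log" line are constructed.
SAMPLE = {
    "syslog": [
        "Dec 10 01:29:41 somehostn named[327739]: client @0x7fee327a6568 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/A/IN via some.domain.name.rpz.local",
        "Dec 10 01:29:41 somehost named[327739]: client @0x7fee32785768 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/AAAA/IN via some.domain.name.rpz.local",
        "Dec 10 01:29:42 somehost named[327739]: zone example/IN: loaded serial 1",
    ],
    "rpz.log": [
        "10-Dec-2023 01:29:40.000 rpz: info: client @0x7fee00000000 127.0.0.1#35808 (other.domain.name): rpz QNAME NXDOMAIN rewrite other.domain.name/A/IN via other.domain.name.rpz.local",
    ],
}

if __name__ == "__main__":
    print(actions_by_sink(SAMPLE))
    print(leaked_actions(SAMPLE))
```

Feeding it the real journal output for named and the contents of rpz.log in place of SAMPLE shows whether any policy action other than the expected ones is bypassing the file channel.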