Saurabh: Not getting the answer with AAAA record. Error FORMERR resolving 'gim8.pl/AAAA/IN comes.
Tony Finch
dot at dotat.at
Tue May 22 14:58:46 UTC 2018
Saurabh Srivastava <jp.saurabh at gmail.com> wrote:
> I have faced an issue on my RPZ Server.
> I have added the A record Entry & AAAA record entry for some domains.
> The RPZ Policy is running fine.
> But the werired response that i am getting with few domains are that when I
> have quered the A record for that domain, the answer is OK.
> When I have quered for AAAA record, it is not given the answer.
> May 22 17:24:13 RPZ named[17245]: FORMERR resolving 'gim8.pl/AAAA/IN': 104.130.132.112#53
RPZ is a bit weird because it performs the query as usual, then applies
its rewrite rules. In this case, the original query fails, so there isn't
an AAAA in the answer to rewrite.
You can set the `qname-wait-recurse` option, so that RPZ will skip
recursion when it is able to rewrite a response based only on the query.
You might also want to set `break-dnssec` to make it ignore the DO bit.
If you are using `qname-wait-recurse`, you need to be careful about the
order of the policy zones listed in your RPZ clause so that it works as
expected: you should keep qname and client-ip triggers in separate zones,
and list those zones first - other RPZ rewrite rules force recursion to
happen.
The manual says the reason for this weird behaviour is: "not resolving the
requested name can leak the fact that response policy rewriting is in use
and that the name is listed in a policy zone to operators of servers for
listed names." If you are worried about that, it implies that (sadly) you
have an adversarial relationship with your users, since they are the only
people who can observe this information leak.
In my opinion your users should be able to trust you, so you should be
up-front about DNS rewriting, and you should explain to your users clearly
what your rewrite policy is. And if you have documented your policy,
there's no information leak because the information is in the documentation.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
promote human rights and open government
More information about the bind-users
mailing list