RPZ answer me NXDOMAIN for some domain

Ondřej Surý ondrej at isc.org
Wed Mar 22 13:12:22 UTC 2023 

Hi,

look for break-dnssec in https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 22. 3. 2023, at 12:52, BONIN Nathanael <BONIN.N at mipih.fr> wrote:
> 
> 
> Hi there,
>  
> We are using RPZ zone for some times now, but recently we found a weird behavior from some domains. Let me explain !
>  
> We have 2 NS server : Recursive one (let’s call him SrvA) and one bebind (let’s call him SrvB, with global forwarder : SrvA ). My RPZ zone is on SrvA.
>  
> If we took a little diagram, we have :
>  
> User ===== > SrvB ===== > SrvA ===== > Internet
>  
> If we create an A record tatata.google.com / 2.3.4.5 (that doesn’t exist at google.com) on RPZ zone :
>  
> On SrvA with : dig @localhost tatata.google.com we got IP : 2.3.4.5 => GREAT !
> On SrvB with : dig @localhost tatata.google.com (that point on SrvA), we got IP : 2.3.4.5 => WONDERFUL !
>  
> BUT
>  
> If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t exist at biopyrenees.net) on RPZ zone :
>  
> On SrvA with : dig @localhost sri.biopyrenees.net, we got IP : 3.4.5.6 => YOUPI !
> On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN => WHATTTT ?
>  
> Why for some domain, the RPZ isn’t working ?
>  
> An exemple of what I wrote on my RPZ zone :
>  
> tatata.google.com                       A       2.3.4.5
> sri.biopyrenees.net                     A      3.4.5.6
>  
> Is it normal ? Is there a way to have the good answer on my SrvB ?
>  
> With tcpdump, I see the same behavior with a record that works and with the record that doesn’t work…
>  
> Thanks for your help.
>  
> Nath. 
>  
>  
>  
>  
>  
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230322/ae2c4c7c/attachment.htm>

More information about the bind-users mailing list