Response Policy Zone returns servfail for time.in Trigger

Matthew Gomez magomez96 at gmail.com
Sat Apr 8 14:31:50 UTC 2023


Hi, has anyone run into this before? It looks like a bug to me.


Summary

RPZ returns a servfail when the trigger is "time.in".

BIND version used <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used>

BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)

Steps to reproduce

Configure an RPZ rule with the trigger as time.in (the action does not seem
to matter; I tried both CNAME . and A 1.1.1.1, and both fail).

Try to resolve time.in against the BIND server using dig, nslookup, etc.; a
servfail is returned.

What is the current *bug* behavior?

BIND returns a servfail when the trigger for an RPZ rule is "time.in". RPZ
works as expected for "tim.in" and "time.ind".

What is the expected *correct* behavior?

BIND should return the expected action (nxdomain, A record rewrite, etc.).

Relevant configuration files

RPZ Zone File

$TTL 86400
@ IN SOA localhost. root.localhost. (
        12      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
;
@ IN NS localhost.

time.in CNAME .

named.conf.local snippet

zone "rpz.local" {
        type master;
        file "/var/lib/bind/rpz.local";
        allow-query { localhost; };
        allow-transfer { 1.1.1.1; };
        also-notify { 1.1.1.1; };
};

named.conf.options snippet

//enable response policy zone.
response-policy {
        zone "rpz.local";
};

Relevant logs and/or screenshots

dig time.in @127.0.0.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
;; QUESTION SECTION:
;time.in. IN A

;; Query time: 292 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 07 10:29:27 EDT 2023
;; MSG SIZE rcvd: 64

LOG

Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775