Response Policy Zone returns servfail for time.in Trigger

Matthew Gomez magomez96 at gmail.com
Sat Apr 8 18:25:57 UTC 2023


This works great!

Thanks,
Matt

On Sat, Apr 8, 2023 at 1:35 PM Ondřej Surý <ondrej at isc.org> wrote:

> Hi,
>
> time.in is currently broken - I am guessing this is the reason why are
> you trying to rewrite the answers.
>
> RPZ does try to resolve the name first, and it fails, so there’s nothing
> to rewrite.
>
> See the documentation
> https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy on
> qname-wait-recurse and break-dnssec to turn off the default behavior.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 8. 4. 2023, at 16:32, Matthew Gomez <magomez96 at gmail.com> wrote:
>
> 
>
> Hi, has anyone run into this before? It looks like a bug to me.
>
>
> Summary
>
> RPZ Returns a servfail when the trigger is "time.in"
>
> BIND version used
>
> BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)
>
> Steps to reproduce
>
> Configure an RPZ rule with the trigger as time.in (the action does not
> seem to matter; I tried both CNAME . and A 1.1.1.1, and both fail). Try to
> resolve time.in against the bind server using dig, nslookup, etc.; a
> servfail is returned.
>
> What is the current *bug* behavior?
>
> Bind returns a servfail when the trigger for an RPZ rule is "time.in". RPZ
> works as expected for "tim.in" and "time.ind".
>
> What is the expected *correct* behavior?
>
> Bind should return the expected action (nxdomain, A record rewrite, etc.).
>
> Relevant configuration files
>
> RPZ Zone File
>
>     $TTL 86400
>     @   IN  SOA localhost. root.localhost. (
>                 12        ; Serial
>                 604800    ; Refresh
>                 86400     ; Retry
>                 2419200   ; Expire
>                 86400 )   ; Negative Cache TTL
>     ;
>     @   IN  NS  localhost.
>
>     time.in CNAME .
>
> named.conf.local snippet
>
>     zone "rpz.local" {
>         type master;
>         file "/var/lib/bind/rpz.local";
>         allow-query { localhost; };
>         allow-transfer { 1.1.1.1; };
>         also-notify { 1.1.1.1; };
>     };
>
> named.conf.options snippet
>
>     //enable response policy zone.
>     response-policy { zone "rpz.local"; };
>
> Relevant logs and/or screenshots
>
> dig time.in @127.0.0.1
>
>     ; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
>     ;; QUESTION SECTION:
>     ;time.in.                       IN      A
>
>     ;; Query time: 292 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>     ;; WHEN: Fri Apr 07 10:29:27 EDT 2023
>     ;; MSG SIZE  rcvd: 64
>
> LOG
>
>     Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775
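The two response-policy options Ondřej points to, shown side by side as an added configuration example that is not part of this thread: the zone name rpz.local and the trigger time.in are taken from the report above, and the behaviour comments summarise the documented semantics of qname-wait-recurse and break-dnssec; everything else is illustrative.

```conf
// Added example, not from the thread: an options { } fragment for named.conf.
// Zone name "rpz.local" and trigger "time.in" come from the report above.

// Before: the reporter's statement. With the default qname-wait-recurse yes,
// named recurses for time.in BEFORE applying the QNAME trigger. time.in is
// currently broken upstream, so resolution fails, there is no response to
// rewrite, and the client receives SERVFAIL instead of the RPZ action.
response-policy {
    zone "rpz.local";
};

// After: apply QNAME and client-IP triggers without waiting for recursion,
// so a domain that does not resolve is still rewritten (here to NXDOMAIN,
// which is what the "time.in CNAME ." rule in rpz.local requests).
// Caveat: a query answered this way is never resolved upstream, so the
// NSIP, NSDNAME and IP triggers of other rules are not evaluated for it.
response-policy {
    zone "rpz.local";
} qname-wait-recurse no;

// Optional: by default RPZ does not rewrite a DNSSEC-signed answer when the
// client set the DO bit, so validating clients still get the real data.
// break-dnssec yes rewrites such answers anyway; a validating resolver
// behind this server will then reject them as bogus. Keep the default
// unless that trade-off is deliberate.
//
// response-policy {
//     zone "rpz.local";
// } qname-wait-recurse no break-dnssec yes;
```

After `rndc reload`, `dig time.in @127.0.0.1` should report status NXDOMAIN rather than SERVFAIL; with `dig +dnssec` and the default break-dnssec setting the rewrite may not apply, which is the expected behaviour, not a regression.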