Response Policy Zone returns servfail for time.in Trigger

Fred Morris m3047 at m3047.net
Sat Apr 8 18:28:17 UTC 2023


Since one of the corner cases where RPZ is used is for mitigation of 
failures of legitimate resources, I have a question...

On Sat, 8 Apr 2023, Ondřej Surý wrote:
> time.in is currently broken - I am guessing this is the reason why you are trying to rewrite the answers.
> 
> RPZ does try to resolve the name first, and it fails, so there’s nothing to rewrite.

Does this mean that in the default configuration an e.g. A record in an 
RPZ overriding brokenness in the global DNS with a QNAME override might 
fail due to the same brokenness? As far as I know I've never experienced 
that.

Going forward, what is anticipated to be the proper configuration for that 
scenario?

Thanks...

--

Fred Morris

