Response Policy Zone returns servfail for time.in Trigger

isc at sunnyday.sk
Sat Apr 8 18:59:52 UTC 2023



Hi,

You can use the option qname-wait-recurse no;
to avoid waiting for resolution, as Ondrej mentioned:

         response-policy {
                 zone "local-redirect";
         } qname-wait-recurse no;

In this combination, you will get the redirect, as I did below:

% dig time.in @127.0.0.1

; <<>> DiG 9.16.37 <<>> time.in @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16906
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76c28914f71577f8010000006431b8a864cf9cf0868502f1 (good)
;; QUESTION SECTION:
;time.in.                       IN      A

;; ANSWER SECTION:
time.in.                5       IN      A       127.0.0.1

;; ADDITIONAL SECTION:
local-redirect.         1       IN      SOA

Best Regards,
Peter
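As an added illustration that is not part of this message, the thread, or BIND itself: a small Python checker that reads dig output for a name an RPZ rule should rewrite and tells the two responses seen in this thread apart. BIND puts the policy zone's SOA in the ADDITIONAL section of a rewritten answer (visible above as the local-redirect. SOA), so that record is the positive sign the rule fired; a SERVFAIL with no such SOA is the symptom from the original report, where recursion failed before the policy was applied under the default qname-wait-recurse. The two transcripts embedded in the script are constructed from the dig outputs quoted in the thread.

```python
"""Tell an RPZ rewrite apart from a SERVFAIL in dig output.

Added example; not part of the mailing-list thread or of BIND. The two
transcripts below are constructed from the dig outputs quoted in the thread.
"""
import re

# Constructed sample: response after setting "qname-wait-recurse no;"
# (abbreviated from the dig output in the reply above).
REWRITTEN_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16906
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;time.in.                       IN      A

;; ANSWER SECTION:
time.in.                5       IN      A       127.0.0.1

;; ADDITIONAL SECTION:
local-redirect.         1       IN      SOA
"""

# Constructed sample: the failing response from the original report
# (default qname-wait-recurse; recursion for time.in fails first).
SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;time.in.                       IN      A

;; Query time: 292 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
"""

# owner  ttl  class  type  rdata (rdata may be empty, as in the SOA above)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+(\S+)\s*(.*)$")


def parse_dig(text):
    """Return (rcode, flags, sections); sections maps a section name to
    a list of (owner, ttl, class, type, rdata) tuples."""
    rcode, flags, sections, current = None, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*([A-Z]+)", line)
            rcode = m.group(1) if m else None
            continue
        if line.startswith(";; flags:"):
            flags = line[len(";; flags:"):].split(";")[0].split()
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.startswith(";"):
            continue  # dig comments, OPT pseudosection, QUESTION entries
        m = RR_RE.match(line)
        if current and m:
            owner, ttl, cls, rtype, rdata = m.groups()
            sections[current].append((owner, int(ttl), cls, rtype, rdata))
    return rcode, flags, sections


def classify(text, qname):
    """Classify a response for a name covered by an RPZ rule.

    The policy zone's SOA in the ADDITIONAL section is the positive
    signal that the rule fired. A SERVFAIL without that SOA matches the
    symptom in the thread (recursion failed before the policy applied);
    it is a hint to check qname-wait-recurse, not proof of the cause.
    """
    rcode, flags, sections = parse_dig(text)
    qname = qname.rstrip(".").lower() + "."
    policy_soa = [rr for rr in sections.get("ADDITIONAL", [])
                  if rr[3] == "SOA" and rr[0].lower() != qname]
    if policy_soa:
        return {"verdict": "rewritten", "policy_zone": policy_soa[0][0],
                "rcode": rcode, "flags": flags}
    if rcode == "SERVFAIL":
        return {"verdict": "servfail-before-policy", "policy_zone": None,
                "rcode": rcode, "flags": flags}
    return {"verdict": "no-policy-hit", "policy_zone": None,
            "rcode": rcode, "flags": flags}


if __name__ == "__main__":
    for label, sample in (("fixed", REWRITTEN_SAMPLE), ("reported", SERVFAIL_SAMPLE)):
        print(label, classify(sample, "time.in"))
```

To use it against a live resolver, feed it the text of `dig <name> @<resolver>` instead of the embedded samples; the verdict names are this example's own, not BIND terminology.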

On 2023-04-08 20:28, bind-users-request at lists.isc.org wrote:

> Today's Topics:
> 
> 1. Re: Response Policy Zone returns servfail for time.in Trigger
> (Matthew Gomez)
> 2. Re: Response Policy Zone returns servfail for time.in Trigger
> (Fred Morris)
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 8 Apr 2023 14:25:57 -0400
> From: Matthew Gomez <magomez96 at gmail.com>
> To: Ondřej Surý <ondrej at isc.org>
> Cc: bind-users at lists.isc.org
> Subject: Re: Response Policy Zone returns servfail for time.in Trigger
> Message-ID:
> <CAB4mi5uZ6NtHr1nsR9GBck7rm9FHMGWmOxjC7ZagbqM-m-uQ8w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> This works great!
> 
> Thanks,
> Matt
> 
> On Sat, Apr 8, 2023 at 1:35 PM Ondřej Surý <ondrej at isc.org> wrote:
> 
>> Hi,
>> 
>> time.in is currently broken - I am guessing this is the reason why you
>> are trying to rewrite the answers.
>> 
>> RPZ does try to resolve the name first, and it fails, so there's
>> nothing to rewrite.
>> 
>> See the documentation
>> https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy
>> on qname-wait-recurse and break-dnssec to turn off the default behavior.
>> 
>> Ondrej
>> --
>> Ondřej Surý - ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do
>> not feel obligated to reply outside your normal working hours.
>> 
>> On 8. 4. 2023, at 16:32, Matthew Gomez <magomez96 at gmail.com> wrote:
>> 
>> Hi, has anyone run into this before? It looks like a bug to me.
>> 
>> Summary (https://gitlab.isc.org/isc-projects/bind9/-/issues/4008)
>> 
>> RPZ returns a servfail when the trigger is "time.in"
>> 
>> BIND version used
>> 
>> BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)
>> 
>> Steps to reproduce
>> 
>> Configure an RPZ rule with the trigger as time.in (the action does not
>> seem to matter; I tried both CNAME . and A 1.1.1.1 and both fail).
>> Try to resolve time.in against the BIND server using dig, nslookup,
>> etc.; a servfail is returned.
>> 
>> What is the current *bug* behavior?
>> 
>> BIND returns a servfail when the trigger for an RPZ rule is "time.in".
>> RPZ works as expected for "tim.in" and "time.ind".
>> 
>> What is the expected *correct* behavior?
>> 
>> BIND should return the expected action (nxdomain, A record rewrite,
>> etc.)
>> 
>> Relevant configuration files
>> 
>> RPZ zone file:
>> 
>>   $TTL 86400
>>   @   IN  SOA localhost. root.localhost. (
>>               12          ; Serial
>>               604800      ; Refresh
>>               86400       ; Retry
>>               2419200     ; Expire
>>               86400 )     ; Negative Cache TTL
>>   ;
>>   @   IN  NS  localhost.
>> 
>>   time.in CNAME .
>> 
>> named.conf.local snippet:
>> 
>>   zone "rpz.local" {
>>       type master;
>>       file "/var/lib/bind/rpz.local";
>>       allow-query { localhost; };
>>       allow-transfer { 1.1.1.1; };
>>       also-notify { 1.1.1.1; };
>>   };
>> 
>> named.conf.options snippet:
>> 
>>   //enable response policy zone.
>>   response-policy { zone "rpz.local"; };
>> 
>> Relevant logs and/or screenshots
>> 
>> dig time.in @127.0.0.1
>> 
>>   ; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
>>   ;; global options: +cmd
>>   ;; Got answer:
>>   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
>>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> 
>>   ;; OPT PSEUDOSECTION:
>>   ; EDNS: version: 0, flags:; udp: 1232
>>   ; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
>>   ;; QUESTION SECTION:
>>   ;time.in.                       IN      A
>> 
>>   ;; Query time: 292 msec
>>   ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>>   ;; WHEN: Fri Apr 07 10:29:27 EDT 2023
>>   ;; MSG SIZE  rcvd: 64
>> 
>> Log:
>> 
>>   Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>> 
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> ------------------------------
> 
> Message: 2
> Date: Sat, 8 Apr 2023 11:28:17 -0700 (PDT)
> From: Fred Morris <m3047 at m3047.net>
> To: bind-users at lists.isc.org
> Subject: Re: Response Policy Zone returns servfail for time.in Trigger
> Message-ID: <alpine.LSU.2.21.2304081041330.3187 at flame.m3047>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> 
> Since one of the corner cases where RPZ is used is for mitigation of
> failures of legitimate resources, I have a question...
> 
> On Sat, 8 Apr 2023, Ondřej Surý wrote:
> 
>> time.in is currently broken - I am guessing this is the reason why you
>> are trying to rewrite the answers.
>> 
>> RPZ does try to resolve the name first, and it fails, so there's
>> nothing to rewrite.
> 
> Does this mean that in the default configuration an e.g. A record in an
> RPZ overriding brokenness in the global DNS with a QNAME override might
> fail due to the same brokenness? As far as I know I've never
> experienced that.
> 
> Going forward, what is anticipated to be the proper configuration for
> that scenario?
> 
> Thanks...
> 
> --
> 
> Fred Morris
> 
> ------------------------------
> 
> End of bind-users Digest, Vol 4222, Issue 2
> *******************************************