extended dns error

Greg Choules gregchoules+bindusers at googlemail.com
Wed Jul 12 09:07:26 UTC 2023


Hi Sami.
In the "response-policy" block in your config, what (if anything) is the
value of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the
defaults and see what it is; probably "yes".

This parameter controls whether RPZ waits until successful recursion has
finished before it rewrites the response, according to the matching rule in
the RPZ zone.
If there is no successful response from recursion then RPZ has nothing to
rewrite, so your server's response to its client will be SERVFAIL.

It looks like your server cannot resolve cadyst.com/A for some reason,
which would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152

Maybe you have some other issue with your resolver?

Cheers, Greg

On Wed, 12 Jul 2023 at 09:26, <sami.rahal at sofrecom.com> wrote:

> Hello
> Thank you for your answer. Yes, we will plan a migration to version 9.18.
> Now I have activated "error log" to get the cause of a SERVFAIL error;
> here is the result.
>
> 11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250
> 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com
> stop on qresult in rpz_rewrite(): timed out
> 11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250
> 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for
> cadyst.com/IN/A at query.c:8042
> 11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at
> resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:
> cadyst.com
> ,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
>
> Regards Sami
>
>
> Message: 2
> Date: Tue, 11 Jul 2023 12:04:15 +0200
> From: Matthijs Mekking <matthijs at isc.org>
> To: bind-users at lists.isc.org
> Subject: Re: extended dns error
> Message-ID: <6f5bb3dc-ddf0-873c-c630-fa89fe260c96 at isc.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Upgrade to 9.18, because 9.16 does not support extended DNS errors.
>
> See
>
> https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20
>
> for which errors are supported.
>
> Best regards, Matthijs
>
> On 7/11/23 11:10, sami.rahal at sofrecom.com wrote:
> > Hello community
> >
> > I want to use "extended dns error" option on my recursive dns server.
> > What config changes are required to enable EDE?
> >
> > I am using BIND 9.16.42 as recursive server.
> >
> > Regards Sami
> >
> >
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
> ------------------------------
>
> End of bind-users Digest, Vol 4279, Issue 3
> *******************************************