extended dns error
sami.rahal at sofrecom.com
Wed Jul 12 11:58:35 UTC 2023
Hi Greg, thank you for your answer.
I use RPZ as follows:
    response-policy { zone "rpz"; }
    break-dnssec yes
    recursive-only no
    qname-wait-recurse no;
    };
Regards Sami
From: Greg Choules <gregchoules+bindusers at googlemail.com>
Sent: Wednesday, 12 July 2023 10:07
To: RAHAL Sami SOFRECOM <sami.rahal at sofrecom.com>
Cc: bind-users at lists.isc.org
Subject: Re: extended dns error
Hi Sami.
In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes".
This parameter controls whether RPZ waits until successful recursion has finished before it rewrites the response, according to the matching rule in the RPZ zone.
If there is no successful response from recursion then RPZ has nothing to rewrite, so your server's response to its client will be SERVFAIL.
It looks like your server cannot resolve cadyst.com/A for some reason, which would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152
Maybe you have some other issue with your resolver?
Cheers, Greg
On Wed, 12 Jul 2023 at 09:26, <sami.rahal at sofrecom.com> wrote:
Hello
Thank you for your answer. Yes, we will plan a migration to version 9.18.
Now I have activated the "error log" to find the cause of a SERVFAIL error; here is the result.
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
Regards Sami
Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking <matthijs at isc.org>
To: bind-users at lists.isc.org
Subject: Re: extended dns error
Message-ID: <6f5bb3dc-ddf0-873c-c630-fa89fe260c96 at isc.org>
Upgrade to 9.18, because 9.16 does not support extended DNS errors.
See https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20 for which errors are supported.
Best regards, Matthijs
On 7/11/23 11:10, sami.rahal at sofrecom.com wrote:
> Hello community
>
> I want to use "extended dns error" option on my recursive dns server.
> What config changes are required to enable EDE?
>
> I am using BIND 9.16.42 as recursive server.
>
> Regards Sami
>
>
------------------------------
Subject: Digest Footer
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
------------------------------
End of bind-users Digest, Vol 4279, Issue 3
*******************************************
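As an added example (not part of the original thread and not ISC code), the following Python sketch parses the three query-errors lines quoted above and summarises, per query name, whether the RPZ rewrite stopped on a failed recursion result and which resolver counter dominates. The field names are taken from those log lines; treating the listed counters as failure causes, and the result key names, are assumptions of the example.

```python
import re

# The three query-errors lines quoted in the thread above (BIND 9.16.42).
SAMPLE = [
    '11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out',
    '11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042',
    '11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]',
]

RPZ_RE = re.compile(r"rpz (\w+) rewrite (\S+) stop on qresult in rpz_rewrite\(\): (.+)$")
FAIL_RE = re.compile(r"query failed \((.+?)\) for (\S+?)/(\w+)/(\w+) at ")
FETCH_RE = re.compile(r"fetch completed at \S+ for (\S+)/(\w+) in ([\d.]+): (.+?) \[(.+)\]$")
# Counters treated as failure causes; this grouping is the example's assumption.
FAILURE_KEYS = ("timeout", "lame", "quota", "neterr", "badresp", "adberr", "findfail", "valfail")

def parse_counters(text):
    """Turn 'domain:x,qrysent:6,...' into a dict with integer counters."""
    pairs = (item.split(":", 1) for item in text.split(","))
    return {k: int(v) if v.isdigit() else v for k, v in pairs}

def diagnose(lines):
    """Group query-errors lines by query name and summarise why each failed."""
    report = {}
    for line in lines:
        if (m := RPZ_RE.search(line)):
            entry = report.setdefault(m.group(2), {})
            entry["rpz_trigger"], entry["rpz_stop_reason"] = m.group(1), m.group(3)
        elif (m := FAIL_RE.search(line)):
            report.setdefault(m.group(2), {})["client_result"] = m.group(1)
        elif (m := FETCH_RE.search(line)):
            entry = report.setdefault(m.group(1), {})
            counters = parse_counters(m.group(5))
            entry["fetch_seconds"] = float(m.group(3))
            entry["qrysent"] = counters.get("qrysent", 0)
            failures = {k: counters[k] for k in FAILURE_KEYS if counters.get(k)}
            entry["dominant_failure"] = max(failures, key=failures.get) if failures else None
    for entry in report.values():
        # RPZ stopped on a failed recursion result: the policy was never applied.
        entry["rpz_blocked_by_recursion"] = "rpz_stop_reason" in entry
    return report

if __name__ == "__main__":
    for name, entry in diagnose(SAMPLE).items():
        print(name, entry)
```
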