RPZ answer me NXDOMAIN for some domain

Mark Andrews marka at isc.org
Wed Mar 22 21:29:24 UTC 2023


'break-dnssec no' looks at the DO flag and whether the data to be returned is signed.  If DO is 1 and the data is signed
then the answer is not modified.  If DO is 0 then it is modified as the client cannot be performing DNSSEC validation on
the response and be expecting it to succeed for responses from signed zones.

‘break-dnssec yes’ ignores the DO flag and whether the data is signed.

This is designed to allow forwarded requests to get DNSSEC protection as you can have the policy on multiple servers in
the chain to serve plain clients.

> On 23 Mar 2023, at 00:28, Ondřej Surý <ondrej at isc.org> wrote:
> 
> 
>> On 22. 3. 2023, at 14:26, BONIN Nathanael <BONIN.N at mipih.fr> wrote:
>> 
>> If I add break-dnssec yes ; in my bind conf, it seems to work like I wanted to!!! Thanks.
> 
> +1
> 
>> But what I don’t understand is why, when I use directly SrvA (server that have RPZ zone), it works ?
> 
> That's something that's impossible to answer without seeing the full configuration (named-checkconf -px).
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> 
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
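As an added illustration of the setting discussed above (example configuration written for this page, not from the thread, the original poster's configuration or ISC documentation), here is a minimal named.conf for the server that holds the policy zone. The zone name rpz.local, the file name db.rpz.local and the blocked name blocked.example are placeholders. The comment on `break-dnssec` reflects the behaviour Mark describes: with the default `no`, a query carrying DO=1 for data from a signed zone is answered unmodified, and a validating forwarder in front of this server sends its queries with DO=1, so only direct queries from plain (DO=0) clients would see the rewrite.

```conf
// Added example, not part of the original post or of ISC's documentation.
// Placeholder names: rpz.local, db.rpz.local, blocked.example.

options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;

    // Default is "break-dnssec no": if the query has DO=1 and the
    // answer comes from a signed zone, RPZ leaves it untouched so a
    // validating client is not handed data that fails validation.
    // A resolver forwarding to this server sets DO=1 on its queries,
    // so the rewrite is only seen by direct DO=0 clients.
    // "break-dnssec yes" ignores DO and the signed state and rewrites
    // unconditionally; use it when the policy must apply to forwarders.
    response-policy {
        zone "rpz.local";
    } break-dnssec yes;
};

// The policy zone itself. It is consulted locally by the RPZ engine
// and should not be served to clients. ("type master" on older BIND.)
zone "rpz.local" {
    type primary;
    file "db.rpz.local";
    allow-query { none; };
};
```

The zone file db.rpz.local would carry a normal SOA and NS record plus the NXDOMAIN action records, which in RPZ are a CNAME to the root: `blocked.example CNAME .` and `*.blocked.example CNAME .`. To check which branch of the logic a server is taking, query it twice with dig, once with `+dnssec` (sets DO=1) and once with `+nodnssec` (DO=0): with `break-dnssec no` and a signed target zone only the DO=0 query returns NXDOMAIN, while with `break-dnssec yes` both do. Reload with `rndc reload` after changing the option.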


