On 8 March 2013 00:49, Vernon Schryver <v...@rhyolite.com> wrote:
> The RPZ log captures only information about response policy zone
> rewriting. A response policy zone is the same as every other local
> zone, so most problems with the zone itself are logged elsewhere.
>
> Depending on your ACLs, you can probe a response policy zone with `dig`
> or other tools just as you would any other local zone. Because I
> also have a local policy zone named drop.rpz.spamhaus.org,
> `dig 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org`
> gives me an ANSWER section of
> 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org. 300 IN CNAME .
> I chose that domain after looking at
> named-compilezone -j -f raw -F text -o- drop.rpz.spamhaus.org
> drop.rpz.spamhaus.org | head -4
>
> I would try to diagnose this problem the same as other zone transfer
> problems. If a simple TCP request like
> `dig +vc 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org @199.168.90.51`
> fails, then I'd look for the usual TCP problems such as firewalls.
> I'd also check that Spamhaus has authorized the local IP address that
> I'm actually using, perhaps as opposed to the IP address I requested.
>
> However, in recent days I have seen manual attempts to resolve
> individual zen.spamhaus.org domains time out. There are also a few
> 'timed out' entries in my current xfer log including at 25-Feb-2013 09:11,
> 07-Mar-2013 22:02, 07-Mar-2013 23:17, and 08-Mar-2013 00:17 GMT.
> There are zillions of successful transfers, and the last was at
> 07-Mar-2013 23:11.

I'm having the same issues with zone transfers timing out, but I can perform queries directly to the RPZ servers, so there is nothing wrong from the network/firewall side of things.

sjcarr@elmo:~ $ dig +vc 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org @199.168.90.51

; <<>> DiG 9.8.3-P1 <<>> +vc 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org @199.168.90.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13663
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org. IN A

;; ANSWER SECTION:
1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org. 0 IN CNAME .

;; Query time: 100 msec
;; SERVER: 199.168.90.51#53(199.168.90.51)
;; WHEN: Fri Mar 8 00:56:46 2013
;; MSG SIZE rcvd: 77

I'm currently in discussion with Spamhaus RPZ team but so far they can't seem to find any problems on their side.

Steve
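
Added example, not part of either message and not BIND's own tooling: a shell/awk summary of a BIND xfer-in log that counts, per zone and master, successful transfers, timeouts while connecting, and timeouts while receiving, with the time of the last success and last timeout. The log lines, the zone name rpz.example and the masters 192.0.2.53 and 198.51.100.53 are constructed, and the log channel is assumed to have print-time, print-category and print-severity enabled.

```shell
#!/bin/sh
# Added example: summarise inbound zone-transfer outcomes from a BIND xfer-in log.
# Assumption: the channel logs with print-time, print-category and print-severity.

# Constructed sample lines (documentation addresses, hypothetical zone name).
sample_xfer_log() {
cat <<'EOF'
01-Jan-2013 10:00:05.100 xfer-in: info: transfer of 'rpz.example/IN' from 192.0.2.53#53: Transfer completed: 1 messages, 12 records, 402 bytes, 0.110 secs (3654 bytes/sec)
01-Jan-2013 10:15:40.200 xfer-in: error: transfer of 'rpz.example/IN' from 192.0.2.53#53: failed while receiving responses: timed out
01-Jan-2013 10:30:05.300 xfer-in: info: transfer of 'rpz.example/IN' from 192.0.2.53#53: Transfer completed: 1 messages, 12 records, 402 bytes, 0.110 secs (3654 bytes/sec)
01-Jan-2013 10:45:40.400 xfer-in: error: transfer of 'rpz.example/IN' from 192.0.2.53#53: failed while receiving responses: timed out
01-Jan-2013 10:50:00.000 xfer-in: error: transfer of 'rpz.example/IN' from 198.51.100.53#53: failed to connect: timed out
01-Jan-2013 10:51:00.000 general: info: reloading configuration succeeded
EOF
}

# Reads log lines from the named file(s) or from stdin.
# Output, tab-separated, one line per zone and master:
# zone, master, ok, connect_timeouts, receive_timeouts, other_failures, last_ok, last_timeout
xfer_summary() {
    awk -v q="'" '
    index($0, "xfer-in:") && index($0, "transfer of " q) {
        ts = $1 " " substr($2, 1, 5)                 # date plus HH:MM
        rest = substr($0, index($0, q) + 1)          # text after the opening quote
        zone = substr(rest, 1, index(rest, q) - 1)   # e.g. rpz.example/IN
        sub(/\/IN$/, "", zone)
        master = substr(rest, index(rest, " from ") + 6)
        sub(/#.*/, "", master)                       # drop "#port: message"
        key = zone "\t" master
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (index(rest, "Transfer completed")) { ok[key]++; last_ok[key] = ts }
        # TCP connection never came up: look at routing, firewalls, source address
        else if (index(rest, "failed to connect: timed out")) { tc[key]++; last_to[key] = ts }
        # connected, then the transfer stalled before it finished
        else if (index(rest, "timed out")) { tr[key]++; last_to[key] = ts }
        else if (index(rest, "failed")) { other[key]++ }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            printf "%s\t%d\t%d\t%d\t%d\t%s\t%s\n", k, ok[k], tc[k], tr[k], other[k],
                (k in last_ok) ? last_ok[k] : "-", (k in last_to) ? last_to[k] : "-"
        }
    }' "$@"
}

sample_xfer_log | xfer_summary
```

To run it against a real log, pass the xfer log path as the argument to `xfer_summary` instead of piping in the sample.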