Hi,

Look for break-dnssec in
https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 22. 3. 2023, at 12:52, BONIN Nathanael <boni...@mipih.fr> wrote:
> 
> 
> Hi there,
>  
> We have been using an RPZ zone for some time now, but recently we found a weird 
> behavior with some domains. Let me explain!
>
> We have 2 NS servers: a recursive one (let’s call it SrvA) and one behind it 
> (let’s call it SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA.
>  
> If we took a little diagram, we have :
>  
> User ===== > SrvB ===== > SrvA ===== > Internet
>  
> If we create an A record tatata.google.com / 2.3.4.5 (that doesn’t exist at 
> google.com) on RPZ zone :
>  
> On SrvA with : dig @localhost tatata.google.com we got IP : 2.3.4.5 => GREAT !
> On SrvB with : dig @localhost tatata.google.com (that point on SrvA), we got 
> IP : 2.3.4.5 => WONDERFUL !
>  
> BUT
>  
> If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t 
> exist at biopyrenees.net) on RPZ zone :
>  
> On SrvA with : dig @localhost sri.biopyrenees.net, we got IP : 3.4.5.6 => 
> YOUPI !
> On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN => 
> WHATTTT ?
>  
> Why for some domain, the RPZ isn’t working ?
>  
> An example of what I wrote in my RPZ zone:
>  
> tatata.google.com                       A       2.3.4.5
> sri.biopyrenees.net                     A      3.4.5.6
>  
> Is it normal ? Is there a way to have the good answer on my SrvB ?
>  
> With tcpdump, I see the same behavior with a record that works and with the 
> record that doesn’t work…
>  
> Thanks for your help.
>  
> Nath. 
>  
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
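
The option the reply points to, as a `named.conf` fragment for the server that holds the RPZ (SrvA in the question). This is an added example, not configuration from the thread; the zone name `rpz.example` and the file name `db.rpz.example` are placeholders.

```conf
// named.conf on SrvA (the recursive server that loads the RPZ).
// "rpz.example" and "db.rpz.example" are placeholder names.

zone "rpz.example" {
    type primary;
    file "db.rpz.example";
};

options {
    recursion yes;

    // Default (break-dnssec no): a policy record is applied only when the
    // query does not ask for DNSSEC data (DO=0) or the original name has
    // no DNSSEC records. A query with DO=1 for a name under a signed zone
    // gets the real answer, which for a nonexistent name is NXDOMAIN.
    //
    // response-policy { zone "rpz.example"; };

    // break-dnssec yes: apply policy records regardless of DNSSEC.
    response-policy {
        zone "rpz.example";
    } break-dnssec yes;
};

// Check on SrvA by comparing a query without and with the DO bit:
//   dig @localhost sri.biopyrenees.net A
//   dig @localhost sri.biopyrenees.net A +dnssec
```

A rewritten answer carries no valid signatures, so a downstream resolver that validates DNSSEC can still reject it for a name under a signed zone.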
