This works great! Thanks, Matt
On Sat, Apr 8, 2023 at 1:35 PM Ondřej Surý <ond...@isc.org> wrote:

> Hi,
>
> time.in is currently broken - I am guessing this is the reason why you are
> trying to rewrite the answers.
>
> RPZ does try to resolve the name first, and it fails, so there’s nothing
> to rewrite.
>
> See the documentation
> https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy
> on qname-wait-recurse and break-dnssec to turn off the default behavior.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 8. 4. 2023, at 16:32, Matthew Gomez <magome...@gmail.com> wrote:
>
> > Hi, has anyone run into this before? It looks like a bug to me.
> >
> > Summary
> >
> > RPZ Returns a servfail when the trigger is "time.in"
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used>BIND version used
> >
> > BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#steps-to-reproduce>Steps to reproduce
> >
> > Configure a RPZ rule with the trigger as time.in (the action does not
> > seem to matter, I tried both CNAME . and A 1.1.1.1 both fail)
> > Try to resolve time.in against the bind server using dig, nslookup, etc
> > a servfail is returned
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-current-bug-behavior>What is the current *bug* behavior?
> >
> > Bind returns a servfail when the trigger for an RPZ rule is "time.in"
> > RPZ works as expected for "tim.in" and "time.ind"
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-expected-correct-behavior>What is the expected *correct* behavior?
> >
> > Bind should return the expected action (nxdomain, A record rewrite, etc)
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-configuration-files>Relevant configuration files
> >
> > RPZ Zone File
> >
> > $TTL 86400
> > @ IN SOA localhost. root.localhost. (
> >         12      ; Serial
> >         604800  ; Refresh
> >         86400   ; Retry
> >         2419200 ; Expire
> >         86400 ) ; Negative Cache TTL
> > ;
> > @ IN NS localhost.
> >
> > time.in CNAME .
> >
> > named.conf.local snippet
> >
> > zone "rpz.local" {
> >     type master;
> >     file "/var/lib/bind/rpz.local";
> >     allow-query { localhost; };
> >     allow-transfer { 1.1.1.1; };
> >     also-notify { 1.1.1.1; };
> > };
> >
> > named.conf.options snippet
> >
> > //enable response policy zone.
> > response-policy { zone "rpz.local"; };
> >
> > <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-logs-andor-screenshots>Relevant logs and/or screenshots
> >
> > dig time.in @127.0.0.1
> >
> > ; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 1232
> > ; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
> > ;; QUESTION SECTION:
> > ;time.in. IN A
> >
> > ;; Query time: 292 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> > ;; WHEN: Fri Apr 07 10:29:27 EDT 2023
> > ;; MSG SIZE rcvd: 64
> >
> > LOG
> > Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > from this list
> >
> > ISC funds the development of this software with paid support
> > subscriptions. Contact us at https://www.isc.org/contact/ for more
> > information.
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
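The two options named in the quoted reply, placed on the `response-policy` statement from the report. This is an added example, not configuration posted by anyone in the thread; the thread does not say which option was actually changed, and the enclosing `options { }` block is assumed from the file name `named.conf.options`.

```conf
// named.conf.options (added example; zone name taken from the quoted report)
options {
    // Default behaviour (what the report shows):
    //   response-policy { zone "rpz.local"; };
    // With qname-wait-recurse left at its default of yes, named finishes
    // recursion for the query name before it evaluates QNAME triggers.
    // When recursion itself fails, the client gets SERVFAIL and the
    // "time.in CNAME ." rule is never applied.

    response-policy {
        zone "rpz.local";
    }
    // Uncomment to also rewrite answers for clients that request DNSSEC
    // records (DO=1) when the real name is signed. Validating clients will
    // then treat the rewritten answer as bogus.
    //   break-dnssec yes
    // Apply QNAME triggers without waiting for recursion to finish.
    // Trade-off: policy answers return without the usual recursion delay,
    // which can reveal to the client that rewriting is in use.
    qname-wait-recurse no;
};

// Check and load the change, then repeat the query from the report:
//   named-checkconf
//   rndc reconfig
//   dig time.in @127.0.0.1
// For a "CNAME ." action the expected status is NXDOMAIN instead of SERVFAIL.
```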