Hi Greg, thank you for your answer.
I use RPZ as follows:

response-policy { zone "rpz"; }
                               break-dnssec yes
                               recursive-only no
                               qname-wait-recurse no;
};
Regards Sami

From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Wednesday, 12 July 2023 10:07
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: extended dns error

Hi Sami.
In the "response-policy" block in your config, what (if anything) is the value 
of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the 
defaults and see what it is; probably "yes".

This parameter controls whether RPZ waits until successful recursion has 
finished before it rewrites the response, according to the matching rule in the 
RPZ zone.
If there is no successful response from recursion then RPZ has nothing to 
rewrite, so your server's response to its client will be SERVFAIL.

It looks like your server cannot resolve cadyst.com/A for some reason, which 
would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152

Maybe you have some other issue with your resolver?

Cheers, Greg

On Wed, 12 Jul 2023 at 09:26, <sami.ra...@sofrecom.com> wrote:
Hello
Thank you for your answer. Yes, we will plan a migration to version 9.18.
Now I have activated "error log" to find the cause of a SERVFAIL error; here is 
the result.

11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop 
on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for 
cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at 
resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success 
[domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Regards Sami


Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking <matth...@isc.org>
To: bind-users@lists.isc.org
Subject: Re: extended dns error

Upgrade to 9.18, because 9.16 does not support extended DNS errors.

See

https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20

For which errors are supported.

Best regards, Matthijs

On 7/11/23 11:10, sami.ra...@sofrecom.com wrote:
> Hello community
>
> I want to use "extended dns error" option on my recursive dns server.
> What config changes are required to enable EDE?
>
> I am using BIND 9.16.42 as recursive server.
>
> Regards Sami
>
>


_______________________________________________
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


------------------------------

End of bind-users Digest, Vol 4279, Issue 3
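
The log check discussed in this thread, as an added example (not part of any poster's message and not ISC code): a small Python script that parses the query-errors lines quoted above and reports whether recursion failed before RPZ had anything to rewrite. The regular expressions and the `triage` and `verdict` functions are assumptions written against those three lines only.

```python
import re

# The three query-errors lines from the thread, with mail line wraps rejoined.
SAMPLE_LOG = """\
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# Patterns written against the lines above only (assumption: other BIND
# versions or log categories may format these messages differently).
RPZ_STOP = re.compile(r"rpz \w+ rewrite (\S+) stop on qresult in rpz_rewrite\(\): (.+)$")
QUERY_FAILED = re.compile(r"query failed \((.+?)\) for (\S+)/IN/(\w+) at")
FETCH_DONE = re.compile(r"fetch completed at \S+ for (\S+)/(\w+) in ([\d.]+): (.+?) \[(.+)\]$")

def triage(log_text):
    """Collect, per query name, what the query-errors lines say about a failure."""
    report = {}
    for line in log_text.splitlines():
        if "query-errors:" not in line:
            continue
        if m := RPZ_STOP.search(line):
            name, key, value = m.group(1), "rpz_stop", m.group(2)
        elif m := QUERY_FAILED.search(line):
            name, key, value = m.group(2), "query_failed", m.group(1)
        elif m := FETCH_DONE.search(line):
            # The bracketed tail is comma-separated key:value pairs.
            fields = dict(kv.split(":", 1) for kv in m.group(5).split(",") if ":" in kv)
            value = {"elapsed": float(m.group(3)), "result": m.group(4),
                     "counters": {k: int(v) for k, v in fields.items() if v.isdigit()}}
            name, key = m.group(1), "fetch"
        else:
            continue
        report.setdefault(name.rstrip("."), {})[key] = value
    return report

def verdict(entry):
    """Say whether recursion failed before RPZ had an answer to rewrite."""
    timeouts = entry.get("fetch", {}).get("counters", {}).get("timeout", 0)
    if entry.get("rpz_stop") == "timed out" and timeouts:
        return "recursion timed out before RPZ rewrite"
    if entry.get("rpz_stop"):
        return "recursion failed before RPZ rewrite: " + entry["rpz_stop"]
    return "no RPZ stop logged"

if __name__ == "__main__":
    for name, entry in triage(SAMPLE_LOG).items():
        c = entry.get("fetch", {}).get("counters", {})
        print(name, "->", verdict(entry), f"(sent={c.get('qrysent')}, timeouts={c.get('timeout')})")
```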