Hi Greg,

Thank you for your answer.

I use RPZ as follows:

response-policy { zone "rpz"; }
    break-dnssec yes
    recursive-only no
    qname-wait-recurse no;
};

Regards
Sami

From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Wednesday, 12 July 2023 10:07
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>
Cc: bind-users@lists.isc.org
Subject: Re: extended dns error

Hi Sami.

In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"? If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes".

This parameter controls whether RPZ waits until successful recursion has finished before it rewrites the response, according to the matching rule in the RPZ zone. If there is no successful response from recursion then RPZ has nothing to rewrite, so your server's response to its client will be SERVFAIL.

It looks like your server cannot resolve cadyst.com/A for some reason, which would explain what gets sent back to the client. However, it resolves fine for me:

cadyst.com.    908    IN    A    146.59.209.152

Maybe you have some other issue with your resolver?

Cheers, Greg

On Wed, 12 Jul 2023 at 09:26, <sami.ra...@sofrecom.com> wrote:

Hello

Thank you for your answer. Yes, we will plan a migration to version 9.18.

Now I have activated "error log" to have the cause of a servfail error; here is the result.

11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Regards
Sami

Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking <matth...@isc.org>
To: bind-users@lists.isc.org
Subject: Re: extended dns error
Message-ID: <6f5bb3dc-ddf0-873c-c630-fa89fe260...@isc.org>
Content-Type: text/plain; charset=UTF-8; format=flowed

Upgrade to 9.18, because 9.16 does not support extended DNS errors. See

https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20

for which errors are supported.

Best regards,

Matthijs

On 7/11/23 11:10, sami.ra...@sofrecom.com wrote:
> Hello community
>
> I want to use "extended dns error" option on my recursive dns server.
> What config changes are required to enable EDE?
>
> I am using BIND 9.16.42 as recursive server.
>
> Regards
> Sami
>
>

------------------------------

Subject: Digest Footer

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------------------------------

End of bind-users Digest, Vol 4279, Issue 3
*******************************************