On 12/11/23 18:47, Blason R wrote:
> Oh I forgot to tell you that. This is BIND RPZ and all the queries are
> recursive.

Okay, what RPZ configuration do you have? Is it messing with the
queries you're testing in any way?

What configuration do you have for RPZ related to DNSSEC?

> Dig output just dies out and does not spit anything.

Please elaborate on "just dies". Does the dig abort / terminate / fail
and immediately return you to a command prompt? Or does it simply take
longer than you are allowing it to run?

What happens if you allow dig to run for 5-8 minutes? It should time out
sometime long before 8 minutes and print something germane to the terminal.

I think that a network sniffer while running dig tests above is a very
helpful thing. #trustTheBitsOnTheWire

> And this specifically I noticed with .gov and .gov.in
> domain. This is the reason I think it might be related with DNSSEC.

RPZ and DNSSEC have an interesting relationship.

What happens if you do a `\dig +trace` on the name you're testing?
N.B. the leading backslash is important to disable any local shell aliasing.

Also, `which dig` to confirm that you are running the binary that you
think you are running.

> Also wanted to understand overall how do I debug any queries.

Something somewhere will give you diagnostically relevant data. You
need to find it and understand it. Even strace / dtrace on dig will be
helpful at times.

There's a possibility that there is a missing library and dig can't even
run. But that's unlikely -- but not impossible -- with dig installed
via standard repo commands.

--
Grant. . . .
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
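
The following is an added example, not part of the message above and not code from BIND: a small POSIX shell triage that separates "dig could not run", "resolver never replied" and "resolver replied SERVFAIL", and for SERVFAIL repeats the query with checking disabled to see whether DNSSEC validation is the likely cause. The function names, the `DIG` override and the result labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Turns "dig just dies" into one of a few
# concrete outcomes for a recursive query sent to a given resolver.
# Assumption: DIG names the dig binary (overridable, e.g. with a stub for tests).
DIG=${DIG:-dig}

# Run one bounded query; print "<dig exit code> <RCODE or ->".
run_query() {   # usage: run_query <server> <name> [extra dig options]
    server=$1; name=$2; shift 2
    rc=0
    # +time/+tries bound the wait so a silent resolver cannot look like a hang.
    out=$("$DIG" "@$server" "$name" +time=5 +tries=1 "$@" 2>&1) || rc=$?
    # RCODE comes from dig's header line: ";; ->>HEADER<<- ... status: X, id: N"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "$rc ${status:--}"
}

classify() {   # usage: classify <server> <name>
    c_server=$1; c_name=$2
    set -- $(run_query "$c_server" "$c_name")
    case $1 in
        0) ;;                                # dig got a response; look at the RCODE
        9) echo "no-reply"; return 0 ;;      # dig(1): exit 9 = no reply from server
        *) echo "dig-error-$1"; return 0 ;;  # e.g. 127: binary missing or unrunnable
    esac
    if [ "$2" != SERVFAIL ]; then
        echo "answered-$2"; return 0
    fi
    # SERVFAIL: repeat with the CD (checking disabled) bit set. If that query
    # succeeds, the resolver's DNSSEC validation is the likely point of failure.
    set -- $(run_query "$c_server" "$c_name" +cdflag)
    if [ "$1" = 0 ] && [ "$2" = NOERROR ]; then
        echo "servfail-validation-suspected"
    else
        echo "servfail-other"
    fi
}

# Stand-alone use: script.sh <resolver-address> <query-name>
if [ $# -eq 2 ]; then classify "$1" "$2"; fi
```

Running it while a packet capture is active on the resolver lets each outcome be matched against what was actually sent and received.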