On 12/11/23 18:47, Blason R wrote:
Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive.

Okay, what RPZ configuration do you have? Is it messing with the queries you're testing in any way?

What configuration do you have for RPZ related to DNSSEC?

Dig output just dies out and does not spit anything.

Please elaborate on "just dies". Does the dig abort / terminate / fail and immediately return you to a command prompt? Or does it simply take longer than you are allowing it to run?

What happens if you allow dig to run for 5-8 minutes? It should time out sometime long before 8 minutes and print something germane to the terminal.

I think that a network sniffer while running dig tests above is a very helpful thing. #trustTheBitsOnTheWire

And this specifically I noticed with .gov and .gov.in domain. This is the reason I think it might be related with DNSSEC.

RPZ and DNSSEC have an interesting relationship.

What happens if you do a `\dig +trace` on the name you're testing?

N.B. the leading backslash is important to disable any local shell aliasing.

Also, `which dig` to confirm that you are running the binary that you think you are running.

Also wanted to understand overall how do I debug any queries.

Something somewhere will give you diagnostically relevant data. You need to find it and understand it. Even strace / dtrace on dig will be helpful at times.

There's a possibility that there is a missing library and dig can't even run. But that's unlikely -- but not impossible -- with dig installed via standard repo commands.



--
Grant. . . .

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
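
Added example, not part of the message above or of anyone's code in the thread: one way to turn "dig just dies" into a concrete verdict from saved dig output. It goes slightly beyond the thread by comparing a normal query with the same query sent with `+cd` (checking disabled), a common heuristic for spotting resolver-side DNSSEC validation failures. The function names, `name.example`, `127.0.0.1` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Turns saved dig output into a verdict.
# Capture the two runs first (name.example and 127.0.0.1 are placeholders):
#   \dig +time=5 +tries=1 @127.0.0.1 name.example A      > normal.txt 2>&1
#   \dig +time=5 +tries=1 +cd @127.0.0.1 name.example A  > cd.txt 2>&1

# Print the RCODE from dig's header line, TIMEOUT if dig reached no server,
# or NONE if the output has neither (for example dig failed to start).
dig_status() {
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$rcode" ]; then
        echo "$rcode"
    elif printf '%s\n' "$1" | grep -q 'no servers could be reached'; then
        echo TIMEOUT
    else
        echo NONE
    fi
}

# Compare the normal answer with the +cd (checking disabled) answer.
# SERVFAIL normally but NOERROR with +cd points at DNSSEC validation (heuristic).
classify() {
    normal=$(dig_status "$1")
    nocheck=$(dig_status "$2")
    case "$normal/$nocheck" in
        SERVFAIL/NOERROR) echo "validation-suspected" ;;
        TIMEOUT/*|NONE/*) echo "no-answer:$normal" ;;
        NOERROR/NOERROR)  echo "resolves" ;;
        *)                echo "other:$normal/$nocheck" ;;
    esac
}

# Constructed sample output, trimmed to the lines the functions read.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; communications error to 127.0.0.1#53: timed out
;; no servers could be reached'

classify "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR"   # validation-suspected
classify "$SAMPLE_TIMEOUT" "$SAMPLE_TIMEOUT"    # no-answer:TIMEOUT
```

A `no-answer` verdict is the case where a packet capture taken during the dig run is the next step, since the saved output alone cannot say where the query or reply was lost.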