On 12/11/23 18:47, Blason R wrote:
> Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive.
Okay, what RPZ configuration do you have?  Is it messing with the 
queries you're testing in any way?
What configuration do you have for RPZ related to DNSSEC?

> Dig output just dies out and does not spit anything.
Please elaborate on "just dies".  Does the dig abort / terminate / fail 
and immediately return you to a command prompt?  Or does it simply take 
longer than you are allowing it to run?
What happens if you allow dig to run for 5-8 minutes?  It should time out 
sometime long before 8 minutes and print something germane to the terminal.
I think that a network sniffer while running dig tests above is a very 
helpful thing.  #trustTheBitsOnTheWire
> And this specifically I noticed with .gov and .gov.in domain. This is the reason I think it might be related with DNSSEC.
RPZ and DNSSEC have an interesting relationship.

What happens if you do a `\dig +trace` on the name you're testing?

N.B. the leading backslash is important to disable any local shell aliasing.

Also, `which dig` to confirm that you are running the binary that you think you are running.
> Also wanted to understand overall how do I debug any queries.
Something somewhere will give you diagnostically relevant data.  You 
need to find it and understand it.  Even strace / dtrace on dig will be 
helpful at times.
There's a possibility that there is a missing library and dig can't even 
run.  But that's unlikely -- but not impossible -- with dig installed 
via standard repo commands.


--
Grant. . . .
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
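
The checks suggested in the message above (does dig time out or get an error answer, which binary is running, is DNSSEC validation involved), as an added shell example that is not part of the original message or of BIND. The resolver address and query name are caller-supplied placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: bounded dig probes that tell "no reply" apart from
# "answered with an error", then compare against a +cd lookup.

# Map a dig exit status and its output to one diagnostic label.
# dig exits 9 when no server replied; 0 means a response was parsed.
classify_dig() {
    rc=$1 out=$2
    case "$rc" in
        9) echo timeout; return ;;
        0) ;;
        *) echo "dig-error-$rc"; return ;;
    esac
    status=$(printf '%s\n' "$out" |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${status:-unparsed}"
}

# SERVFAIL that becomes NOERROR with checking disabled (+cd) points at
# DNSSEC validation on the resolver rather than at reachability.
compare_cd() {
    normal=$1 cd=$2
    if [ "$normal" = SERVFAIL ] && [ "$cd" = NOERROR ]; then
        echo dnssec-validation-suspected
    elif [ "$normal" = "$cd" ]; then
        echo "same-result-$normal"
    else
        echo "differs-$normal-$cd"
    fi
}

# Probe resolver $1 for name $2; each lookup gives up after about 6 s.
# "command dig" has the same intent as the leading backslash: no alias.
probe() {
    server=$1 name=$2
    rc=0; out=$(command dig +time=3 +tries=2 "@$server" "$name" A 2>&1) || rc=$?
    normal=$(classify_dig "$rc" "$out")
    rc=0; out=$(command dig +time=3 +tries=2 +cd "@$server" "$name" A 2>&1) || rc=$?
    cdres=$(classify_dig "$rc" "$out")
    echo "normal=$normal cd=$cdres verdict=$(compare_cd "$normal" "$cdres")"
}

# Usage: sh probe.sh <resolver-ip> <name>   (both are placeholders)
if [ $# -eq 2 ]; then
    command -v dig    # show which dig binary is actually being run
    probe "$1" "$2"
fi
```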