Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Mark Andrews
'break-dnssec no' looks at the DO flag and whether the data to be returned is signed. If DO is 1 and the data is signed then the answer is not modified. If DO is 0 then it is modified as the client cannot be performing DNSSEC validation on the response and be expecting it to succeed for respons

RE: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread BONIN Nathanael
> That's something that's impossible to answer without seeing the full configuration (named-checkconf -px).

The full config here: https://pastebin.com/CwWFq73G

Thanks.

Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Ondřej Surý
> On 22. 3. 2023, at 14:26, BONIN Nathanael wrote:
>
> If I add break-dnssec yes ; in my bind conf, it seems to work like I wanted to!!! Thanks.

+1

> But what I don’t understand is why, when I use directly SrvA (server that has RPZ zone), it works?

That's something that's impossible

RE: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread BONIN Nathanael
j Surý
Sent: Wednesday, 22 March 2023 14:12
To: BONIN Nathanael
Cc: bind-users@lists.isc.org
Subject: Re: RPZ answer me NXDOMAIN for some domain

Hi, look for break-dnssec in https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting

-- Ondřej Surý — ISC (He/Him) My w

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Greg Choules via bind-users
Hi Nath. What have you got on SrvB for biopyrenees.net, or net? On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now. Cheers, Greg On Wed, 22 Mar 2023 a

Re: RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread Ondřej Surý
Hi, look for break-dnssec in https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 22. 3. 20

RPZ answer me NXDOMAIN for some domain

2023-03-22 Thread BONIN Nathanael
Hi there, We have been using an RPZ zone for some time now, but recently we found a weird behavior from some domains. Let me explain! We have 2 NS servers: a recursive one (let's call him SrvA) and one behind (let's call him SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA. If we took a lit