Hi Nath. What have you got on SrvB for biopyrenees.net, or net? On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the actual address rather than "localhost") and paste the full result here. I am interested in flags and the query time right now.
Cheers, Greg On Wed, 22 Mar 2023 at 11:52, BONIN Nathanael <boni...@mipih.fr> wrote: > Hi there, > > > > We are using RPZ zone for some times now, but recently we found a weird > behavior from some domains. Let me explain ! > > > > We have 2 NS server : Recursive one (let’s call him SrvA) and one bebind > (let’s call him SrvB, with global forwarder : SrvA ). My RPZ zone is on > SrvA. > > > > If we took a little diagram, we have : > > > > User ===== > SrvB ===== > SrvA ===== > Internet > > > > If we create an A record tatata.google.com / 2.3.4.5 (that doesn’t exist > at google.com) on RPZ zone : > > > > - On SrvA with : dig @localhost tatata.google.com we got IP : 2.3.4.5 > => GREAT ! > - On SrvB with : dig @localhost tatata.google.com (that point on > SrvA), we got IP : 2.3.4.5 => WONDERFUL ! > > > > BUT > > > > If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t > exist at biopyrenees.net) on RPZ zone : > > > > - On SrvA with : dig @localhost sri.biopyrenees.net, we got IP : > 3.4.5.6 => YOUPI ! > - On SrvB with : dig @localhost sri.biopyrenees.net, we got : NXDOMAIN > => WHATTTT ? > > > > Why for some domain, the RPZ isn’t working ? > > > > An exemple of what I wrote on my RPZ zone : > > > > tatata.google.com A 2.3.4.5 > > sri.biopyrenees.net A 3.4.5.6 > > > > Is it normal ? Is there a way to have the good answer on my SrvB ? > > > > With tcpdump, I see the same behavior with a record that works and with > the record that doesn’t work… > > > > Thanks for your help. > > > > Nath. > > > > > > > > > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users