Hi, has anyone run into this before? It looks like a bug to me.

Summary

RPZ Returns a servfail when the trigger is "time.in"

BIND version used <https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used>

BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)

Steps to reproduce

Configure an RPZ rule with the trigger as time.in (the action does not seem
to matter; I tried both CNAME . and A 1.1.1.1, and both fail).
Try to resolve time.in against the BIND server using dig, nslookup, etc.
A servfail is returned.

What is the current *bug* behavior?

BIND returns a servfail when the trigger for an RPZ rule is "time.in". RPZ
works as expected for "tim.in" and "time.ind".

What is the expected *correct* behavior?

BIND should return the expected action (nxdomain, A record rewrite, etc).

Relevant configuration files

RPZ Zone File

$TTL 86400
@ IN SOA localhost. root.localhost. (
        12      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
;
@ IN NS localhost.

time.in CNAME .

named.conf.local snippet

zone "rpz.local" {
        type master;
        file "/var/lib/bind/rpz.local";
        allow-query { localhost; };
        allow-transfer { 1.1.1.1; };
        also-notify { 1.1.1.1; };
};

named.conf.options snippet

//enable response policy zone.
response-policy {
        zone "rpz.local";
};

Relevant logs and/or screenshots

dig time.in @127.0.0.1

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)
;; QUESTION SECTION:
;time.in. IN A

;; Query time: 292 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Apr 07 10:29:27 EDT 2023
;; MSG SIZE rcvd: 64

LOG

Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at query.c:7775