I would certainly recommend reading the docs… especially the sections on break-dnssec and qname-wait-recurse.
-- Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

Admittedly, since I'm writing software to do "off label" stuff with DNS I make mistakes. But I have seen things along this line (interactions between RPZ and regular resolution in the context of "broken" domains): in some cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing RPZ.

I'll try to pay more attention and see if I can isolate a test case if the problem recurs. (I was kind of hoping someone would have a solution!)

--
Fred Morris

On Fri, 16 Jun 2023, Crist Clark wrote:
That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ
action. Something is wrong with your configuration.
On Fri, Jun 16, 2023 at 1:39 PM <[email protected]> wrote:
For monitoring reasons I try to change the return code of a domain name
from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of
BIND9.16.42 as follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work, I still have the message "SERVFAIL", is it
feasible or not please?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users