Hi Greg,
Thank you for your answer.
I use RPZ as follows:
response-policy { zone "rpz"; }
break-dnssec yes
recursive-only no
qname-wait-recurse no;
};
Regards Sami
From: Greg Choules <[email protected]>
Sent: Wednesday 12 July 2023 10:07
To: RAHAL Sami SOFRECOM <[email protected]>
Cc: [email protected]
Subject: Re: extended dns error
Hi Sami.
In the "response-policy" block in your config, what (if anything) is the value
of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the
defaults and see what it is; probably "yes".
This parameter controls whether RPZ waits until successful recursion has
finished before it rewrites the response, according to the matching rule in the
RPZ zone.
If there is no successful response from recursion then RPZ has nothing to
rewrite, so your server's response to its client will be SERVFAIL.
It looks like your server cannot resolve cadyst.com/A for some reason, which
would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152
Maybe you have some other issue with your resolver?
Cheers, Greg
On Wed, 12 Jul 2023 at 09:26, <[email protected]> wrote:
Hello
Thank you for your answer. Yes, we will plan a migration to version 9.18.
Now I have activated the "error log" to find the cause of the SERVFAIL error; here
is the result.
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250
127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop
on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250
127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for
cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at
resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success
[domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
Regards Sami
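The three query-errors lines above say the same thing in three ways: the fetch for cadyst.com/A ran for ten seconds, five of six upstream queries timed out, and RPZ stopped only because recursion returned nothing to rewrite. The small triage script below is an added example (not from the thread or from BIND itself) that parses lines of this shape and correlates the "rpz QNAME rewrite ... stop on qresult" message with the "fetch completed" counters for the same name, so that a SERVFAIL caused by upstream resolution failure is reported as such instead of being mistaken for a policy-zone problem. The sample log is constructed from the lines in the thread plus one extra made-up name (slow.example); the regular expressions assume the BIND 9.16 debug message layout shown here and may need adjusting for other versions.

```python
"""Triage BIND 'query-errors' debug lines: tell an RPZ policy problem apart
from a recursion failure that RPZ merely reports."""
import re
from dataclasses import dataclass

# Constructed sample: the cadyst.com lines from the thread, each re-joined onto
# one line as named writes them, plus a made-up second name for comparison.
SAMPLE_LOG = """\
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
11-Jul-2023 10:40:02.001 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#40011 (slow.example): view default: rpz QNAME rewrite slow.example stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:40:02.001 query-errors: debug 4: fetch completed at resolver.c:4983 for slow.example/AAAA in 10.000231: timed out/success [domain:slow.example,referral:1,restart:2,qrysent:4,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# "fetch completed at <file:line> for <name>/<type> in <secs>: <result>/<vresult> [k:v,...]"
FETCH_RE = re.compile(
    r"fetch completed at \S+ for (?P<name>\S+?)/(?P<qtype>\S+) in "
    r"(?P<secs>[\d.]+): (?P<result>[^/]+)/(?P<vresult>\S+) \[(?P<stats>[^\]]*)\]"
)
# "rpz QNAME rewrite <name> stop on qresult in rpz_rewrite(): <reason>"
RPZ_STOP_RE = re.compile(
    r"rpz QNAME rewrite (?P<name>\S+) stop on qresult in rpz_rewrite\(\): (?P<reason>.+)$"
)


@dataclass
class FetchStats:
    name: str
    qtype: str
    seconds: float
    result: str       # resolver outcome, e.g. "timed out" or "success"
    counters: dict    # the bracketed k:v block, numeric values as int


def parse_fetch(line: str):
    """Return FetchStats for a 'fetch completed' line, or None for other lines."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    counters = {}
    for item in m["stats"].split(","):
        key, _, value = item.partition(":")
        counters[key] = int(value) if value.isdigit() else value
    return FetchStats(m["name"], m["qtype"], float(m["secs"]), m["result"], counters)


def parse_rpz_stop(line: str):
    """Return (name, reason) for an RPZ 'stop on qresult' line, or None."""
    m = RPZ_STOP_RE.search(line)
    return (m["name"], m["reason"]) if m else None


def diagnose(log_text: str) -> dict:
    """Correlate RPZ stop lines with fetch statistics; return {qname: verdict}."""
    stops, fetches = {}, {}
    for line in log_text.splitlines():
        stop = parse_rpz_stop(line)
        if stop:
            stops[stop[0]] = stop[1]
            continue
        fetch = parse_fetch(line)
        if fetch:
            fetches[fetch.name] = fetch

    verdicts = {}
    for name, reason in stops.items():
        fetch = fetches.get(name)
        if fetch is None:
            verdicts[name] = f"RPZ stopped ({reason}) but no matching fetch record found"
        elif fetch.result == reason:
            # RPZ reports the same outcome as the resolver: recursion failed
            # first, and the policy zone never got a response to rewrite.
            c = fetch.counters
            verdicts[name] = (
                f"recursion failure, not a policy problem: {fetch.qtype} lookup "
                f"{reason} after {fetch.seconds:.1f}s, {c.get('timeout', 0)} of "
                f"{c.get('qrysent', 0)} upstream queries timed out"
            )
        else:
            verdicts[name] = f"RPZ stopped ({reason}); fetch ended with {fetch.result}"
    return verdicts


if __name__ == "__main__":
    for qname, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{qname}: {verdict}")
```

Run against a real log with `diagnose(open("named.log").read())`; a verdict beginning "recursion failure" points the investigation at upstream reachability (the qrysent/timeout counters) rather than at the RPZ zone or the qname-wait-recurse setting.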
Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking <[email protected]>
To: [email protected]
Subject: Re: extended dns error
Message-ID:
<[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed
Upgrade to 9.18, because 9.16 does not support extended DNS errors.
See
https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20
for which errors are supported.
Best regards, Matthijs
On 7/11/23 11:10, [email protected] wrote:
> Hello community
>
> I want to use "extended dns error" option on my recursive dns server.
> What config changes are required to enable EDE?
>
> I am using BIND 9.16.42 as recursive server.
>
> Regards Sami
>
>
------------------------------
Subject: Digest Footer
_______________________________________________
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
------------------------------
End of bind-users Digest, Vol 4279, Issue 3
*******************************************