Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?

Vernon Schryver vjs at rhyolite.com
Fri Mar 8 00:49:02 UTC 2013


> From: pgbind9 at ml1.net

> i've registered my nameserver IP with spamhaus for use of its RPZ list;
> i've been approved for access.

> 	07-Mar-2013 13:26:25.657 xfer-in: error: transfer of
> 	'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53:
> 	failed to connect: timed out

> the RPZ log @ /var/log/bind-rpz.log is created on bind start, but is
> completely empty.

The RPZ log captures only information about response policy zone
rewriting.  A response policy zone is the same as every other local
zone, so most problems with the zone itself are logged elsewhere.

Depending on your ACLs, you can probe a response policy zone with `dig`
or other tools just as you would any other local zone.  Because I
also have a local policy zone named drop.rpz.spamhaus.org,
    `dig 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org`
gives me an ANSWER section of 
    1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org. 300 IN CNAME .
I chose that domain after looking at
    named-compilezone -j -f raw -F text -o- drop.rpz.spamhaus.org drop.rpz.spamhaus.org | head -4

I would try to diagnose this problem the same as other zone transfer
problems.  If a simple TCP request like
   `dig +vc 1.68.10.103.in-addr.arpa.drop.rpz.spamhaus.org @199.168.90.51`
fails, then I'd look for the usual TCP problems such as firewalls.
I'd also check that Spamhaus has authorized the local IP address that
I'm actually using, perhaps as opposed to the IP address I requested.

However, in recent days I have seen manual attempts to resolve
individual zen.spamhaus.org domains time out.  There are also a few
'timed out' entries in my current xfer log including at 25-Feb-2013 09:11,
07-Mar-2013 22:02, 07-Mar-2013 23:17, and 08-Mar-2013 00:17 GMT.
There are zillions of successful transfers, and the last was at
07-Mar-2013 23:11.


Vernon Schryver    vjs at rhyolite.com
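
An added example, not part of the original message and not BIND's own code: a small parser for `xfer-in` log lines that separates a zone/master pair that has never connected (the firewall or authorization case described above) from one that only times out occasionally among successful transfers. Apart from the first log line's zone, view, master address and error text, the sample lines are constructed, and the "Transfer completed" wording and the print-category/print-severity log layout are assumptions about the local logging configuration.

```python
import re
from collections import defaultdict

# Constructed sample; only the drop.rpz.spamhaus.org line mirrors the post.
SAMPLE_LOG = """\
07-Mar-2013 13:26:25.657 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: failed to connect: timed out
07-Mar-2013 14:01:10.112 xfer-in: info: transfer of 'example.rpz.test/IN/internal' from 192.0.2.53#53: Transfer completed: 1 messages, 12 records, 640 bytes, 0.120 secs (5333 bytes/sec)
07-Mar-2013 15:02:44.903 xfer-in: error: transfer of 'example.rpz.test/IN/internal' from 192.0.2.53#53: failed to connect: timed out
07-Mar-2013 16:03:09.377 xfer-in: info: transfer of 'example.rpz.test/IN/internal' from 192.0.2.53#53: Transfer completed: 1 messages, 14 records, 702 bytes, 0.098 secs (7163 bytes/sec)
07-Mar-2013 17:26:25.001 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: failed to connect: timed out
"""

# timestamp, category, severity, then "transfer of '<zone/class/view>' from <ip>#<port>: <message>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) xfer-in: \w+: transfer of '(?P<zone>[^']+)' "
    r"from (?P<master>[^#\s]+)#\d+: (?P<msg>.*)$"
)


def summarize(log_text):
    """Count outcomes per (zone, master); lines that do not match are skipped."""
    stats = defaultdict(lambda: {"ok": 0, "timeout": 0, "other": 0, "last_ok": None})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        s = stats[(m["zone"], m["master"])]
        if m["msg"].startswith("Transfer completed"):
            s["ok"] += 1
            s["last_ok"] = m["ts"]
        elif "timed out" in m["msg"]:
            s["timeout"] += 1
        else:
            s["other"] += 1
    return dict(stats)


def verdict(s):
    """Classify one (zone, master) entry from summarize()."""
    if s["timeout"] and not s["ok"]:
        return "never-connected"  # check firewall, source address, master-side authorization
    if s["timeout"]:
        return "intermittent"     # timeouts mixed with successful transfers
    return "no-timeouts"


if __name__ == "__main__":
    for (zone, master), s in sorted(summarize(SAMPLE_LOG).items()):
        print(zone, master, verdict(s), s)
```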
