Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?

Steven Carr sjcarr at
Fri Mar 8 01:04:35 UTC 2013

On 8 March 2013 00:49, Vernon Schryver <vjs at> wrote:
> The RPZ log captures only information about response policy zone
> rewriting.  A response policy zone is the same as every other local
> zone, so most problems with the zone itself are logged elsewhere.
> Depending on your ACLs, you can probe a response policy zone with `dig`
> or other tools just as you would any other local zone.  Because I
> also have a local policy zone named,
>     `dig`
> gives me an ANSWER section of
> 300 IN CNAME .
> I chose that domain after looking at
>     named-compilezone -j -f raw -F text -o- | head -4
> I would try to diagnose this problem the same as other zone transfer
> problems.  If a simple TCP request like
>    `dig +vc @`
> fails, then I'd look for the usual TCP problems such as firewalls.
> I'd also check that Spamhaus has authorized the local IP address that
> I'm actually using, perhaps as opposed to the IP address I requested.
> However, in recent days I have seen manual attempts to resolve
> individual domains time out.  There are also a few
> 'timed out' entries in my current xfer log including at 25-Feb-2013 09:11,
> 07-Mar-2013 22:02, 07-Mar-2013 23:17, and 08-Mar-2013 00:17 GMT.
> There are zillions of successful transfers, and the last was at
> 07-Mar-2013 23:11.

I'm having the same issues with zone transfers timing out, but I can
perform queries directly to the RPZ servers, so there is nothing wrong
from the network/firewall side of things.

sjcarr at elmo:~ $ dig +vc

; <<>> DiG 9.8.3-P1 <<>> +vc @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13663
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;	IN A


;; Query time: 100 msec
;; WHEN: Fri Mar  8 00:56:46 2013
;; MSG SIZE  rcvd: 77

I'm currently in discussion with Spamhaus RPZ team but so far they
can't seem to find any problems on their side.
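
Added example, not part of the original message and not BIND code: the "failed to connect: timed out" in the subject is reported at the TCP connect that starts a transfer, so this sketch repeats that connect from a chosen local source address and classifies the outcome, covering the "address I'm actually using" check from the quoted advice. The function and parameter names are hypothetical, and the demo talks only to a listener it creates on 127.0.0.1.

```python
import errno
import socket


def probe_xfr_path(master, source_ip=None, port=53, timeout=5.0):
    """Repeat the TCP connect a zone transfer starts with and classify it.

    source_ip pins the local address, as a transfer-source setting would;
    None lets the kernel choose, which is what a plain dig +vc does.
    """
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((master, port), timeout=timeout,
                                      source_address=src):
            return "connected"
    except (socket.timeout, TimeoutError):
        return "timed out"        # SYNs dropped: filter or routing on this path
    except ConnectionRefusedError:
        return "refused"          # host reachable, nothing listening on TCP
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "source address not local"
        return "error: %s" % (exc.strerror or exc)


def compare_sources(master, transfer_source, port=53, timeout=5.0):
    """Probe once from the default address and once from transfer_source."""
    default = probe_xfr_path(master, None, port, timeout)
    pinned = probe_xfr_path(master, transfer_source, port, timeout)
    return {"default": default, "pinned": pinned, "agree": default == pinned}


if __name__ == "__main__":
    # Constructed stand-in for a master: a listener on loopback, so the
    # demo runs offline. Replace with the real master and local addresses.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    print(compare_sources("127.0.0.1", "127.0.0.1", port, 2.0))
    # 192.0.2.1 is a documentation address, assumed not configured locally.
    print(compare_sources("127.0.0.1", "192.0.2.1", port, 2.0))
    srv.close()
```

When the two probes disagree, the difference lies in the source address or the path it takes, not in the master's reachability as such.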

