<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Hi,<div><br></div><div>look for break-dnssec in <a href="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting">https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting</a></div><div><br></div><div><div style="display: block;" class=""><div style="display: block;" class="">--</div></div><div dir="ltr">Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 22. 3. 2023, at 12:52, BONIN Nathanael <BONIN.N@mipih.fr> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<div class="WordSection1">
<p class="MsoNormal">Hi there,</p>
<p class="MsoNormal">We have been using an RPZ zone for some time now, but recently we found a weird behavior with some domains. Let me explain!</p>
<p class="MsoNormal">We have 2 NS servers: a recursive one (let’s call it SrvA) and one behind it (let’s call it SrvB, with global forwarder: SrvA). My RPZ zone is on SrvA.</p>
<p class="MsoNormal">If we draw a little diagram, we have:</p>
<p class="MsoNormal">User ===== > SrvB ===== > SrvA ===== > Internet</p>
<p class="MsoNormal">If we create an A record tatata.google.com / 2.3.4.5 (that doesn’t exist at google.com) in the RPZ zone:</p>
<ul>
<li>On SrvA with: dig @localhost tatata.google.com, we get IP: 2.3.4.5 => GREAT!</li>
<li>On SrvB with: dig @localhost tatata.google.com (which points to SrvA), we get IP: 2.3.4.5 => WONDERFUL!</li>
</ul>
<p class="MsoNormal">BUT</p>
<p class="MsoNormal">If we create another A record sri.biopyrenees.net / 3.4.5.6 (that doesn’t exist at biopyrenees.net) in the RPZ zone:</p>
<ul>
<li>On SrvA with: dig @localhost sri.biopyrenees.net, we get IP: 3.4.5.6 => YOUPI!</li>
<li>On SrvB with: dig @localhost sri.biopyrenees.net, we get: NXDOMAIN => WHATTTT?</li>
</ul>
<p class="MsoNormal">Why, for some domains, isn’t the RPZ working?</p>
<p class="MsoNormal">An example of what I wrote in my RPZ zone:</p>
<p class="MsoNormal">tatata.google.com A 2.3.4.5</p>
<p class="MsoNormal">sri.biopyrenees.net A 3.4.5.6</p>
<p class="MsoNormal">Is it normal? Is there a way to get the right answer on my SrvB?</p>
<p class="MsoNormal">With tcpdump, I see the same behavior with a record that works and with the record that doesn’t work…</p>
<p class="MsoNormal">Thanks for your help.</p>
<p class="MsoNormal">Nath.</p>
</div>
<span>-- </span><br><span>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></div></body></html>