<div dir="auto">This works great!</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto">Matt</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 8, 2023 at 1:35 PM Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Hi,<div><br></div><div><a href="http://time.in" target="_blank">time.in</a> is currently broken - I am guessing this is the reason why you are trying to rewrite the answers.</div><div><br></div><div>RPZ does try to resolve the name first, and it fails, so there’s nothing to rewrite.</div><div><br></div><div>See the documentation <a href="https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy" target="_blank">https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy</a> on qname-wait-recurse and break-dnssec to turn off the default behavior.<br><br>Ondrej<br><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 8. 4. 2023, at 16:32, Matthew Gomez <<a href="mailto:magomez96@gmail.com" target="_blank">magomez96@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"></div></blockquote></div></div><div dir="auto"><div><blockquote type="cite"><div dir="ltr"><div><span style="color:rgb(49,49,49);font-family:-apple-system,"Helvetica Neue";word-spacing:1px">Hi, has anyone run into this before? It looks like a bug to me. 
</span><div dir="auto" style="color:rgb(49,49,49);font-family:-apple-system,"Helvetica Neue";word-spacing:1px"><br></div><div dir="auto" style="color:rgb(49,49,49);font-family:-apple-system,"Helvetica Neue";word-spacing:1px"><br></div><div dir="auto" style="color:rgb(49,49,49);font-family:-apple-system,"Helvetica Neue";word-spacing:1px"><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56)">Summary</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">RPZ Returns a servfail when the trigger is "<a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a>"</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56)"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-bind-version-used" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>BIND version used</h3><p dir="auto" 
style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56)"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-steps-to-reproduce" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#steps-to-reproduce" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>Steps to reproduce</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">Configure a RPZ rule with the trigger as <a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a> (the action does not seem to matter, I tried both CNAME . 
and A 1.1.1.1 both fail)<br>Try to resolve <a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a> against the bind server using dig, nslookup, etc.; a servfail is returned</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);height:auto"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-what-is-the-current-bug-behavior" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-current-bug-behavior" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>What is the current <em style="box-sizing:border-box;font-variant-ligatures:none;font-size:1.3rem">bug</em> behavior?</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">Bind returns a servfail when the trigger for an RPZ rule is "<a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a>"<br>RPZ works as expected for "<a href="http://tim.in/" style="font-size:1rem" target="_blank">tim.in</a>" and "time.ind"</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica 
Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);height:auto"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-what-is-the-expected-correct-behavior" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-expected-correct-behavior" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>What is the expected <em style="box-sizing:border-box;font-variant-ligatures:none;font-size:1.3rem">correct</em> behavior?</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">Bind should return the expected action (nxdomain, A record rewrite, etc)</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56)"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-relevant-configuration-files" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-configuration-files" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>Relevant configuration files</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 
16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">RPZ Zone File<br>$TTL 86400<br>@ IN SOA localhost. root.localhost. (<br>12 ; Serial<br>604800 ; Refresh<br>86400 ; Retry<br>2419200 ; Expire<br>86400 ) ; Negative Cache TTL<br>;<br>@ IN NS localhost.</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem"><a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a> CNAME .</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">named.conf.local snippet<br>zone "rpz.local" {<br>type master;<br>file "/var/lib/bind/rpz.local";<br>allow-query { localhost; };<br>allow-transfer { 1.1.1.1; };<br>also-notify { 1.1.1.1; };<br>};</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">named.conf.options snippet<br>//enable response policy zone.<br>response-policy { zone "rpz.local"; };</p><h3 dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:24px 0px 16px;line-height:1.2;font-size:1.3rem;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56)"><a id="m_-3168190932018571453m_185127158916683670m_-6983472889523874382user-content-relevant-logs-andor-screenshots" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-logs-andor-screenshots" aria-hidden="true" style="color:rgb(31,117,203);box-sizing:border-box;font-variant-ligatures:none;text-decoration:none;margin-top:0px;float:left;outline:currentcolor" target="_blank"></a>Relevant logs and/or screenshots</h3><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">dig <a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a> @<a href="http://127.0.0.1/" style="font-size:1rem" target="_blank">127.0.0.1</a></p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> <a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a> @<a href="http://127.0.0.1/" style="font-size:1rem" target="_blank">127.0.0.1</a><br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25602<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 1232<br>; COOKIE: a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good)<br>;; QUESTION SECTION:<br>;<a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a>. IN A</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">;; Query time: 292 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)<br>;; WHEN: Fri Apr 07 10:29:27 EDT 2023<br>;; MSG SIZE rcvd: 64</p><p dir="auto" style="text-align:initial;box-sizing:border-box;font-variant-ligatures:none;margin:0px 0px 16px;font-family:"GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";color:rgb(51,50,56);font-size:1rem">LOG<br>Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8 127.0.0.1#34415 (<a href="http://time.in/" style="font-size:1rem" target="_blank">time.in</a>): query failed (failure) for <a href="http://time.in/IN/A" style="font-size:1rem" target="_blank">time.in/IN/A</a> at query.c:7775</p></div>
</div>
<span>-- </span><br><span>bind-users mailing list</span><br><span><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a></span><br><span><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br></div></blockquote></div></div></blockquote></div></div>
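<p>The change the reply in this thread points to, written out as an added example (not configuration posted by anyone in the thread): the reporter's <code>response-policy</code> statement with <code>qname-wait-recurse</code> and <code>break-dnssec</code> set. The zone name <code>rpz.local</code> comes from the report; the option values are an assumption, since the thread does not quote the final configuration.</p>

```conf
// named.conf.options fragment; these statements go inside options { }.

// As reported. With the defaults, a QNAME rule is applied only after
// recursion for the query name has completed. The real time.in zone
// was broken, recursion failed, and the client got SERVFAIL before
// the "time.in CNAME ." rule in rpz.local was ever consulted.
//
// response-policy { zone "rpz.local"; };

// Adjusted (assumed values, not quoted in the thread).
//
//   qname-wait-recurse no
//       Apply QNAME rules without waiting for recursion to finish, so
//       a rule still fires when the upstream zone cannot be resolved.
//       Trade-off: rewritten answers come back faster than resolved
//       ones, which can reveal that policy rewriting is in use.
//
//   break-dnssec yes
//       Rewrite even when the client asked for DNSSEC records (DO=1)
//       and the original name has them. The rewritten answer is
//       unsigned, so a validating client downstream may reject it.
response-policy {
    zone "rpz.local";
} qname-wait-recurse no break-dnssec yes;
```

<p>Both options follow the closing brace of the zone list and apply to every policy zone in the view; running <code>named-checkconf</code> before reloading catches a misplaced clause.</p>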