<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi,</p>
<p><br /></p>
<p>You can use option qname-wait-recurse no;<br />to avoid for resolution waiting by Ondrej;</p>
<p> response-policy {<br /> zone "local-redirect";<br /> }<span> </span><strong>qname-wait-recurse no;</strong></p>
<p><br /></p>
<p>In this combination, you will get redirect as I did below</p>
<p><br /></p>
<p>% dig time.in @127.0.0.1</p>
<p>; <<>> DiG 9.16.37 <<>> time.in @127.0.0.1<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16906<br />;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2</p>
<p>;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 1232<br />; COOKIE: 76c28914f71577f8010000006431b8a864cf9cf0868502f1 (good)<br />;; QUESTION SECTION:<br />;time.in. IN A</p>
<p>;; ANSWER SECTION:<br />time.in. 5 IN A 127.0.0.1</p>
<p>;; ADDITIONAL SECTION:<br />local-redirect. 1 IN SOA</p>
<p>Best Regards,<br />Peter</p>
<p><br /></p>
<p id="reply-intro">On 2023-04-08 20:28, bind-users-request@lists.isc.org wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Send bind-users mailing list submissions to<br /> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br /><br />To subscribe or unsubscribe via the World Wide Web, visit<br /> <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a><br />or, via email, send a message with subject or body 'help' to<br /> <a href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a><br /><br />You can reach the person managing the list at<br /> <a href="mailto:bind-users-owner@lists.isc.org">bind-users-owner@lists.isc.org</a><br /><br />When replying, please edit your Subject line so it is more specific<br />than "Re: Contents of bind-users digest..."<br /><br /><br />Today's Topics:<br /><br /> 1. Re: Response Policy Zone returns servfail for time.in Trigger<br /> (Matthew Gomez)<br /> 2. Re: Response Policy Zone returns servfail for time.in Trigger<br /> (Fred Morris)<br /><br /><br />----------------------------------------------------------------------<br /><br />Message: 1<br />Date: Sat, 8 Apr 2023 14:25:57 -0400<br />From: Matthew Gomez <<a href="mailto:magomez96@gmail.com">magomez96@gmail.com</a>><br />To: Ond?ej Sur? <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>><br />Cc: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br />Subject: Re: Response Policy Zone returns servfail for time.in Trigger<br />Message-ID:<br /> <<a href="mailto:CAB4mi5uZ6NtHr1nsR9GBck7rm9FHMGWmOxjC7ZagbqM-m-uQ8w@mail.gmail.com">CAB4mi5uZ6NtHr1nsR9GBck7rm9FHMGWmOxjC7ZagbqM-m-uQ8w@mail.gmail.com</a>><br />Content-Type: text/plain; charset="utf-8"<br /><br />This works great!<br /><br />Thanks,<br />Matt<br /><br />On Sat, Apr 8, 2023 at 1:35 PM Ond?ej Sur? <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>> wrote:<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">Hi,<br /><br />time.in is currently broken - I am guessing this is the reason why are<br />you trying to rewrite the answers.<br /><br />RPZ does try to resolve the name first, and it fails, so there?s nothing<br />to rewrite.<br /><br />See the documentation<br /><a href="https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy" target="_blank" rel="noopener noreferrer">https://bind9.readthedocs.io/en/v9.18.13/reference.html#namedconf-statement-response-policy</a> on<br />qname-wait-recurse and break-dnssec to turn off the default behavior.<br /><br />Ondrej<br />--<br />Ond?ej Sur? ? ISC (He/Him)<br /><br />My working hours and your working hours may be different. Please do not<br />feel obligated to reply outside your normal working hours.<br /><br />On 8. 4. 2023, at 16:32, Matthew Gomez <<a href="mailto:magomez96@gmail.com">magomez96@gmail.com</a>> wrote:<br /><br />?<br /><br />Hi, has anyone run into this before? It looks like a bug to me.<br /><br /><br />Summary<br /><br />RPZ Returns a servfail when the trigger is "time.in"<br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#bind-version-used</a>>BIND<br />version used<br /><br />BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)<br /><br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#steps-to-reproduce" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#steps-to-reproduce</a>>Steps<br />to reproduce<br /><br />Configure a RPZ rule with the trigger as time.in (the action does not<br />seem to matter, I tried both CNAME . and A 1.1.1.1 both fail) Try to<br />resolve time.in against the bind server using dig, nslookup, etc a<br />servfail is returned<br /><br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-current-bug-behavior" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-current-bug-behavior</a>>What<br />is the current *bug* behavior?<br /><br />Bind returns a servfail when the trigger for an RPZ rule is "time.in" RPZ<br />works as expected for "tim.in" and "time.ind"<br /><br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-expected-correct-behavior" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#what-is-the-expected-correct-behavior</a>>What<br />is the expected *correct* behavior?<br /><br />Bind should return the expected action (nxdomain, A record rewrite, etc)<br /><br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-configuration-files" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-configuration-files</a>>Relevant<br />configuration files<br /><br />RPZ Zone File $TTL 86400 @ IN SOA localhost. root.localhost. ( 12 ; Serial<br />604800 ; Refresh 86400 ; Retry 2419200 ; Expire 86400 ) ; Negative Cache<br />TTL ; @ IN NS localhost.<br /><br />time.in CNAME .<br /><br />named.conf.local snippet zone "rpz.local" { type master; file<br />"/var/lib/bind/rpz.local"; allow-query { localhost; }; allow-transfer {<br />1.1.1.1; }; also-notify { 1.1.1.1; }; };<br /><br />named.conf.options snippet //enable response policy zone. response-policy<br />{ zone "rpz.local"; };<br /><br /><<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-logs-andor-screenshots" target="_blank" rel="noopener noreferrer">https://gitlab.isc.org/isc-projects/bind9/-/issues/4008#relevant-logs-andor-screenshots</a>>Relevant<br />logs and/or screenshots<br /><br />dig time.in @127.0.0.1<br /><br />; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> time.in @127.0.0.1 ;;<br />global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:<br />SERVFAIL, id: 25602 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,<br />ADDITIONAL: 1<br /><br />;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE:<br />a197e43b329c51e701000000643028c76d5822e3f9c2bbcb (good) ;; QUESTION<br />SECTION: ;time.in. IN A<br /><br />;; Query time: 292 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN:<br />Fri Apr 07 10:29:27 EDT 2023 ;; MSG SIZE rcvd: 64<br /><br />LOG Apr 7 10:30:37 server named[941]: client @0x7f74a80d03b8<br />127.0.0.1#34415 (time.in): query failed (failure) for time.in/IN/A at<br />query.c:7775<br />--<br />Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe<br />from this list<br /><br />ISC funds the development of this software with paid support<br />subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" rel="noopener noreferrer">https://www.isc.org/contact/</a> for more<br />information.<br /><br /><br />bind-users mailing list<br /><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br /><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a><br /><br /><br /></blockquote>
-------------- next part --------------<br />An HTML attachment was scrubbed...<br />URL: <<a href="https://lists.isc.org/pipermail/bind-users/attachments/20230408/8b94b5f5/attachment-0001.htm" target="_blank" rel="noopener noreferrer">https://lists.isc.org/pipermail/bind-users/attachments/20230408/8b94b5f5/attachment-0001.htm</a>><br /><br />------------------------------<br /><br />Message: 2<br />Date: Sat, 8 Apr 2023 11:28:17 -0700 (PDT)<br />From: Fred Morris <<a href="mailto:m3047@m3047.net">m3047@m3047.net</a>><br />To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br />Subject: Re: Response Policy Zone returns servfail for time.in Trigger<br />Message-ID: <<a href="mailto:alpine.LSU.2.21.2304081041330.3187@flame.m3047">alpine.LSU.2.21.2304081041330.3187@flame.m3047</a>><br />Content-Type: text/plain; charset="utf-8"; Format="flowed"<br /><br />Since one of the corner cases where RPZ is used is for mitigation of <br />failures of legitimate resources, I have a question...<br /><br />On Sat, 8 Apr 2023, Ond?ej Sur? wrote:
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">time.in is currently broken - I am guessing this is the reason why are you trying to rewrite the answers.<br /><br />RPZ does try to resolve the name first, and it fails, so there?s nothing to rewrite.</blockquote>
<br />Does this mean that in the default configuration an e.g. A record in an <br />RPZ overriding brokenness in the global DNS with a QNAME override might <br />fail due to the same brokenness? As far as I know I've never experienced <br />that.<br /><br />Going forward, what is anticipated to be the proper configuration for that <br />scenario?<br /><br />Thanks...<br /><br />--<br /><br />Fred Morris<br /><br />------------------------------<br /><br />Subject: Digest Footer<br /><br />_______________________________________________<br />ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" rel="noopener noreferrer">https://www.isc.org/contact/</a> for more information.<br /><br />bind-users mailing list<br /><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br /><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a><br /><br /><br />------------------------------<br /><br />End of bind-users Digest, Vol 4222, Issue 2<br />*******************************************</div>
</blockquote>
<p><br /></p>
</body></html>