<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="display: block;" class=""><div style="-webkit-user-select: all; -webkit-user-drag: element; display: inline-block;" class="apple-rich-link" draggable="true" role="link" data-url="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting"><a style="border-radius:10px;font-family:-apple-system, Helvetica, Arial, sans-serif;display:block;-webkit-user-select:none;width:300px;user-select:none;-webkit-user-modify:read-only;user-modify:read-only;overflow:hidden;text-decoration:none;" class="lp-rich-link" rel="nofollow" href="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting" dir="ltr" role="button" draggable="false" width="300"><table style="table-layout:fixed;border-collapse:collapse;width:300px;background-color:#E9E9EB;font-family:-apple-system, Helvetica, Arial, sans-serif;" class="lp-rich-link-emailBaseTable" cellpadding="0" cellspacing="0" border="0" width="300"><tbody><tr><td vertical-align="center"><table bgcolor="#E9E9EB" cellpadding="0" cellspacing="0" width="300" style="font-family:-apple-system, Helvetica, Arial, sans-serif;table-layout:fixed;background-color:rgba(233, 233, 235, 1);" class="lp-rich-link-captionBar"><tbody><tr><td style="padding:8px 0px 8px 0px;" class="lp-rich-link-captionBar-textStackItem"><div style="max-width:100%;margin:0px 16px 0px 16px;overflow:hidden;" class="lp-rich-link-captionBar-textStack"><div style="word-wrap:break-word;font-weight:500;font-size:12px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-topCaption-leading"><a rel="nofollow" href="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting" style="text-decoration: none" draggable="false"><font color="#000000" style="color: rgba(0, 0, 0, 1);">8. 
Configuration Reference — BIND 9 9.18.13 documentation</font></a></div><div style="word-wrap:break-word;font-weight:400;font-size:11px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-bottomCaption-leading"><a rel="nofollow" href="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting" style="text-decoration: none" draggable="false"><font color="#A2A2A9" style="color: rgba(60, 60, 67, 0.6);">bind9.readthedocs.io</font></a></div></div></td><td style="padding:6px 12px 6px 0px;" class="lp-rich-link-captionBar-rightIconItem" width="36"><a rel="nofollow" href="https://bind9.readthedocs.io/en/stable/reference.html#response-policy-zone-rpz-rewriting" draggable="false"><img style="pointer-events:none !important;display:inline-block;width:36px;height:36px;border-radius:3px;" width="36" height="36" draggable="false" class="lp-rich-link-captionBar-rightIcon" alt="favicon.ico" src="cid:4CEB858A-9961-47E4-9C88-8F12280BF76F"></a></td></tr></tbody></table></td></tr></tbody></table></a></div></div><br>I would certainly recommend reading the docs… especially the sections on break-dnssec and qname-wait-recurse.<br><br><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 17. 6. 2023, at 6:40, Fred Morris &lt;m3047@m3047.net&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Admittedly, since I'm writing software to do "off label" stuff with DNS I make mistakes.
But I have seen things along this line (interactions between RPZ and regular resolution in the context of "broken" domains): in some cases it has seemed impossible to ameliorate / mitigate SERVFAIL utilizing RPZ.</span><br><span></span><br><span>I'll try to pay more attention and see if I can isolate a test case if the problem recurs. (I was kind of hoping someone would have a solution!)</span><br><span></span><br><span>--</span><br><span></span><br><span>Fred Morris</span><br><span></span><br><span>On Fri, 16 Jun 2023, Crist Clark wrote:</span><br><blockquote type="cite"><span>That should return an NXDOMAIN. Returning SERVFAIL is never a normal RPZ</span><br></blockquote><blockquote type="cite"><span>action. Something is wrong with your configuration.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On Fri, Jun 16, 2023 at 1:39 PM &lt;sami.rahal@sofrecom.com&gt; wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>For monitoring reasons I try to change the return code of a domain name</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>from "SERVFAIL" to "NXDOMAIN" with the rpz classic configuration of</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>BIND9.16.42 as follows:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>example.com IN CNAME.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>*.example.com IN CNAME .</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote
type="cite"><blockquote type="cite"><span>But it still doesn't work, I still have the message "SERVFAIL", is it</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>feasible or not please?</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span></blockquote></blockquote><span>-- </span><br><span>Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></body></html>