<div dir="ltr">Hi Sami.<div>In the "response-policy" block in your config, what (if anything) is the value of the statement "qname-wait-recurse"?</div><div>If you do not have that set explicitly, please do "named -C" to list the defaults and see what it is; probably "yes".</div><div><br></div><div>This parameter controls whether RPZ waits until successful recursion has finished before it rewrites the response, according to the matching rule in the RPZ zone.</div><div>If there is no successful response from recursion then RPZ has nothing to rewrite, so your server's response to its client will be SERVFAIL.</div><div><br></div><div>It looks like your server cannot resolve <a href="http://cadyst.com/A">cadyst.com/A</a> for some reason, which would explain what gets sent back to the client.</div><div>However, it resolves fine for me:</div><div><a href="http://cadyst.com">cadyst.com</a>. 908 IN A 146.59.209.152<br></div><div><br></div><div>Maybe you have some other issue with your resolver?</div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 12 Jul 2023 at 09:26, <<a href="mailto:sami.rahal@sofrecom.com">sami.rahal@sofrecom.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello<br>
Thank you for your answer yes we will plan a migration to version 9.18. <br>
now I have activated "error log" to have the cause of an error servfail is here is the result.<br>
<br>
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (<a href="http://cadyst.com" rel="noreferrer" target="_blank">cadyst.com</a>): view default: rpz QNAME rewrite <a href="http://cadyst.com" rel="noreferrer" target="_blank">cadyst.com</a> stop on qresult in rpz_rewrite(): timed out<br>
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (<a href="http://cadyst.com" rel="noreferrer" target="_blank">cadyst.com</a>): view default: query failed (timed out) for <a href="http://cadyst.com/IN/A" rel="noreferrer" target="_blank">cadyst.com/IN/A</a> at query.c:8042<br>
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for <a href="http://cadyst.com/A" rel="noreferrer" target="_blank">cadyst.com/A</a> in 10.000118: timed out/success [domain:<a href="http://cadyst.com" rel="noreferrer" target="_blank">cadyst.com</a>,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]<br>
<br>
Regards Sami<br>
<br>
<br>
Message: 2<br>
Date: Tue, 11 Jul 2023 12:04:15 +0200<br>
From: Matthijs Mekking <<a href="mailto:matthijs@isc.org" target="_blank">matthijs@isc.org</a>><br>
To: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
Subject: Re: extended dns error<br>
Message-ID: <<a href="mailto:6f5bb3dc-ddf0-873c-c630-fa89fe260c96@isc.org" target="_blank">6f5bb3dc-ddf0-873c-c630-fa89fe260c96@isc.org</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Upgrade to 9.18, because 9.16 does not support extended DNS errors.<br>
<br>
See<br>
<br>
<a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20" rel="noreferrer" target="_blank">https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date&state=all&label_name%5B%5D=Extended%20DNS%20Errors&first_page_size=20</a><br>
<br>
For which errors are supported.<br>
<br>
Best regards, Matthijs<br>
<br>
On 7/11/23 11:10, <a href="mailto:sami.rahal@sofrecom.com" target="_blank">sami.rahal@sofrecom.com</a> wrote:<br>
> Hello ?community<br>
> <br>
> I want to use "extended dns error" option on my recursive dns server. <br>
> What config changes are required to enable EDE?<br>
> <br>
> I am using BIND 9.16.42 as recursive server.<br>
> <br>
> Regards Sami<br>
> <br>
> <br>
<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of bind-users Digest, Vol 4279, Issue 3<br>
*******************************************<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>