[RPZ] Problem implementing RPZ concurrently with DNS64
Cathy Almond
cathya at isc.org
Mon Dec 10 10:21:38 UTC 2012
On 10/12/12 07:39, Affan Basalamah wrote:
> Dear all,
>
> We use BIND 9.8.1, and we already run RPZ on BIND, and we would like to
> run DNS64 together.
>
> This is our config snippet on DNS64:
>
> dns64 64:FF9B::/96 {
> clients { any; };
> mapped { !rfc1918; any; };
> exclude { 64:FF9B::/96; ::ffff:0000:0000/96;};};
>
> response-policy { zone "blacklist"; };
>
>
> However I cannot activate DNS64 together with RPZ, named stopped with
> the message "unexpected error" and the error log is below:
>
>
> Nov 26 00:52:43 order named[20026]: query.c:5908: INSIST(!is_zone)
> failed, back trace
> Nov 26 00:52:43 order named[20026]: #0 0x805c4d2 in ??
> Nov 26 00:52:43 order named[20026]: #1 0x81e1467 in ??
> Nov 26 00:52:43 order named[20026]: #2 0x806af1e in ??
> Nov 26 00:52:43 order named[20026]: #3 0x806bba3 in ??
> Nov 26 00:52:43 order named[20026]: #4 0x81ff55c in ??
> Nov 26 00:52:43 order kernel: pid 2
> Nov 26 00:52:43 order kernel: 0<026 (named), uid 53: exited on signal 6
> Nov 26 00:52:43 order kernel: 118>Nov 26 00:52:43 order named[20026]: #4
> 0x81ff55c in ??
>
>
>
> Any suggestion?
>
> Regards,

Hi Affan,

BIND 9.8.1 is rather an old version now and there have been many
bugfixes since it was released, including several addressing problems
with rpz and with dns64, plus a number of security issues - particularly
the most recent one which is relevant when using DNS64:

http://www.isc.org/software/bind/advisories/cve-2012-5688

Do you see the same outcome if running the latest 9.8 code (9.8.4-P1)?
You can obtain it from here:

http://www.isc.org/downloads

If you're still seeing crashes with 9.8.4-P1, then we'd appreciate it if
you could report this to bind9-bugs at isc.org. See this KB article for
the troubleshooting information that you need to collect and submit:

https://kb.isc.org/article/AA-00340/0/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html

Kind regards,

Cathy Almond
ISC Support
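
An added example, not part of the original message and not ISC tooling: a small Python filter that pulls named assertion failures and their backtrace frames out of syslog text like the excerpt quoted above, so the crash details can be attached to a bug report. The sample log is constructed, and extract_crashes and its record fields are hypothetical names.

```python
import re

# Constructed sample modelled on the syslog excerpt quoted above: one named
# assertion failure, an interleaved kernel line, and a repeated frame.
SAMPLE = """\
Nov 26 00:52:43 order named[20026]: query.c:5908: INSIST(!is_zone) failed, back trace
Nov 26 00:52:43 order named[20026]: #0 0x805c4d2 in ??
Nov 26 00:52:43 order named[20026]: #1 0x81e1467 in ??
Nov 26 00:52:43 order kernel: pid 20026 (named), uid 53: exited on signal 6
Nov 26 00:52:43 order named[20026]: #2 0x806af1e in ??
Nov 26 00:52:43 order named[20026]: #2 0x806af1e in ??
"""

NAMED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ named\[(\d+)\]: (.*)$")
# INSIST is the macro in the quoted log; the other three are ISC's sibling
# assertion macros, assumed here to log in the same "file:line: KIND(expr)" form.
ASSERT = re.compile(r"^([\w./-]+):(\d+): (INSIST|REQUIRE|ENSURE|INVARIANT)\((.*)\) failed")
FRAME = re.compile(r"^#(\d+) (0x[0-9a-fA-F]+) in (\S+)")


def extract_crashes(text):
    """Return one record per named assertion failure found in syslog text."""
    crashes, open_by_pid = [], {}
    for raw in text.splitlines():
        m = NAMED.match(raw)
        if not m:
            continue  # lines from the kernel or other daemons
        ts, pid, msg = m.groups()
        a = ASSERT.match(msg)
        if a:
            rec = {"time": ts, "pid": int(pid), "where": f"{a[1]}:{a[2]}",
                   "assertion": f"{a[3]}({a[4]})", "frames": {}, "symbolized": False}
            crashes.append(rec)
            open_by_pid[pid] = rec
            continue
        f = FRAME.match(msg)
        if f and pid in open_by_pid:
            rec = open_by_pid[pid]
            rec["frames"].setdefault(int(f[1]), f[2])  # keep first copy of a frame
            # "??" means named could not resolve the address to a symbol
            rec["symbolized"] = rec["symbolized"] or f[3] != "??"
    for rec in crashes:
        rec["frames"] = sorted(rec["frames"].items())
    return crashes


if __name__ == "__main__":
    for c in extract_crashes(SAMPLE):
        print(c["time"], f'pid={c["pid"]}', c["where"], c["assertion"])
        for n, addr in c["frames"]:
            print(f"  #{n} {addr}")
        if not c["symbolized"]:
            print("  frames unresolved: addresses need the matching named binary to resolve")
```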