Package: bind9
Version: 1:9.18.19-1~deb12u1
Severity: normal
When bind9/named is configured to log category rpz messages to a file, some
rpz log messages are not captured and sent to the intended destination.
Example:
Add the following stanza in named.conf.options:
logging {
    channel rpzlog {
        file "/var/log/named/rpz.log" versions unlimited size 100m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    category rpz { rpzlog; };
};
With this configuration for logging, most rpz log messages are properly
sent to the intended file (NXDOMAIN items), but some rpz messages are not.
So far, the ones that seem not to be properly captured by this log destination
are rpz "passthru" lookups.
Example log messages that end up in the default syslog/journald rather than
the configured log file:
Dec 10 01:29:41 somehostn named[327739]: client @0x7fee327a6568 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/A/IN via some.domain.name.rpz.local
Dec 10 01:29:41 somehost named[327739]: client @0x7fee32785768 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/AAAA/IN via some.domain.name.rpz.local
Example rpz entry that generates log entries that fail to go to the rpz category/destination:
some.domain.name CNAME rpz-passthru.
Example rpz entry that generates log entries that do go to the proper rpz category/destination:
other.domain.name CNAME .
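To check whether a resolver is affected, here is an added example (not part of this report or of bind9) that parses rpz rewrite lines out of whatever reached the default syslog/journald destination; with the rpz category routed to its own channel, any rpz line found there has bypassed the configured channel. The sample lines are constructed after the ones above, with placeholder hosts and names.

```python
import re
from collections import Counter

# Constructed sample of default-destination log output, modeled on the lines
# quoted in the report (placeholder host, addresses and domain names).
SYSLOG_SAMPLE = """\
Dec 10 01:29:41 somehost named[327739]: client @0x7fee327a6568 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/A/IN via some.domain.name.rpz.local
Dec 10 01:29:41 somehost named[327739]: client @0x7fee32785768 127.0.0.1#35809 (some.domain.name): rpz QNAME PASSTHRU rewrite some.domain.name/AAAA/IN via some.domain.name.rpz.local
Dec 10 01:29:42 somehost named[327739]: client @0x7fee32785768 127.0.0.1#41022 (example.test): query: example.test IN A + (127.0.0.1)
"""

# Matches named's rpz rewrite message: trigger (QNAME, IP, NSDNAME, ...),
# action (PASSTHRU, NXDOMAIN, NODATA, CNAME, ...), rewritten name/type/class
# and the policy zone the hit came from.
RPZ_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<name>\S+)/(?P<rtype>\S+)/(?P<rclass>\S+) via (?P<zone>\S+)"
)


def parse_rpz(line):
    """Return the rpz rewrite fields as a dict, or None for non-rpz lines."""
    m = RPZ_RE.search(line)
    return m.groupdict() if m else None


def rpz_leaked_to_syslog(lines):
    """Return rpz messages found in lines taken from the default destination.

    With 'category rpz { rpzlog; };' configured, every record returned here
    is a message that did not go to the rpzlog channel.
    """
    return [rec for rec in (parse_rpz(line) for line in lines) if rec]


def summarize(records):
    """Count leaked messages by (trigger, action) to see which paths leak."""
    return Counter((r["trigger"], r["action"]) for r in records)


if __name__ == "__main__":
    leaked = rpz_leaked_to_syslog(SYSLOG_SAMPLE.splitlines())
    for (trigger, action), n in summarize(leaked).items():
        print(f"{n} rpz {trigger} {action} message(s) reached the default log")
```

Run it against `journalctl -u named` output instead of the constructed sample; a non-empty result for PASSTHRU with an empty one for NXDOMAIN reproduces the behaviour described above.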
-- System Information:
Debian Release: 12.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-26-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bind9 depends on:
ii adduser 3.134
ii bind9-libs 1:9.18.19-1~deb12u1
ii bind9-utils 1:9.18.19-1~deb12u1
ii debconf [debconf-2.0] 1.5.82
ii dns-root-data 2023010101
ii init-system-helpers 1.65.2
ii iproute2 6.1.0-3
ii libc6 2.36-9+deb12u3
ii libcap2 1:2.66-4
ii libfstrm0 0.6.1-1
ii libjson-c5 0.16-2
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.7.1-1
ii libnghttp2-14 1.52.0-1+deb12u1
ii libprotobuf-c1 1.4.1-1+b1
ii libssl3 3.0.11-1~deb12u2
ii libsystemd0 252.19-1~deb12u1
ii libuv1 1.44.2-1
ii libxml2 2.9.14+dfsg-1.3~deb12u1
ii lsb-base 11.6
ii netbase 6.4
ii sysvinit-utils [lsb-base] 3.06-4
ii zlib1g 1:1.2.13.dfsg-1
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind-doc <none>
ii bind9-dnsutils [dnsutils] 1:9.18.19-1~deb12u1
ii dnsutils 1:9.18.19-1~deb12u1
ii resolvconf 1.91+nmu1
ii ufw 0.36.2-1
-- Configuration Files:
/etc/bind/db.root [Errno 13] Permission denied: '/etc/bind/db.root'
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options [Errno 13] Permission denied: '/etc/bind/named.conf.options'
-- debconf-show failed