One of our networking personnel is trying to access ftp.cisco.com
and is unable to do so from Argonne. He has no problem from home (Comcast). The Comcast DNS servers are 68.87.72.134 and 68.87.77.134 and report that they are running "Nominum Vantio 4.2.1.0" (about which I know very little). My DNS servers are running BIND 9.7.0-P1.

I did some DNS queries here and I have made comments after each DNS query. Are my comments and suppositions correct?

===============================================================
dnsserver% dig ftp.cisco.com

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; Query time: 177 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 11:01:45 2010
;; MSG SIZE  rcvd: 31

dnsserver%

Note the SERVFAIL response. BIND detects that something is wrong.

===============================================================
dnsserver% dig cisco.com ns

; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;cisco.com.                     IN      NS

;; ANSWER SECTION:
cisco.com.              38065   IN      NS      ns1.cisco.com.
cisco.com.              38065   IN      NS      ns2.cisco.com.

;; ADDITIONAL SECTION:
ns1.cisco.com.          2668    IN      A       128.107.241.185
ns2.cisco.com.          2831    IN      A       64.102.255.44

;; Query time: 1 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 14:08:01 2010
;; MSG SIZE  rcvd: 95

dnsserver%

There are two authoritative name servers for cisco.com.

===============================================================
dnsserver% dig ftp.cisco.com @ns1.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.          86400   IN      NS      rtp5-ddir-ns.cisco.com.
ftp.cisco.com.          86400   IN      NS      sjce-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400   IN      A       64.102.255.39
sjce-ddir-ns.cisco.com. 86400   IN      A       128.107.240.86

;; Query time: 60 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Tue May 18 14:08:21 2010
;; MSG SIZE  rcvd: 133

dnsserver%

This response (from one of the two name servers) has problems.

1) There is an answer, but without the "aa" (authoritative answer) flag, the response appears to be coming from the cache.

2) The authority section lists the two name servers that are authoritative for the zone ftp.cisco.com.

3) I am not a DNS expert, but with "ra" (recursion available) and "rd" (recursion desired) both set, I would expect my query to recurse to a name server that will return an authoritative answer. Or, since I sent the request to a specific name server, that server would return no answers but a referral to the authoritative name servers.

===============================================================
dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; Query time: 288 msec
;; SERVER: 64.102.255.39#53(64.102.255.39)
;; WHEN: Tue May 18 14:08:46 2010
;; MSG SIZE  rcvd: 47

dnsserver%
dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.                 IN      A

;; ANSWER SECTION:
ftp.cisco.com.          60      IN      A       198.133.219.241

;; Query time: 219 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Tue May 18 14:09:12 2010
;; MSG SIZE  rcvd: 47

dnsserver%

Here I queried both supposedly authoritative name servers, and from each I get a non-authoritative answer. When I did the same query yesterday afternoon, neither of these two name servers was accessible. I assume that with BIND 9.7.0-P1, if the response is not authoritative, then BIND will not trust the answer.

===============================================================
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:     +1 (630) 252-7277
9700 South Cass Avenue               Facsimile: +1 (630) 252-4601
Building 240, Room 5.B.8             Internet:  bsfin...@anl.gov
Argonne, IL 60439-4828               IBMMAIL:   I1004994
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
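As an added example (not part of Barry's post, and not BIND code), here is a small pure-Python DNS wire-format parser that applies the same check he did by hand with dig: it parses the response header, renders the flag bits the way dig prints them, and labels a response as AUTHORITATIVE, NON-AUTHORITATIVE, REFERRAL, or by its RCODE. The responses it examines are constructed in the script to mirror the ones in the post (same name, address, TTL and flags; their 47-byte size matches dig's MSG SIZE for the two ddir queries). The function names, the classification labels and the `audit` helper are my own, and the classification is the reading a person makes from dig output, not a description of how BIND's resolver handles lame servers internally.

```python
"""Check the AA (authoritative answer) bit in DNS responses, offline.

Hypothetical helper: builds responses modelled on the post and reports
whether each server that is listed as authoritative actually claims authority.
"""
import struct
from ipaddress import IPv4Address

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035, section 4.1.4)
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0].rstrip("."))
            offset += 2
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_response(qname, ip, aa, rcode=0, txid=0x1234):
    """Construct a response with QR, RD and RA set, optionally AA, and one A record
    unless rcode is non-zero (constructed test data, not captured traffic)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)  # QR, RD, RA, RCODE
    if aa:
        flags |= 0x0400  # AA bit
    ancount = 0 if rcode else 1
    msg = struct.pack("!6H", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if ancount:
        # owner name as a pointer to the question name at offset 12; TTL 60; 4-byte RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed
    return msg


def parse_response(msg):
    """Parse the header flags and the answer section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F, "counts": (qd, an, ns, ar), "answers": [],
    }
    offset = 12
    for _ in range(qd):  # skip the question entries (name + QTYPE + QCLASS)
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(IPv4Address(rdata))
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def flags_string(info):
    """Render the header bits in the order dig prints them, e.g. 'qr rd ra'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if info[f])


def classify(msg):
    """Label a response the way a manual dig check would read it."""
    info = parse_response(msg)
    if info["rcode"] != 0:
        return RCODES.get(info["rcode"], "RCODE%d" % info["rcode"])
    if info["aa"]:
        return "AUTHORITATIVE"
    if info["answers"]:
        return "NON-AUTHORITATIVE"  # answer data present, but the server does not claim authority
    return "REFERRAL"  # no answer data; the authority section (not parsed here) would carry the NS set


def audit(responses):
    """Map server name -> classification for the responses collected from each listed NS."""
    return {server: classify(msg) for server, msg in responses.items()}


# Constructed responses modelled on the post: both ddir servers answer without AA.
SAMPLE_RESPONSES = {
    "rtp5-ddir-ns.cisco.com.": build_response("ftp.cisco.com.", "198.133.219.241", aa=False),
    "sjce-ddir-ns.cisco.com.": build_response("ftp.cisco.com.", "198.133.219.241", aa=False),
}

if __name__ == "__main__":
    for server, msg in SAMPLE_RESPONSES.items():
        info = parse_response(msg)
        print(server, flags_string(info), info["answers"], classify(msg), len(msg), "bytes")
```

Running it prints `qr rd ra` and `NON-AUTHORITATIVE` for both constructed responses, which is the condition the post describes: every server the delegation names returns the address without the `aa` bit. To use the same check against live servers, `parse_response` and `classify` can be fed the raw bytes of a UDP reply instead of the constructed ones; the decoding does not depend on how the message was obtained.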