> On 1 Jun 2018, at 5:09 am, Con Wieland <cwiel...@uci.edu> wrote:
> 
> I have a nameserver that cannot resolve extranet.aro.army.mil.
> 
> dig extranet.aro.army.mil
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> extranet.aro.army.mil
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56491
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;extranet.aro.army.mil.               IN      A
> 
> ;; Query time: 4004 msec
> ;; SERVER: 128.200.1.201#53(128.200.1.201)
> ;; WHEN: Thu May 31 11:58:23 PDT 2018
> ;; MSG SIZE  rcvd: 50
> 
> 
> dig any works though
> 
> dig any extranet.aro.army.mil
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> any extranet.aro.army.mil
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36259
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;extranet.aro.army.mil.               IN      ANY
> 
> ;; ANSWER SECTION:
> extranet.aro.ARMY.mil.        5       IN      CNAME   
> aro.army.mil.apps.gcds.disa.mil.
> extranet.aro.ARMY.mil.        5       IN      RRSIG   CNAME 8 4 3600 
> 20180603234628 20180530232344 17853 aro.army.mil. 
> FWADxA2KjVZGnMJMrqCeQaaIhYdyf/pgu5OkBkCk/BAVyRnRaksGbNhx 
> WP15FIQpfXHZXpuV7ChQoGxGXbmpFZc6khlBgOHxhhOSykiJeVB53QR6 
> 8uvu1cRQ6gy7yeaGHvVUFsYyPlSyitY4kWS1v5RS70RhNVviVaSmaEBu 
> JAkACgMdQs8FG6y8E5Uhsazsl3fX6p2b5wX8ohwCYaFygHoIZqq+TBJX 
> HxcX6MOdPfyyP0UeM+aC1x/58HQXekRlpY8VXujBSjDbVIWZKI/EdA0o 
> Z6eXuGBExkzl4IctnwGSGTyQgtWRovDoJEiRi/jyss/Z4BlMBvpbDBJi AC0b9g==
> 
> ;; AUTHORITY SECTION:
> aro.ARMY.mil.         2921    IN      NS      ns03.army.mil.
> aro.ARMY.mil.         2921    IN      NS      ns02.army.mil.
> aro.ARMY.mil.         2921    IN      NS      ns01.army.mil.
> 
> ;; ADDITIONAL SECTION:
> NS01.ARMY.mil.                582     IN      A       140.153.43.44
> NS02.ARMY.mil.                20920   IN      A       192.82.113.7
> NS03.ARMY.mil.                279     IN      A       130.114.200.6
> 
> ;; Query time: 0 msec
> ;; SERVER: 128.200.1.201#53(128.200.1.201)
> ;; WHEN: Thu May 31 12:00:39 PDT 2018
> ;; MSG SIZE  rcvd: 530

ANY (*) queries DO NOT FOLLOW CNAMEs. This is why this query resolved.

Your problem is with one of the targets in the CNAME chain.  You now need to 
work out if the server can resolve aro.army.mil.apps.gcds.disa.mil.  Then you 
need to work out if it can resolve 
aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.  Then you need to work out if it 
can resolve e1008.d.akamaiedge.akamai.csd.disa.mil.

Don’t forget to check the firewall settings for the new server.  Firewall 
vendors have STUPID defaults for DNS.

> and to further confuse the issue, resolution from a nameserver that does 
> resolve this shows different nameservers listed for the default query and the 
> “any” query 
> 
> 
> dig extranet.aro.army.mil 
> 
> ; <<>> DiG 9.3.4-P1 <<>> extranet.aro.army.mil
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 359
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; QUESTION SECTION:
> ;extranet.aro.army.mil.         IN      A
> 
> ;; ANSWER SECTION:
> extranet.aro.ARMY.mil.  801     IN      CNAME   
> aro.army.mil.apps.gcds.disa.mil.
> aro.army.mil.apps.gcds.DISA.mil. 247 IN CNAME   
> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil.
> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 180 IN CNAME 
> e1008.d.akamaiedge.akamai.csd.disa.mil.
> e1008.d.akamaiedge.akamai.csd.disa.mil. 20 IN A 214.48.248.31
> 
> ;; AUTHORITY SECTION:
> DISA.mil.               17124   IN      NS      NS1.CSD.DISA.MIL.
> DISA.mil.               17124   IN      NS      NS.CYBERCOM.MIL.
> DISA.mil.               17124   IN      NS      NS.JTFGNO.MIL.
> 
> ;; ADDITIONAL SECTION:
> NS.JTFGNO.mil.          17124   IN      A       214.3.125.231
> NS.CYBERCOM.mil.        17124   IN      A       131.77.60.235
> NS1.CSD.DISA.mil.       17124   IN      A       152.229.110.235
> 
> ;; Query time: 161 msec
> ;; SERVER: 128.200.192.203#53(128.200.192.203)
> ;; WHEN: Thu May 31 12:03:21 2018
> ;; MSG SIZE  rcvd: 384
> 
> 
> and “any” includes the RRSIG record and different nameservers
> 
> dig any extranet.aro.army.mil
> 
> ; <<>> DiG 9.3.4-P1 <<>> any extranet.aro.army.mil
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 763
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;extranet.aro.army.mil.         IN      ANY
> 
> ;; ANSWER SECTION:
> extranet.aro.ARMY.mil.  732     IN      RRSIG   CNAME 8 4 3600 20180603234628 
> 20180530232344 17853 aro.army.mil. 
> FWADxA2KjVZGnMJMrqCeQaaIhYdyf/pgu5OkBkCk/BAVyRnRaksGbNhx 
> WP15FIQpfXHZXpuV7ChQoGxGXbmpFZc6khlBgOHxhhOSykiJeVB53QR6 
> 8uvu1cRQ6gy7yeaGHvVUFsYyPlSyitY4kWS1v5RS70RhNVviVaSmaEBu 
> JAkACgMdQs8FG6y8E5Uhsazsl3fX6p2b5wX8ohwCYaFygHoIZqq+TBJX 
> HxcX6MOdPfyyP0UeM+aC1x/58HQXekRlpY8VXujBSjDbVIWZKI/EdA0o 
> Z6eXuGBExkzl4IctnwGSGTyQgtWRovDoJEiRi/jyss/Z4BlMBvpbDBJi AC0b9g==
> extranet.aro.ARMY.mil.  732     IN      CNAME   
> aro.army.mil.apps.gcds.disa.mil.
> 
> ;; AUTHORITY SECTION:
> ARMY.mil.               17055   IN      NS      NS01.ARMY.MIL.
> ARMY.mil.               17055   IN      NS      NS02.ARMY.MIL.
> ARMY.mil.               17055   IN      NS      NS03.ARMY.MIL.
> 
> ;; ADDITIONAL SECTION:
> NS01.ARMY.mil.          17055   IN      A       140.153.43.44
> NS02.ARMY.mil.          17055   IN      A       192.82.113.7
> 
> ;; Query time: 2 msec
> ;; SERVER: 128.200.192.203#53(128.200.192.203)
> ;; WHEN: Thu May 31 12:04:29 2018
> ;; MSG SIZE  rcvd: 506
> 
> To further confuse this, this server worked until its IP address changed 
> when it replaced an existing server. There were no configuration changes, only 
> the IP address, and it is otherwise fully functioning.
> Any leads on where to start looking or further troubleshooting ideas would 
> really be appreciated.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
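
An added example, not part of the original message: a POSIX shell helper that applies the hop-by-hop check described above to one resolver. It assumes that a query for type CNAME, like the ANY query, returns the CNAME record without chasing it, so each hop can be tested on its own; the function names and the script name walk.sh are hypothetical.

```sh
#!/bin/sh
# Walk a CNAME chain one hop at a time against a single resolver and
# report the first name it cannot answer for.
# Usage (walk.sh is a hypothetical file name):
#   sh walk.sh extranet.aro.army.mil 128.200.1.201

# query NAME TYPE SERVER: raw dig output. Kept as a function so canned
# output can be substituted when testing offline.
query() { dig +tries=1 +time=5 "@$3" "$1" "$2"; }

# rcode: print the status field of dig's ->>HEADER<<- line read on stdin.
rcode() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

# cname_of NAME: print the CNAME target owned by NAME in dig output on
# stdin. Owner names compare case-insensitively (dig may print
# extranet.aro.ARMY.mil.) and always carry a trailing dot.
cname_of() {
    awk -v n="$1" 'BEGIN { n = tolower(n); if (n !~ /\.$/) n = n "." }
        tolower($1) == n && $4 == "CNAME" { print $5; exit }'
}

# walk_chain NAME SERVER: returns 0 if every hop and the final A lookup
# give NOERROR, 1 at the first hop that does not.
walk_chain() {
    name=$1 server=$2 hops=0
    while [ "$hops" -lt 10 ]; do            # cap guards against CNAME loops
        out=$(query "$name" CNAME "$server") || true
        rc=$(printf '%s\n' "$out" | rcode)
        if [ "$rc" != NOERROR ]; then
            echo "FAIL $name CNAME ${rc:-no-response}"; return 1
        fi
        target=$(printf '%s\n' "$out" | cname_of "$name")
        [ -n "$target" ] || break           # no CNAME here: end of chain
        echo "ok   $name -> $target"
        name=$target hops=$((hops + 1))
    done
    rc=$(query "$name" A "$server" | rcode)
    if [ "$rc" = NOERROR ]; then echo "ok   $name A"; return 0; fi
    echo "FAIL $name A ${rc:-no-response}"; return 1
}

if [ "$#" -ge 2 ]; then walk_chain "$1" "$2"; fi
```

The first FAIL line names the zone whose servers the resolver cannot reach, which is where to compare firewall rules against the working resolver.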
