I will keep queries on the server as Mark explained the dig +trace

The versions on the problem server are:
named -v
BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version)

[cwieland@ns2 ~]$ dig -v
DiG 9.9.4-RedHat-9.9.4-61.el7

Neither dig +cd +cdflag produce anything different

[root@ns2 ~]# dig +cd extranet.aro.army.mil

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> +cd extranet.aro.army.mil
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60621
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;extranet.aro.army.mil. IN A

;; Query time: 4539 msec
;; SERVER: 128.200.192.202#53(128.200.192.202)
;; WHEN: Thu May 31 18:25:50 PDT 2018
;; MSG SIZE rcvd: 50

[root@ns2 ~]# dig +cdflag extranet.aro.army.mil

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> +cdflag extranet.aro.army.mil
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11925
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;extranet.aro.army.mil. IN A

;; Query time: 4000 msec
;; SERVER: 128.200.192.202#53(128.200.192.202)
;; WHEN: Thu May 31 18:26:17 PDT 2018
;; MSG SIZE rcvd: 50

> On May 31, 2018, at 5:31 PM, Peter DeVries <pdevr...@quotient-inc.com> wrote:
>
> +cd disables DNSSEC validation. You are running some very old versions of
> dig in some cases which don't have dnssec support. The 9.9 version of dig
> you have on at least one server should work.
>
> What version of BIND server are you running on the problematic system?
>
> On Thu, May 31, 2018 at 8:18 PM, cwiel...@uci.edu <cwiel...@uci.edu> wrote:
> Hi
>
> Can you elaborate on +cd? a dig option, I am not finding it as an option.
>
> thanks
> con
>
> > On May 31, 2018, at 2:51 PM, Warren Kumari <war...@kumari.net> wrote:
> >
> > Try it with +cd and see if that fixes it.
> >
> > The DNSSEC stuff for this domain is all borked up -- sufficiently that
> > I felt like I was playing snakes and ladders while looking at:
> > http://dnsviz.net/d/extranet.aro.army.mil/dnssec/
> > On Thu, May 31, 2018 at 5:45 PM John Miller <johnm...@brandeis.edu> wrote:
> >>
> >> Hi Con,
> >>
> >> May I suggest running dig +trace extranet.aro.army.mil from your
> >> nameserver? That'll make the delegation process explicit and help you
> >> troubleshoot a little better. It could be that one of the three main
> >> army.mil nameservers is unreachable by your ns for some reason
> >> (routing being a likely culprit).
> >>
> >> John
> >>
> >> On Thu, May 31, 2018 at 5:29 PM, Con Wieland <cwiel...@uci.edu> wrote:
> >>> and here they are but I don’t see anything indicating what the problem
> >>> might be
> >>>
> >>> 31-May-2018 13:56:01.150 queries: info: client 128.200.1.20#37203
> >>> (extranet.aro.army.mil): view internal: query: extranet.aro.army.mil IN A
> >>> +E (128.200.1.201)
> >>> 31-May-2018 13:56:01.151 resolver: debug 1: createfetch:
> >>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil A
> >>> 31-May-2018 13:56:06.153 queries: info: client 128.200.1.20#37203
> >>> (extranet.aro.army.mil): view internal: query: extranet.aro.army.mil IN A
> >>> +E (128.200.1.201)
> >>> 31-May-2018 13:56:06.153 resolver: debug 1: createfetch:
> >>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil A
> >>> 31-May-2018 13:56:11.158 queries: info: client 128.200.1.20#37203
> >>> (extranet.aro.army.mil): view internal: query: extranet.aro.army.mil IN A
> >>> +E (128.200.1.201)
> >>> 31-May-2018 13:56:11.158 query-errors: debug 1: client 128.200.1.20#37203
> >>> (extranet.aro.army.mil): view internal: query failed (SERVFAIL) for
> >>> extranet.aro.army.mil/IN/A at query.c:7215
> >>> 31-May-2018 13:56:11.158 resolver: debug 1: createfetch:
> >>> aro.army.mil.edgekey.dmz.akamai.csd.disa.mil A
> >>> 31-May-2018 13:56:21.168 query-errors: debug 1: client 128.200.1.20#37203
> >>> (extranet.aro.army.mil): view internal: query failed (SERVFAIL) for
> >>> extranet.aro.army.mil/IN/A at query.c:7215
> >>>
> >>>> On May 31, 2018, at 12:51 PM, Reindl Harald <h.rei...@thelounge.net>
> >>>> wrote:
> >>>>
> >>>> On 31.05.2018 at 21:42, Con Wieland wrote:
> >>>>> agreed but why would my server not resolve it while others do?
> >>>>
> >>>> ask the logs of 128.200.1.201
> >>>>
> >>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> extranet.aro.army.mil
> >>>> ;; global options: +cmd
> >>>> ;; Got answer:
> >>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56491
> >>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >>>> ;; SERVER: 128.200.1.201#53(128.200.1.201)
> >>>>
> >>>>>> On May 31, 2018, at 12:16 PM, Reindl Harald <h.rei...@thelounge.net>
> >>>>>> wrote:
> >>>>>>
> >>>>>> On 31.05.2018 at 21:09, Con Wieland wrote:
> >>>>>>> I have a nameserver that can not resolve extranet.aro.army.mil.
> >>>>>>
> >>>>>> terribly slow and insane config - fix it
> >>>>>>
> >>>>>> https://intodns.com/aro.army.mil
> >>>>>>
> >>>>>> ;; Query time: 1175 msec
> >>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>>> ;; WHEN: Do Mai 31 21:12:26 CEST 2018
> >>>>>> ;; MSG SIZE rcvd: 247
> >>>>>>
> >>>>>> ;; Query time: 1109 msec
> >>>>>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> >>>>>> ;; WHEN: Do Mai 31 21:12:52 CEST 2018
> >>>>>> ;; MSG SIZE rcvd: 191
> >>>>>>
> >>>>>> ;; ANSWER SECTION:
> >>>>>> aro.army.mil. 2022 IN NS ns03.army.mil.
> >>>>>> aro.army.mil. 2022 IN NS ns02.army.mil.
> >>>>>> aro.army.mil. 2022 IN NS ns01.army.mil.
> >>>>>>
> >>>>>> ;; Query time: 163 msec
> >>>>>> ;; SERVER: 192.82.113.7#53(192.82.113.7)
> >>>>>> ;; WHEN: Do Mai 31 21:15:37 CEST 2018
> >>>>>> ;; MSG SIZE rcvd: 98
> >>>>>> Warn SOA REFRESH WARNING: Your SOA REFRESH interval is: 900. That is not so ok
> >>>>>> Warn SOA RETRY Your SOA RETRY value is: 90. That is NOT OK
> >>>>
> >>>
> >>> _______________________________________________
> >>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> >>> unsubscribe from this list
> >>>
> >>> bind-users mailing list
> >>> bind-users@lists.isc.org
> >>> https://lists.isc.org/mailman/listinfo/bind-users
> >>
> >> --
> >> John Miller
> >> Senior Systems Engineer
> >> Brandeis University ITS
> >> johnm...@brandeis.edu
> >> (781) 736-4619
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad
> > idea in the first place.
> > This is like putting rabid weasels in your pants, and later expressing
> > regret at having chosen those particular rabid weasels and that pair
> > of pants.
> > ---maf
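
Added example, not part of the original thread or written by any of its participants: the +cd comparison discussed above, applied to captured dig output. The function names and the NOERROR sample are assumptions made for illustration; the two SERVFAIL samples are header lines copied from the thread.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+),\s*id:\s*\d+")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")
TIME_RE = re.compile(r";; Query time:\s*(\d+)\s*msec")

def parse_dig(text):
    """Extract rcode, header flags and query time from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    qtime = TIME_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "msec": int(qtime.group(1)) if qtime else None,  # line may be trimmed
    }

def classify(plain, with_cd):
    """Compare a normal query with a +cd query sent to the same resolver."""
    if "cd" not in with_cd["flags"]:
        return "inconclusive: CD bit not set in the second response"
    if plain["status"] != "SERVFAIL":
        return "no failure: plain query returned " + plain["status"]
    if with_cd["status"] == "NOERROR":
        return "validation: answer exists but fails DNSSEC checks on this resolver"
    if with_cd["status"] == "SERVFAIL":
        return "resolution: no answer even with validation disabled, check upstream reachability"
    return "other: +cd query returned " + with_cd["status"]

# Header lines copied from the thread (plain query, then the +cd query).
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60621
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 4539 msec
"""
# Constructed sample: what a validation-only failure would look like with +cd.
CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify(parse_dig(PLAIN), parse_dig(WITH_CD)))
    print(classify(parse_dig(PLAIN), parse_dig(CD_OK)))
```

For the output posted in the thread the result is "resolution", which matches the suggestion to follow the delegation with dig +trace from the affected nameserver.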