Sorry if this seems longish, but I'd rather give you all I can think of that
might help than leave you wondering what I'm talking about.
We are having a problem getting DNS recursive resolutions for
securestate.com domain names, specifically mystate.securestate.com.
I should mention here that, at present, this is the only domain we are
having issues with.
When we issue a DNS query from any of our four BIND 9.9.4-P2 recursive
servers, which are inside of our network, for the mystate.securestate.com
domain, we consistently get a SERVFAIL response.
When we issue a DNS query specifically for the SOA Name servers' A records,
we get a SERVFAIL response.
In trying to figure out what might be going on, I found through outside
resolvers the names (four) and IP Addresses (four each for 16 total) of the SOA
servers for the securestate.com domain.
When we issue a DNS query specifically against an IP Address of one of the
SOA servers for securestate.com, for its own name, we get a NOERROR response
with no data.
When we use other DNS resolvers, outside of our network, they seem to be
resolving just fine.
I've included the various flavors of dig queries and the meat of our
named.conf file.
Since our customers, or one of them, see a SERVFAIL, it of course just has
to be our DNS servers' fault, so any ideas or hints will be greatly appreciated.
When I try a basic dig, I get:
dig mystate.securestate.com
; <<>> DiG 9.9.4-P2 <<>> mystate.securestate.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;securestate.com. IN A
;; Query time: 2993 msec
;; SERVER: 164.165.147.231#53(164.165.147.231)
;; WHEN: Mon Sep 29 15:59:14 MDT 2014
;; MSG SIZE rcvd: 44
If I try a dig +trace, I get:
dig +trace mystate.securestate.com
; <<>> DiG 9.9.4-P2 <<>> +trace mystate.securestate.com
;; global options: +cmd
. 83701 IN NS e.root-servers.net.
. 83701 IN NS f.root-servers.net.
. 83701 IN NS i.root-servers.net.
. 83701 IN NS m.root-servers.net.
. 83701 IN NS d.root-servers.net.
. 83701 IN NS h.root-servers.net.
. 83701 IN NS b.root-servers.net.
. 83701 IN NS j.root-servers.net.
. 83701 IN NS k.root-servers.net.
. 83701 IN NS c.root-servers.net.
. 83701 IN NS l.root-servers.net.
. 83701 IN NS a.root-servers.net.
. 83701 IN NS g.root-servers.net.
. 84848 IN RRSIG NS 8 0 518400 20141006170000
20140929160000 8230 . hJNK+x67Ai+uAd34igab0odq4vISCMZEwDbopatCxN2/AzKDdkYsCYoE
hfQv8/yYaMR15v0WSYXQomGF66bA6dXe2lzCKEALmkkgy0TTp4xkbTC7
QarlfKJhVwg4TlowxQ5o94ZwYi+6uWXoOM0r6CfdhEFCm8WgZrLd65F1 oTo=
;; Received 913 bytes from 164.165.147.231#53(164.165.147.231) in 589 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20141006170000
20140929160000 8230 . OuUj3aWJQOMDLAO5i33XuhfZNJvjqjbIa6L7Q8rzlXNag153/G0Z6MI3
/1QubWOH9iJVjZLEJhoB7LI5kPEHLo2Hde5iYPCuDGbFbYI7pXSqwTfT
VPgquQGpkgRDeFFM0JHt/qud5fUz5PNsv4QA57vJAJU/n9U72to5dtMm tjM=
;; Received 747 bytes from 199.7.83.42#53(l.root-servers.net) in 1176 ms
securestate.com. 172800 IN NS ns5.gi.net.
securestate.com. 172800 IN NS ns6.gi.net.
securestate.com. 172800 IN NS ns7.gi.net.
securestate.com. 172800 IN NS ns8.gi.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20141004044954 20140927033954 6122 com.
zVV+Rlagl8V4U36B36XISeL4D652mt25miImUk4gmRotumeuX4EENG99
AEcNhKuP6SSzRa2Zx3uTgHMGlugSISDd4gwQEPb8tckKjQhzuEFucek2
IklgGEs4zKXW5BzVLNo+RZ/ARuuXm/G4PEHWxTm1sAf4HrWTbtMZ3o53 rj4=
PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN NSEC3 1 1 0 -
PFPAGH2299I07EHT4G9EC1S03HUET784 NS DS RRSIG
PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN RRSIG NSEC3 8 2 86400
20141006043024 20140929032024 6122 com.
X62NE0ptCBOBwvbGLO517nIqLthVeQrpEZRcHebfRbfyrx4Bwrx7NoPx
2zRVDgtSAN6hTVWHyX+qgFKqGl7w59fL7nhFL718i8sMkaKpPxgyN+60
eLwC0lzMXoPv9od7Odl3/z91d9VwLpFhCTDK7PurOIcfLI0qv9vr03vE 2yQ=
dig: couldn't get address for 'ns5.gi.net': no more
If I try a query specifically against the IP Address advertised as SOA for
this domain (ns5.gi.net - 50.23.136.173), I get a resolution:
dig @50.23.136.173 mystate.securestate.com
; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 mystate.securestate.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19186
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mystate.securestate.com. IN A
;; ANSWER SECTION:
mystate.securestate.com. 14400 IN A 98.103.44.125
;; Query time: 27 msec
;; SERVER: 50.23.136.173#53(50.23.136.173)
;; WHEN: Mon Sep 29 16:05:31 MDT 2014
;; MSG SIZE rcvd: 57
However, if I try a dig against any IP Address for the host record of the
server associated with that specific IP Address (50.23.136.173 - ns5.gi.net) I
get:
dig @50.23.136.173 ns5.gi.net
; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 ns5.gi.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns5.gi.net. IN A
;; Query time: 20 msec
;; SERVER: 50.23.136.173#53(50.23.136.173)
;; WHEN: Mon Sep 29 16:09:28 MDT 2014
;; MSG SIZE rcvd: 28
Here is my named.conf file:
acl "state-network" {
    164.165.0.0/16; 192.102.16.0/24; 192.207.45.0/24;
};
acl "labor-network" {
    204.144.104.0/24;
};
acl "access-idaho" {
    206.81.140.0/25; 63.226.87.146/29;
};
acl "internal-nat" {
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
options {
    directory "/conf";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    dump-file "/var/run/named.db";
    version "[secured]";
    hostname "[secured]";
    dnssec-enable yes;
    dnssec-validation auto;
    recursion yes;
    allow-update { none; };
    allow-notify { 164.165.207.44; };
    allow-query { state-network; labor-network; internal-nat; };
    allow-query-cache { state-network; labor-network; internal-nat; };
    transfer-format many-answers;
    max-transfer-time-in 60;
    max-cache-ttl 86400;
    max-ncache-ttl 600;
    max-cache-size 50M;
};
zone "." {
    type hint;
    file "db.rootcache";
};
zone "localhost" {
    type master;
    file "db.localhost";
    notify no;
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};
Jon Eckerle - Hostmaster
Idaho Office of the Chief Information Officer
650 West State Street
Boise, Idaho 83720
Certified DNS Associate
Certified DNSSEC Expert
[email protected]
[email protected]
(208) 332-1803
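An added example, not part of the post above and not BIND or dig code: a small Python parser for the text dig prints, plus a triage function that turns each response into the verdict an operator reads off by eye (SERVFAIL from a recursive server, an authoritative answer, or a NOERROR/no-data reply from a server that sets neither aa nor ra and so cannot tell you anything about that name). The verdict names and the parsing approach are this example's own; the three sample responses are adapted from the dig output quoted in the post and are embedded as string literals so the script runs offline. The suggested next step for the first case, re-running the failing query with dig +cd, is the standard way to separate a DNSSEC validation failure from a resolver that simply cannot reach or resolve the zone's authoritative servers.

```python
"""Triage dig(1) responses reproducibly instead of by eye.

Added example (not code from the original post): parses dig's text output
and classifies each response. Samples at the bottom are adapted from the
dig output quoted in the post. Standard library only; runs offline.
"""
import re
from dataclasses import dataclass, field

_STATUS = re.compile(r"status: ([A-Z]+)")
_FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);")
_SERVER = re.compile(r"^;; SERVER: (\S+)")


@dataclass
class DigResponse:
    status: str = ""                              # NOERROR, SERVFAIL, ...
    flags: set = field(default_factory=set)       # qr, aa, rd, ra, ...
    question: tuple = ()                          # (name, rrtype)
    answers: list = field(default_factory=list)   # (name, ttl, rrtype, rdata)
    server: str = ""                              # "ip#port(ip)" as dig prints it


def parse_dig(text):
    """Parse dig's human-readable output: header, flags, question, answers."""
    r, section = DigResponse(), None
    for raw in text.splitlines():
        line = raw.strip()
        m_status, m_flags, m_server = (_STATUS.search(line), _FLAGS.match(line),
                                       _SERVER.match(line))
        if not line:
            section = None
        elif line.startswith(";; ->>HEADER<<-") and m_status:
            r.status = m_status.group(1)
        elif m_flags:
            r.flags = set(m_flags.group(1).split())
        elif m_server:
            r.server = m_server.group(1)
        elif line.startswith(";; QUESTION SECTION"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";;"):
            section = None  # any other ";;" line closes the open section
        elif section == "question" and line.startswith(";"):
            name, _cls, rtype = line[1:].split()[:3]
            r.question = (name, rtype)
        elif section == "answer" and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            r.answers.append((name, int(ttl), rtype, rdata))
    return r


def triage(r):
    """Short verdict for one response (verdict names are this example's own).

    resolver-servfail: a recursive server (ra set) gave up. Re-run with +cd:
      success then means DNSSEC validation failed; SERVFAIL with +cd means
      the resolver could not reach or resolve the authoritative servers.
    lame: NOERROR, no data, neither aa nor ra: the server is not authoritative
      for that name and will not recurse (e.g. an NS host asked for its own A
      record when it does not serve its own parent zone).
    """
    if r.status == "SERVFAIL":
        return "resolver-servfail" if "ra" in r.flags else "auth-servfail"
    if r.status != "NOERROR":
        return "rcode-%s" % (r.status or "none").lower()  # NXDOMAIN, REFUSED, ...
    if r.answers:
        return "authoritative-answer" if "aa" in r.flags else "recursive-answer"
    if "aa" in r.flags:
        return "authoritative-nodata"
    return "lame" if "ra" not in r.flags else "recursive-nodata"


def triage_all(outputs):
    """(question name, server, verdict) for each captured dig output."""
    parsed = [parse_dig(o) for o in outputs]
    return [((p.question or ("?", "?"))[0], p.server, triage(p)) for p in parsed]


# Samples adapted from the post (constructed string literals, not live queries).
RESOLVER_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;mystate.securestate.com.\tIN\tA
;; SERVER: 164.165.147.231#53(164.165.147.231)
"""
AUTH_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19186
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mystate.securestate.com.\tIN\tA
;; ANSWER SECTION:
mystate.securestate.com. 14400\tIN\tA\t98.103.44.125
;; SERVER: 50.23.136.173#53(50.23.136.173)
"""
LAME_FOR_OWN_NAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns5.gi.net.\t\t\tIN\tA
;; SERVER: 50.23.136.173#53(50.23.136.173)
"""

if __name__ == "__main__":
    for name, server, verdict in triage_all([RESOLVER_SERVFAIL, AUTH_ANSWER,
                                             LAME_FOR_OWN_NAME]):
        print("%-26s @%-38s %s" % (name, server, verdict))
```

In practice you would pipe `dig @<ip> <name> A` for each of the 16 NS addresses into parse_dig and tabulate the verdicts; a delegated NS host whose every address comes back "lame" for its own A record is the one a validating, recursing BIND cannot chase down, which is what the +trace in the post stops on.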
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations