Maybe you have problems not with the servers ns[5-8].gi.net, but with ns[12].gi.net, which are authoritative for the gi.net zone.
2014-09-30 2:18 GMT+04:00 Jon Eckerle <[email protected]>:
> Sorry if this seems longish but, I'd rather give you all I can think of
> that might help than to leave you wondering what I'm talking about.
>
> We are having a problem getting DNS recursive resolutions for
> securestate.com domain names, specifically mystate.securestate.com.
>
> I should mention here that, at present, this is the only domain we are
> having issues with.
>
> When we issue a DNS query from any of our four BIND 9.9.4-P2 recursive
> servers, which are inside of our network, for the mystate.securestate.com
> domain, we consistently get a SERVFAIL response.
>
> When we issue a DNS query specifically for the SOA Name servers' A
> records, we get a SERVFAIL response.
>
> In trying to figure out what might be going on, I found through outside
> resolvers the names (four) and IP Addresses (four each for 16 total) of the
> SOA servers for the securestate.com domain.
>
> When we issue a DNS query specifically against an IP Address of one of the
> SOA servers for securestate.com, for its own name, we get a NOERROR response
> with no data.
>
> When we use other DNS resolvers, outside of our network, they seem to be
> resolving just fine.
>
> I've included the various flavors of dig queries and the meat of our
> named.conf file.
>
> Since our customers, or one of them, see a SERVFAIL it, of course, just
> has to be our DNS servers' fault so, any ideas or hints will be greatly
> appreciated.
>
> When I try a basic dig, I get:
>
> dig mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> mystate.securestate.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39627
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;securestate.com. IN A
>
> ;; Query time: 2993 msec
> ;; SERVER: 164.165.147.231#53(164.165.147.231)
> ;; WHEN: Mon Sep 29 15:59:14 MDT 2014
> ;; MSG SIZE rcvd: 44
>
> If I try a dig +trace, I get:
>
> dig +trace mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> +trace mystate.securestate.com
> ;; global options: +cmd
> . 83701 IN NS e.root-servers.net.
> . 83701 IN NS f.root-servers.net.
> . 83701 IN NS i.root-servers.net.
> . 83701 IN NS m.root-servers.net.
> . 83701 IN NS d.root-servers.net.
> . 83701 IN NS h.root-servers.net.
> . 83701 IN NS b.root-servers.net.
> . 83701 IN NS j.root-servers.net.
> . 83701 IN NS k.root-servers.net.
> . 83701 IN NS c.root-servers.net.
> . 83701 IN NS l.root-servers.net.
> . 83701 IN NS a.root-servers.net.
> . 83701 IN NS g.root-servers.net.
> . 84848 IN RRSIG NS 8 0 518400 20141006170000
> 20140929160000 8230 .
> hJNK+x67Ai+uAd34igab0odq4vISCMZEwDbopatCxN2/AzKDdkYsCYoE
> hfQv8/yYaMR15v0WSYXQomGF66bA6dXe2lzCKEALmkkgy0TTp4xkbTC7
> QarlfKJhVwg4TlowxQ5o94ZwYi+6uWXoOM0r6CfdhEFCm8WgZrLd65F1 oTo=
> ;; Received 913 bytes from 164.165.147.231#53(164.165.147.231) in 589 ms
>
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> com. 86400 IN DS 30909 8 2
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com. 86400 IN RRSIG DS 8 1 86400 20141006170000
> 20140929160000 8230 .
> OuUj3aWJQOMDLAO5i33XuhfZNJvjqjbIa6L7Q8rzlXNag153/G0Z6MI3
> /1QubWOH9iJVjZLEJhoB7LI5kPEHLo2Hde5iYPCuDGbFbYI7pXSqwTfT
> VPgquQGpkgRDeFFM0JHt/qud5fUz5PNsv4QA57vJAJU/n9U72to5dtMm tjM=
> ;; Received 747 bytes from 199.7.83.42#53(l.root-servers.net) in 1176 ms
>
> securestate.com. 172800 IN NS ns5.gi.net.
> securestate.com. 172800 IN NS ns6.gi.net.
> securestate.com. 172800 IN NS ns7.gi.net.
> securestate.com. 172800 IN NS ns8.gi.net.
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
> CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
> 20141004044954 20140927033954 6122 com.
> zVV+Rlagl8V4U36B36XISeL4D652mt25miImUk4gmRotumeuX4EENG99
> AEcNhKuP6SSzRa2Zx3uTgHMGlugSISDd4gwQEPb8tckKjQhzuEFucek2
> IklgGEs4zKXW5BzVLNo+RZ/ARuuXm/G4PEHWxTm1sAf4HrWTbtMZ3o53 rj4=
> PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN NSEC3 1 1 0 -
> PFPAGH2299I07EHT4G9EC1S03HUET784 NS DS RRSIG
> PFP6JL7O9OUUBU0U0OHIOD8RQEQAULG3.com. 86400 IN RRSIG NSEC3 8 2 86400
> 20141006043024 20140929032024 6122 com.
> X62NE0ptCBOBwvbGLO517nIqLthVeQrpEZRcHebfRbfyrx4Bwrx7NoPx
> 2zRVDgtSAN6hTVWHyX+qgFKqGl7w59fL7nhFL718i8sMkaKpPxgyN+60
> eLwC0lzMXoPv9od7Odl3/z91d9VwLpFhCTDK7PurOIcfLI0qv9vr03vE 2yQ=
> dig: couldn't get address for 'ns5.gi.net': no more
>
> If I try a query specifically against the IP Address advertised as SOA for
> this domain (ns5.gi.net - 50.23.136.173), I get a resolution:
>
> dig @50.23.136.173 mystate.securestate.com
>
> ; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 mystate.securestate.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19186
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mystate.securestate.com. IN A
>
> ;; ANSWER SECTION:
> mystate.securestate.com. 14400 IN A 98.103.44.125
>
> ;; Query time: 27 msec
> ;; SERVER: 50.23.136.173#53(50.23.136.173)
> ;; WHEN: Mon Sep 29 16:05:31 MDT 2014
> ;; MSG SIZE rcvd: 57
>
> However, if I try a dig against any IP Address for the host record of the
> server associated with that specific IP Address (50.23.136.173 - ns5.gi.net)
> I get:
>
> dig @50.23.136.173 ns5.gi.net
>
> ; <<>> DiG 9.9.4-P2 <<>> @50.23.136.173 ns5.gi.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25692
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns5.gi.net. IN A
>
> ;; Query time: 20 msec
> ;; SERVER: 50.23.136.173#53(50.23.136.173)
> ;; WHEN: Mon Sep 29 16:09:28 MDT 2014
> ;; MSG SIZE rcvd: 28
>
> Here is my named.conf file:
>
> acl "state-network" {
>     164.165.0.0/16; 192.102.16.0/24; 192.207.45.0/24;
> };
>
> acl "labor-network" {
>     204.144.104.0/24;
> };
>
> acl "access-idaho" {
>     206.81.140.0/25; 63.226.87.146/29;
> };
>
> acl "internal-nat" {
>     10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
> };
>
> options {
>     directory "/conf";
>     pid-file "/var/run/named.pid";
>     statistics-file "/var/run/named.stats";
>     dump-file "/var/run/named.db";
>     version "[secured]";
>     hostname "[secured]";
>     dnssec-enable yes;
>     dnssec-validation auto;
>     recursion yes;
>     allow-update { none; };
>     allow-notify { 164.165.207.44; };
>     allow-query { state-network; labor-network; internal-nat; };
>     allow-query-cache { state-network; labor-network; internal-nat; };
>     transfer-format many-answers;
>     max-transfer-time-in 60;
>     max-cache-ttl 86400;
>     max-ncache-ttl 600;
>     max-cache-size 50M;
> };
>
> zone "." {
>     type hint;
>     file "db.rootcache";
> };
>
> zone "localhost" {
>     type master;
>     file "db.localhost";
>     notify no;
> };
>
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "db.127.0.0";
>     notify no;
> };
>
>
> Jon Eckerle - Hostmaster
> Idaho Office of the Chief Information Officer
> 650 West State Street
> Boise, Idaho 83720
>
> Certified DNS Associate
> Certified DNSSEC Expert
> [email protected]
> [email protected]
> (208) 332-1803
>
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
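As an added diagnostic example (not code from this thread or from BIND), the script below parses the tail of a `dig +trace` run like the one in the quoted post, takes the last delegation it reached, and flags nameservers that lie outside the delegated zone: the .com servers cannot hand out glue for ns5-ns8.gi.net, so the resolver has to resolve those names separately through the authoritative servers for gi.net, which is exactly where the reply above points. The trace lines are a constructed abridgement of the post's output.

```python
"""Added example (not from the thread): find where a 'dig +trace' stalled and
which zone's authoritative servers the resolver must reach next."""
import re

# Constructed sample: tail of the +trace from the post, abridged.
TRACE = """\
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 747 bytes from 199.7.83.42#53(l.root-servers.net) in 1176 ms
securestate.com. 172800 IN NS ns5.gi.net.
securestate.com. 172800 IN NS ns6.gi.net.
securestate.com. 172800 IN NS ns7.gi.net.
securestate.com. 172800 IN NS ns8.gi.net.
dig: couldn't get address for 'ns5.gi.net': no more
"""
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")

def parse_delegations(trace):
    """Map each zone seen in the trace to its NS names, in trace order."""
    zones = {}
    for line in trace.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            zones.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return zones

def in_bailiwick(zone, ns):
    """True when ns is at or below zone, so the parent can hand out glue."""
    return ns == zone or ns.endswith("." + zone)

def parent_zone(name):
    """Closest enclosing zone of a name: drop its leftmost label."""
    parts = name.split(".", 1)
    return parts[1] if len(parts) > 1 and parts[1] else "."

def diagnose(trace):
    """Last delegation, its glueless NS names, and the zone(s) whose servers
    must answer before the resolver can go any further."""
    zone, servers = list(parse_delegations(trace).items())[-1]
    glueless = [ns for ns in servers if not in_bailiwick(zone, ns)]
    return {
        "zone": zone,
        "glueless": glueless,
        # First zone to check; the real cut may sit higher if that name is
        # delegated further down, but the thread points at gi.net itself.
        "depends_on": sorted({parent_zone(ns) for ns in glueless}),
        "stalled": "couldn't get address" in trace,
    }
```

Run `diagnose(TRACE)` on your own trace output to get the zone whose NS set (and the A records of those servers) to query next from the failing resolver.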
