Re: bind does not resolved all domains (SERVFAIL)

2017-01-13 Thread Jim Glassford

Hi,
For me, today's problem is philasd.org, getting SERVFAIL
# dig  +trace philasd.org
couldn't get address for 'dns1.philasd.org': not found
couldn't get address for 'dns2.philasd.org': not found
dig: couldn't get address for 'dns1.philasd.org': no more


Missing nameservers reported by parent
FAIL: The following nameservers are listed at your nameservers as
nameservers for your domain, but are not listed at the parent
nameservers (see RFC2181 5.4.1). You need to make sure that these
nameservers are working. If they are not working ok, you may have
problems!

dns2.phila.k12.pa.us
dns1.phila.k12.pa.us

SOA record
Hostmaster E-mail address: please_set_email.absolutely.nowhere

best!

On 1/13/2017 4:06 AM, Matus UHLAR - fantomas wrote:

On 13.01.17 09:57, Clément Fevrier wrote:

I have a weird issue. I have at least one domain that bind9 can't
resolve (phdcomics.com, so a very important one ^^), with status
SERVFAIL. Bind server IP is 192.168.1.8, client is 192.168.1.7


Example #1
client
% dig phdcomics.com


try:

dig +trace any phdcomics.com

that should help more than comparing to other nameservers if they can
query that domain.

Note that the domain has mismatched delegation, according to some DNS
checkers. Also, the servers have very short TTLs.



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Question on prod.msocdn.com

2016-11-11 Thread Jim Glassford

Just fyi,
Found my problem here, our Tipping Point IPS was misbehaving for 
msocdn.com, all well now.
The contributors on the ISC lists are a wealth of information and 
appreciated.

best!
jim

On 11/9/2016 2:50 PM, Jim Glassford wrote:


Re: Question on prod.msocdn.com

2016-11-09 Thread Jim Glassford

On 11/9/2016 2:42 PM, Jim Glassford wrote:




Sorry, stupid of me, wrong dig version for the show :-(
correct version below:

[root@dns3 bind-9.11.0-P1]# dig prod.msocdn.com

; <<>> DiG 9.11.0-P1 <<>> prod.msocdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6415
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7accb22e23d969e7b1b834bb58237d6c6ce2e0e5666f14bc (good)
;; QUESTION SECTION:
;prod.msocdn.com.   IN  A

;; Query time: 4015 msec
;; WHEN: Wed Nov 09 14:47:56 EST 2016
;; MSG SIZE
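The pattern in this thread (SERVFAIL from the validating resolver, NOERROR with a full answer once dig +cd turns checking off) is the signature of a DNSSEC validation failure rather than an unreachable zone. The following is an added example, not code from the thread: it builds the query dig sends (with or without the CD bit and an EDNS OPT record), decodes reply headers, and classifies the pair; the two reply headers are hand-packed from the dig output quoted in the thread, and diagnose() is this example's own heuristic.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, rd=True, cd=False, edns=True):
    """Build a DNS query; cd=True sets the Checking Disabled bit (what dig +cd sends).
    qtype 1 is A; edns adds an OPT RR advertising a 4096-byte UDP payload, like dig."""
    flags = (0x0100 if rd else 0) | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header: flag bits, section counts and the rcode by name."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
        "rcode": RCODE_NAMES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def diagnose(plain, with_cd):
    """Heuristic of this example (not a BIND interface): compare the header of a normal
    query with the header of the same query sent with CD set to the same resolver."""
    if plain["rcode"] != "SERVFAIL":
        return "no-servfail"
    if with_cd["rcode"] == "NOERROR" and with_cd["ancount"] > 0:
        # The resolver can fetch the data but will not hand it out while validating:
        # the DNSSEC chain for the name is broken somewhere (check it with DNSViz).
        return "dnssec-validation-failure"
    return "resolution-failure"


def query_udp(server, msg, timeout=3.0):
    """Send one UDP query to a resolver and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, 53))
        return sock.recv(4096)


# Constructed 12-byte headers mirroring the two dig runs quoted in the thread;
# they are hand-packed here, not captured packets.
SERVFAIL_HEADER = struct.pack("!HHHHHH", 48931, 0x8182, 1, 0, 0, 1)    # qr rd ra, SERVFAIL
CD_NOERROR_HEADER = struct.pack("!HHHHHH", 9519, 0x8190, 1, 3, 9, 10)  # qr rd ra cd, NOERROR

if __name__ == "__main__":
    print(diagnose(parse_header(SERVFAIL_HEADER), parse_header(CD_NOERROR_HEADER)))
    # Against a live resolver, compare two real replies the same way (uncomment):
    # plain = parse_header(query_udp("192.0.2.53", build_query("prod.msocdn.com")))
    # cd = parse_header(query_udp("192.0.2.53", build_query("prod.msocdn.com", cd=True)))
    # print(diagnose(plain, cd))
```

A validation failure is a reason to inspect the chain (the DNSViz link in the thread) and to treat rndc nta as the time-limited workaround the expiry in its output implies, since it switches validation off for that name.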

Re: [Ext] Re: Question on prod.msocdn.com

2016-11-09 Thread Jim Glassford



On 11/9/2016 4:55 AM, Tony Finch wrote:

Jim Glassford <jmgl...@iup.edu> wrote:

Doing dig +cd on prod.msocdn.com will get the CNAME, without +cd either
timeout or SERVFAIL depending on version of bind.

It works for me with BIND 9.11 and 9.10.4-P4.

There are some EDNS-related changes in 9.10 which might be why these
versions are better able to resolve this domain.

It looks like you are running 9.8.2rc1, which was released in 2012 (and
9.8 was EOL 2 years ago) and 9.9.4 which is 3 years old. You can't rely on
Red Hat to backport all the relevant fixes, so if you are running an
important production service on BIND you should use the latest versions
from isc.org.


dnssec-debugger.verisignlabs.com on prod.msocdn.com and not sure, looks like
the problem is in dspg.akamaiedge.net?

Yes, there are several problems on the Akamai side of things
http://dnsviz.net/d/prod.msocdn.com/dnssec/

Tony.


Thanks Tony and also others that replied off list.
I installed 9.11.0-P1 and am having the same issue. Tried out the nta and
hey, it works pretty sweet.

Not sure what my problem is here but will continue to troubleshoot.
best!
jim

[root@dns3 bind-9.11.0-P1]# rndc status
version: BIND 9.11.0-P1 
running on dns3: Linux x86_64 2.6.32-642.6.2.el6.x86_64 #1 SMP Mon Oct 24 10:22:33 EDT 2016

boot time: Wed, 09 Nov 2016 19:24:10 GMT
last configured: Wed, 09 Nov 2016 19:24:10 GMT
configuration file: /etc/named.conf
CPUs found: 2
worker threads: 2
UDP listeners per interface: 1
number of zones: 175 (80 automatic)
debug level: 3
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/9900/1
tcp clients: 0/150
server is up and running


[root@dns3 bind-9.11.0-P1]# dig prod.msocdn.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> prod.msocdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65097
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;prod.msocdn.com.   IN  A
;; Query time: 4002 msec
;; WHEN: Wed Nov  9 14:40:02 2016
;; MSG SIZE  rcvd: 33

[root@dns3 bind-9.11.0-P1]#
[root@dns3 bind-9.11.0-P1]# rndc nta prod.msocdn.com
Negative trust anchor added: prod.msocdn.com/_default, expires 
09-Nov-2016 15:40:58.000

[root@dns3 bind-9.11.0-P1]#
[root@dns3 bind-9.11.0-P1]# dig prod.msocdn.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> prod.msocdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25756
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 9, ADDITIONAL: 9

;; QUESTION SECTION:
;prod.msocdn.com.   IN  A

;; ANSWER SECTION:
prod.msocdn.com.        3600    IN      CNAME   wildcard.msocdn.com.edgekey.net.
wildcard.msocdn.com.edgekey.net. 300 IN CNAME   e7566.dspg.akamaiedge.net.
e7566.dspg.akamaiedge.net. 20   IN      A       104.95.43.11

;; AUTHORITY SECTION:
dspg.akamaiedge.net.    4000    IN      NS      n2dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n4dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n1dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n6dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n3dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n5dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n7dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      n0dspg.akamaiedge.net.
dspg.akamaiedge.net.    4000    IN      NS      a0dspg.akamaiedge.net.

;; ADDITIONAL SECTION:
n7dspg.akamaiedge.net.  8000    IN      A       165.254.211.12
n5dspg.akamaiedge.net.  4000    IN      A       165.254.211.14
n2dspg.akamaiedge.net.  4000    IN      A       165.254.211.20
n4dspg.akamaiedge.net.  8000    IN      A       165.254.211.15
n0dspg.akamaiedge.net.  4000    IN      A       209.48.71.63
n1dspg.akamaiedge.net.  6000    IN      A       88.221.81.194
n3dspg.akamaiedge.net.  6000    IN      A       209.8.212.93
n6dspg.akamaiedge.net.  6000    IN      A       165.254.211.13
a0dspg.akamaiedge.net.  8000    IN      AAAA    2600:1480:e800::c0

;; Query time: 1282 msec
;; WHEN: Wed Nov  9 14:41:14 2016
;; MSG SIZE  rcvd: 475

[root@dns3 bind-9.11.0-P1]#






Question on prod.msocdn.com

2016-11-08 Thread Jim Glassford

Greetings,

Query the list, any verification or pointers appreciated. We are having
DNS issues for prod.msocdn.com starting on Monday 11/7/2016 and I just
thought it was a DNSSEC issue on their end but am not so sure anymore.
Doing dig +cd on prod.msocdn.com will get the CNAME; without +cd I get either
a timeout or SERVFAIL depending on the version of bind. Used
dnssec-debugger.verisignlabs.com on prod.msocdn.com and am not sure, looks
like the problem is in dspg.akamaiedge.net?
Doing dig with +trace I will get it to resolve to the CNAME; doing
flushname or a restart of the named service gives the same results, timeout or
SERVFAIL without using either +cd or +trace. I would think the +trace
should fail also; it does not, so I do not understand the +trace, if not
bad cache on the local server?


$ dig  prod.msocdn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> prod.msocdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48931
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;prod.msocdn.com.   IN  A

;; Query time: 0 msec
;; WHEN: Tue Nov 08 19:07:26 EST 2016
;; MSG SIZE  rcvd: 44

$ dig +cd prod.msocdn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +cd prod.msocdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9519
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 9, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;prod.msocdn.com.   IN  A

;; ANSWER SECTION:
prod.msocdn.com.        2446    IN      CNAME   wildcard.msocdn.com.edgekey.net.
wildcard.msocdn.com.edgekey.net. 254 IN CNAME   e7566.dspg.akamaiedge.net.
e7566.dspg.akamaiedge.net. 20   IN      A       104.95.43.11

;; AUTHORITY SECTION:
dspg.akamaiedge.net.    2570    IN      NS      n7dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      a0dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n6dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n1dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n4dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n2dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n0dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n3dspg.akamaiedge.net.
dspg.akamaiedge.net.    2570    IN      NS      n5dspg.akamaiedge.net.

;; ADDITIONAL SECTION:
n1dspg.akamaiedge.net.  4570    IN      A       209.48.71.60
n0dspg.akamaiedge.net.  2570    IN      A       209.8.212.110
n2dspg.akamaiedge.net.  6570    IN      A       88.221.81.194
a0dspg.akamaiedge.net.  2570    IN      AAAA    2600:1480:e800::c0
n6dspg.akamaiedge.net.  4570    IN      A       165.254.211.13
n4dspg.akamaiedge.net.  6570    IN      A       165.254.211.15
n5dspg.akamaiedge.net.  2570    IN      A       165.254.211.14
n7dspg.akamaiedge.net.  6570    IN      A       165.254.211.12
n3dspg.akamaiedge.net.  4570    IN      A       165.254.211.20

;; Query time: 16 msec
;; WHEN: Tue Nov 08 19:08:02 EST 2016
;; MSG SIZE  rcvd: 486



$ dig +trace prod.msocdn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +trace prod.msocdn.com
;; global options: +cmd
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  m.root-servers.net.


com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.

Re: [Ext] RRL settings that work for you

2015-05-27 Thread Jim Glassford

Hi Mike,

In production since July 2013 without complaints and believe it has 
helped here.

rate-limit { responses-per-second 10; window 5; };

best!
jim

On 5/26/2015 5:00 PM, Mike Hoskins (michoski) wrote:

Hi folks,

I've read about RRL with interest since its inception, but just now
getting around to rolling it out.  That is partially because we run a very
small authoritative infrastructure serving mostly as Akamai EDNS origins.
However, since it is exposed externally, used by a few tenants and RRL has
been running in the wild for awhile now...we decided to finally hop on the
bandwagon as part of our latest round of DNS infrastructure upgrades.

We are experimenting in log-only mode, and wanted to get feedback on
settings which work well for others in production.  So far we have the
following which appears to work well (not limiting typical clients during
normal operation):

rate-limit {
    log-only yes;
    ipv4-prefix-length 32;
    window 10;
    responses-per-second 20;
    nxdomains-per-second 10;
    exempt-clients {
        [...]
    };
};


However, as we've mostly just been turning knobs in an attempt to minimize
log entries...  insight from operators is appreciated.

Thanks!

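As an added example (not code from either poster), a small model of how the two rate-limit configurations in this thread behave, assuming a simplified token-bucket reading of BIND's RRL accounting (credits per client prefix and identical response, capped at responses-per-second times window, refilled at responses-per-second each second): it shows the burst each configuration allows, that two clients in the same /24 share one bucket at the default prefix length, and what log-only changes. The exempt-clients network is a constructed stand-in for the elided [...].

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class RateLimitConfig:
    """The rate-limit knobs used in the thread; field names follow named.conf."""
    responses_per_second: int = 10
    nxdomains_per_second: Optional[int] = None   # None: same as responses_per_second
    window: int = 5
    ipv4_prefix_length: int = 24
    ipv6_prefix_length: int = 56
    log_only: bool = False
    exempt_clients: tuple = ()


class ResponseRateLimiter:
    """Simplified token-bucket model of RRL accounting (an assumption of this example,
    not BIND's rrl.c): one bucket per (client prefix, rcode, qname); the bucket holds
    at most rate*window credits and refills at rate credits per second."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.exempt = [ipaddress.ip_network(n) for n in cfg.exempt_clients]
        self.buckets = {}   # key -> [credits, time of last update]

    def client_prefix(self, client_ip):
        """Clients are aggregated by prefix, so one bucket covers a whole /24 by default."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_length if addr.version == 4 else self.cfg.ipv6_prefix_length
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def rate_for(self, rcode):
        if rcode == "NXDOMAIN" and self.cfg.nxdomains_per_second is not None:
            return self.cfg.nxdomains_per_second
        return self.cfg.responses_per_second

    def decide(self, client_ip, qname, rcode, now):
        """Return 'respond', 'drop', or 'log-only' (would be dropped, but log-only yes
        is set) for one response to client_ip at time `now` in seconds."""
        if any(ipaddress.ip_address(client_ip) in net for net in self.exempt):
            return "respond"
        rate = self.rate_for(rcode)
        cap = rate * self.cfg.window
        key = (self.client_prefix(client_ip), rcode, qname.lower())
        credits, last = self.buckets.get(key, (cap, now))
        credits = min(cap, credits + (now - last) * rate)
        if credits >= 1:
            self.buckets[key] = [credits - 1, now]
            return "respond"
        self.buckets[key] = [credits, now]
        return "log-only" if self.cfg.log_only else "drop"


def simulate_burst(cfg, count, client="192.0.2.10", qname="www.example.com", rcode="NOERROR"):
    """Send `count` identical responses to one client at t=0; returns
    (responded, dropped, log-only) counts."""
    rrl = ResponseRateLimiter(cfg)
    decisions = [rrl.decide(client, qname, rcode, now=0.0) for _ in range(count)]
    return tuple(decisions.count(d) for d in ("respond", "drop", "log-only"))


# The two configurations posted in the thread (exempt network is constructed).
JIM_CFG = RateLimitConfig(responses_per_second=10, window=5)
MIKE_CFG = RateLimitConfig(log_only=True, ipv4_prefix_length=32, window=10,
                           responses_per_second=20, nxdomains_per_second=10,
                           exempt_clients=("192.0.2.0/24",))

if __name__ == "__main__":
    print("jim, 80 identical responses :", simulate_burst(JIM_CFG, 80))
    print("mike, 300 NOERROR           :", simulate_burst(MIKE_CFG, 300, client="198.51.100.7"))
    print("mike, 200 NXDOMAIN          :",
          simulate_burst(MIKE_CFG, 200, client="198.51.100.7", rcode="NXDOMAIN"))
```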


Re: Master to Slave initial zone transfer question

2014-04-16 Thread Jim Glassford

On 4/16/2014 11:35 AM, Barry Margolin wrote:

In article mailman.2651.1397662255.20661.bind-us...@lists.isc.org,
  Jeronimo L. Cabral jelocab...@gmail.com wrote:


Dear, I've implemented two Debian 7 servers with Bind9 as a Master - Slave
schema.

Everything works OK, but I have just a question:

When I create a new zone in the Master and reload the bind9 daemon, this
zone doesn't appear automatically in the Slave; it only appears if I
restart the bind9 daemon in the Slave server.

Is this behaviour correct or is there any statement to transfer a new zone
from Master to Slave without restarting the bind9 daemon in the Slave ???

To pick up new zones added to named.conf, you just need to use:

rndc reconfig

You don't need to restart the daemon on either the master or slave.



To quicken the update process you can also use also-notify in options:

   also-notify {
       slave1.n.n.n;
       slave2.n.n.n;
   };

also-notify

   Only meaningful if notify is active for this zone. The set of
   machines that will receive a DNS NOTIFY message for this zone is
   made up of all the listed name servers (other than the primary
   master) for the zone plus any IP addresses specified with
   also-notify. A port may be specified with each also-notify
   address to send the notify messages to a port other than the default
   of 53. also-notify is not meaningful for stub zones. The default
   is the empty list.

best!
jim




Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

Lost track but have you tried using the IP address of the server for the 
primary, 172.10.20.101 instead of 127.0.0.1?


zone dhcp.coloradostudios.com. {
   primary 172.10.20.101;   <- change from 127.0.0.1
   key DHCP_UPDATER;
}


best!
jim


On 3/28/2013 1:31 PM, Jim Bucks wrote:

Hi Sten,

Thanks for the response,  I only dabble in DNS setups every 5 years 
(or so).  I really thought this would be a no brainer, and most 
likely have some simple command / syntax error causing all of this.


From /var/log/messages

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 28 11:22:57 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49 (proccilapxp) via eth1



On Thu, Mar 28, 2013 at 11:26 AM, Sten Carlsen st...@s-carlsen.dk wrote:


Apparently the DHCP server tries to put the change into BIND but
times out. What does the named log tell about this?

Either it did see the request or it will have an explanation why
it won't do it.

On 28/03/13 18:18, Jim Bucks wrote:

Hi Mark, Graham,  others.

I've spent the last day trying all sorts of things to get this
working (to no avail).  I'm still at the stage of DHCP offering
the lease IP address, but the DNS is not automatically updating
the two zones files with the newly leased addresses.

Here is a brief summary of what I tried/changed.
   - Added the group named to the dhcpd user
   - moved the two zones files into /var/named/chroot/var/named/slaves/ (was internal/)
   - added ENABLE_ZONE_WRITE=yes to /etc/sysconfig/named
   - grabbed a current version named.conf file and added the bare minimum config into it.

Attached are my configs.

Any ideas on what I've hosed up?

Thanks,

Jim



-- 
Jim Bucks - IT Director
Colorado Studios (http://www.coloradostudios.com), Mobile TV Group (http://www.mobiletvgroup.com), HDNet (http://www.hd.net), AXS.tv (http://www.axs.tv/)
8269 E. 23rd Ave. Denver, CO 80238 Main 303-388-8500
jbu...@coloradostudios.com Direct 303-542-5520





-- 
Best regards


Sten Carlsen

No improvements come from shouting:

MALE BOVINE MANURE!!!







Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

No, sorry, wrong IP address, the real IP address of the dns server, not 
the client.


zone dhcp.coloradostudios.com. {
   primary your_dns_server_IP_address;   <- change from 127.0.0.1
   key DHCP_UPDATER;
}

Also do you have a /var/log/named.log file or debug log file for named, 
other than messages, might have more information.

Can try nsupdate with debug to see if this gives any clue also.
nsupdate -d
> server your_dns_server_here
> key your_key_here
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp-172-10-20-101.coloradostudios.com.
>
  (do an extra CR to get it to go)

should see lots of debug information here

> quit

man nsupdate

best!
jim

On 3/28/2013 1:52 PM, Jim Bucks wrote:
No I have not tried that, but .101 is a leased IP address for a 
Windows workstation.


I'm willing to try it, but it seems like that would mean I would need 
a zone like this for all of my leased addresses???



Jim

On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford jmgl...@iup.edu wrote:



Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD Named.

2013-03-28 Thread Jim Glassford

Hi Jim,

Looking at your config files, I believe the keys do not match in
named.conf and dhcpd.conf, but maybe they were adjusted for the posting
to the list. Alan Clegg's link shows creating the key and adding it to
the files and also some nsupdate examples.

You would want something like the following, only with your key in each
file; cut and paste that key! :-)


~~~ inside dhcpd.conf ~~~

key DHCP_UPDATER {
    algorithm HMAC-MD5;
    secret ;
};

~~~ inside named.conf ~~~

key DHCP_UPDATER {
    algorithm HMAC-MD5;
    secret ;
};


On 3/28/2013 3:05 PM, Jim Bucks wrote:

Hi All (sorry for the top-posting)

Alan - thanks for the link.  I'll be checking it out / looking it over.

Jim,

Based on the nsupdate output (below), it looks like I've hosed up 
something in my key.  I used the key string from the .private key 
file (I've found some search results that say to use the .key and 
others say to use the .private).


Jim

[root@dns04 chroot]# nsupdate -d
> server 127.0.0.1
> key DHCP_UPDATE TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp.coloradostudios.com.
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11212
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;101.20.10.172.in-addr.arpa.    IN      SOA

;; AUTHORITY SECTION:
20.10.172.in-addr.arpa. 0       IN      SOA     dns04.coloradostudios.com. sysmgr.hd.net. 2013032600 10800 3600 604800 86400

Found zone name: 20.10.172.in-addr.arpa
The master is: dns04.coloradostudios.com
Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 25308
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
101.20.10.172.in-addr.arpa. 3600 IN     PTR     dhcp.coloradostudios.com.

;; TSIG PSEUDOSECTION:
dhcp_update.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1364496936 300 16 qUBZdqVmksNQtmb1mb9gNQ== 25308 NOERROR 0

; TSIG error with server: tsig indicates error

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 25308
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;20.10.172.in-addr.arpa.        IN      SOA

;; TSIG PSEUDOSECTION:
dhcp_update.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1364496936 300 0  25308 BADKEY 0

> quit
[root@dns04 chroot]#


On Thu, Mar 28, 2013 at 12:03 PM, Jim Glassford <jmgl...@iup.edu> wrote:


Hi Jim,

No, sorry, wrong IP address: use the real IP address of the DNS
server, not the client.

zone dhcp.coloradostudios.com. {
   primary your_dns_server_IP_address; <- change from 127.0.0.1
   key DHCP_UPDATER;
}

Also, do you have a /var/log/named.log file or a debug log file for
named, other than messages? It might have more information.
You can also try nsupdate with debug to see if this gives any clue.
nsupdate -d
> server your_dns_server_here
> key  your_key_here
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr dhcp-172-10-20-101.coloradostudios.com.
>   do extra CR to get it to go

should see lots of debug information here

> quit

man nsupdate

best!
jim

On 3/28/2013 1:52 PM, Jim Bucks wrote:

No I have not tried that, but .101 is a leased IP address for a
Windows workstation.

I'm willing to try it, but it seems like that would mean I would
need a zone like this for all of my leased addresses???


Jim

On Thu, Mar 28, 2013 at 11:42 AM, Jim Glassford <jmgl...@iup.edu> wrote:

Hi Jim,

I lost track, but have you tried using the IP address of the
server for the primary, 172.10.20.101 instead of 127.0.0.1?

zone dhcp.coloradostudios.com. {
   primary 172.10.20.101; <- change from 127.0.0.1
   key DHCP_UPDATER;
}


best!
jim


On 3/28/2013 1:31 PM, Jim Bucks wrote:

Hi Sten,

Thanks for the response. I only dabble in DNS setups every
5 years (or so). I really thought this would be a no-brainer,
and most likely have some simple command / syntax error causing
all of this.

From /var/log/messages

Mar 28 11:22:57 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 28 11:22:57 dns04 dhcpd: Unable to add forward map from
dhcp-172-10-20-101.coloradostudios.com
Re: dhcpd

2012-10-18 Thread Jim Glassford

Hi,

Running 4.1.1-P1, and we see these also from iThings and Androids. I tried to
verify whether the ones doing it were jailbroken or had something else in common,
but never got to the bottom of it. With bootp enabled, they continued to
ask. We just continue to deny bootp for subnets that have no need for it
and ignore them. Five doing it so far today out of 4200.


dhcpd: BOOTREQUEST from 14:5a:05:eb:dc:f3 via 144.80.36.19: bootp disallowed

jim

On 10/18/2012 8:42 AM, Dwayne Hottinger wrote:

I recently set up a new dhcp server.  In my logfiles yesterday I noticed
the following message:

  BOOTP from dynamic client and no dynamic leases

I checked the mac addresses of these clients and thus far they are all
ipads, ipods or iphones.  These devices have gotten IPs in the past.
In my dhcpd.conf file I have:  deny dynamic bootp clients; .  I see
that I'm handing out IPs for the subnets, and my range should be
plenty big.   Has anyone else seen these messages with ipods, ipads or
iphones?   We have quite a few of these devices on the network now and I
want to ensure that they work correctly.   I'm running dhcpd version
3.0.5 built from rpm on Centos 6.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools





Re: Slaves do not more update

2011-06-22 Thread Jim Glassford

Hi,

This may have already been covered by someone else, but just to verify
(beating a dead horse):


Do you update the serial number before you sign the zone? If it is automated
at all with scripts, make sure you update the SOA serial number and then sign.


jim

On 6/22/2011 1:42 PM, Michelle Konzack wrote:

Hello Chris Buxton,

On 2011-06-22 06:26:47, you typed the following:

If the mtime of the slave's file changes, then there's something else
wrong. It's refreshing, and resetting the refresh timer, but it's not
seeing an update.


Right, and I do not find the error...

If I clear the cache while named is running it sucks all missing cache
zones from the MASTER when the time comes to expire the zone.

If I clear the cache and then go to the MASTER, change one zone and
reload it, the SLAVE downloads the changed zone immediately and then it
sucks the rest.

So, it seems, the SLAVE has gotten the zone notification.

This error happens, as I already mentioned, since I changed the MASTER to
DNSSEC.

Thanks, Greetings and nice Day/Evening
 Michelle Konzack
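Jim's question (bump the SOA serial before signing, or the slaves never see a change) comes down to RFC 1982 serial arithmetic: a slave transfers only when the master's serial is "newer", and re-signing that leaves the serial alone changes the RRSIGs but not the number the slave compares. The following Python is an added example, not code from the thread or from BIND; the serial values are constructed in the YYYYMMDDnn style used in this thread.

```python
import datetime

MASK = 0xFFFFFFFF  # SOA serials are unsigned 32-bit
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison: True if serial a is 'after' b, allowing wrap-around."""
    a, b = a & MASK, b & MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def slave_will_transfer(master_serial, slave_serial):
    """A slave pulls the zone only when the master's serial is newer; an equal
    serial means 'unchanged', even if the RRSIGs were regenerated by re-signing."""
    return serial_gt(master_serial, slave_serial)

def next_serial(current, today=None):
    """Smallest sensible serial newer than `current`: today's YYYYMMDD00 when that
    is ahead, otherwise current + 1 (mod 2^32). `today` is an int like 20110622
    and defaults to the real date."""
    today = today or int(datetime.date.today().strftime("%Y%m%d"))
    date_base = today * 100
    return date_base if serial_gt(date_base, current) else (current + 1) & MASK

def prepare_for_signing(unsigned_serial, served_serial, today=None):
    """Serial to write into the unsigned zone before running dnssec-signzone, so
    that the copy the slaves hold (served_serial) is guaranteed to look stale."""
    new = unsigned_serial
    if not serial_gt(new, served_serial):
        new = next_serial(served_serial, today)
    assert slave_will_transfer(new, served_serial)
    return new
```

BIND's dnssec-signzone can do the same bump during signing with -N increment, which avoids the script step entirely.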






(fixed) bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-28 Thread Jim Glassford


Thanks to everyone who replied on and off list, my first dnssec 
related problem and no self confidence. :-) They got it fixed 
yesterday evening and working OK again.


have a great weekend!
jim


On Fri, 27 May 2011 15:09:39 -0400, Jim Glassford <jmgl...@iup.edu> wrote:

Hi,

Running BIND 9.7.0-P2

Is this just me, or are others seeing this?

Starting today I got reports of being unable to reach some student aid sites
such as studentloans.gov


# dig eduftcdnsp01.ed.gov
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov.           IN      A

;; Query time: 550 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:06:00 2011
;; MSG SIZE  rcvd: 37


~in dnssec log file;
27-May-2011 15:06:00.097 dnssec: info: validating @0x7ff40c023520: eduftcdnsp01.ed.gov A: bad cache hit (eduftcdnsp01.ed.gov/DS)


With the checking disabled;

# dig eduftcdnsp01.ed.gov +cd
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov.           IN      A

;; ANSWER SECTION:
eduftcdnsp01.ed.gov.    3539    IN      A       148.9.101.50

;; AUTHORITY SECTION:
ed.gov.                 2777    IN      NS      eduptcdnsp01.ed.gov.
ed.gov.                 2777    IN      NS      eduptcdnsp02.ed.gov.
ed.gov.                 2777    IN      NS      eduftcdnsp02.ed.gov.
ed.gov.                 2777    IN      NS      eduftcdnsp01.ed.gov.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:07:01 2011
;; MSG SIZE  rcvd: 148



thanks!
jim


? bad cache hit (eduftcdnsp01.ed.gov/DS)

2011-05-27 Thread Jim Glassford

Hi,

Running BIND 9.7.0-P2

Is this just me, or are others seeing this?

Starting today I got reports of being unable to reach some student aid sites such
as studentloans.gov


# dig eduftcdnsp01.ed.gov
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov.           IN      A

;; Query time: 550 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:06:00 2011
;; MSG SIZE  rcvd: 37


~in dnssec log file;
27-May-2011 15:06:00.097 dnssec: info: validating @0x7ff40c023520: eduftcdnsp01.ed.gov A: bad cache hit (eduftcdnsp01.ed.gov/DS)


With the checking disabled;

# dig eduftcdnsp01.ed.gov +cd
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov.           IN      A

;; ANSWER SECTION:
eduftcdnsp01.ed.gov.    3539    IN      A       148.9.101.50

;; AUTHORITY SECTION:
ed.gov.                 2777    IN      NS      eduptcdnsp01.ed.gov.
ed.gov.                 2777    IN      NS      eduptcdnsp02.ed.gov.
ed.gov.                 2777    IN      NS      eduftcdnsp02.ed.gov.
ed.gov.                 2777    IN      NS      eduftcdnsp01.ed.gov.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:07:01 2011
;; MSG SIZE  rcvd: 148



thanks!
jim