Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Lyle Giese

On 06/10/11 09:50, Per-Olof Axelsson wrote:

When I run the following dig command below I sometimes get different answers, 
generally 20-30 minutes after restarting BIND.
It doesn't matter if I run dig from a remote host or locally on the problematic 
DNS server.
The two servers in question run on entirely different hardware and operating 
systems. One server runs a compiled version of BIND (on Redhat) whilst the 
other runs an installed package version (SLES11 SP1).

The problem can occur on one DNS server whilst the other remains unaffected, 
and vice-versa. Incorrect replies often come in small groups mixed with correct 
replies, generally over a period of a few seconds before returning to returning 
the correct answer.

Specifying localhost (127.0.0.1) as the server however results in the problem 
never occurring.

I turned on debug level 5 in BIND and searched the logs for any errors but 
didn't find anything.
I tried tcpdump but that didn't give anything either.

To solve the problem I downgraded BIND to version 9.7.3.

The following are the outputs I'm seeing:

Correct answer.

[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;ldap.hb.se.                    IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.
vm-nldap-n1.hb.se.      3600    IN      A       193.10.166.191

;; AUTHORITY SECTION:
hb.se.                  3600    IN      NS      dns2.hb.se.
hb.se.                  3600    IN      NS      hb-ns.server.hv.se.
hb.se.                  3600    IN      NS      ns2.chalmers.se.
hb.se.                  3600    IN      NS      mayday.hb.se.

;; ADDITIONAL SECTION:
dns2.hb.se.             3600    IN      A       193.10.166.35
mayday.hb.se.           3600    IN      A       193.10.166.34

;; Query time: 2 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 199
---

Wrong answer.
---
[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ldap.hb.se.                    IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.

;; Query time: 1 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 54
---

Why is ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION different?

Any ideas??

/Per-Olof Axelsson


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


From here, I can not resolve vm-nldap-nl.hb.se with dig 9.7.3 using the 
+trace option.


Lyle Giese
LCR Computer Services, Inc.




Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Doug Barton

On 6/10/2011 8:36 AM, Phil Mayers wrote:

It was fixed in 9.8.1, or you can apply the patch that the FreeBSD guys
have:

http://www.freebsd.org/cgi/cvsweb.cgi/ports/dns/bind98/files/patch-bin__named__query.c?rev=1.1


I can't take credit for that, it came from Mark. :)

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Tony Finch
Phil Mayers  wrote:
>
> This might be the problem resolving CNAMEs that was discussed on the list
> recently:
>
> https://lists.isc.org/pipermail/bind-users/2011-May/thread.html#83714
>
> "Bind 9.8.0 intermittent problem with non-recursive responses"
>
> It was fixed in 9.8.1

But note that the currently available beta release of 9.8.1 has an
exploitable security vulnerability.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Shannon: Westerly backing easterly 3 or 4, increasing 5 to 7, perhaps gale 8
later in south. Moderate or rough. Showers, rain later. Good, becoming
moderate.


Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Phil Mayers

On 10/06/11 15:50, Per-Olof Axelsson wrote:

When I run the following dig command below I sometimes get different
answers, generally 20-30 minutes after restarting BIND. It doesn't


This might be the problem resolving CNAMEs that was discussed on the 
list recently:


https://lists.isc.org/pipermail/bind-users/2011-May/thread.html#83714

"Bind 9.8.0 intermittent problem with non-recursive responses"

It was fixed in 9.8.1, or you can apply the patch that the FreeBSD guys 
have:


http://www.freebsd.org/cgi/cvsweb.cgi/ports/dns/bind98/files/patch-bin__named__query.c?rev=1.1


Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2

2011-06-10 Thread Per-Olof Axelsson
When I run the following dig command below I sometimes get different answers, 
generally 20-30 minutes after restarting BIND.
It doesn't matter if I run dig from a remote host or locally on the problematic 
DNS server.
The two servers in question run on entirely different hardware and operating 
systems. One server runs a compiled version of BIND (on Redhat) whilst the 
other runs an installed package version (SLES11 SP1).

The problem can occur on one DNS server whilst the other remains unaffected, 
and vice-versa. Incorrect replies often come in small groups mixed with correct 
replies, generally over a period of a few seconds before returning to returning 
the correct answer. 

Specifying localhost (127.0.0.1) as the server however results in the problem 
never occurring.

I turned on debug level 5 in BIND and searched the logs for any errors but 
didn't find anything.
I tried tcpdump but that didn't give anything either.

To solve the problem I downgraded BIND to version 9.7.3.

The following are the outputs I'm seeing:

Correct answer.

[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;ldap.hb.se.                    IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.
vm-nldap-n1.hb.se.      3600    IN      A       193.10.166.191

;; AUTHORITY SECTION:
hb.se.                  3600    IN      NS      dns2.hb.se.
hb.se.                  3600    IN      NS      hb-ns.server.hv.se.
hb.se.                  3600    IN      NS      ns2.chalmers.se.
hb.se.                  3600    IN      NS      mayday.hb.se.

;; ADDITIONAL SECTION:
dns2.hb.se.             3600    IN      A       193.10.166.35
mayday.hb.se.           3600    IN      A       193.10.166.34

;; Query time: 2 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 199
---

Wrong answer.
---
[root@mayday named]# dig @193.10.166.35 ldap.hb.se

; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ldap.hb.se.                    IN      A

;; ANSWER SECTION:
ldap.hb.se.             3600    IN      CNAME   vm-nldap-n1.hb.se.

;; Query time: 1 msec
;; SERVER: 193.10.166.35#53(193.10.166.35)
;; WHEN: Thu Jun  9 12:49:17 2011
;; MSG SIZE  rcvd: 54
---

Why is ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION different?

Any ideas??

/Per-Olof Axelsson 
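
[Added example, not part of any message in this thread.] A monitoring check for the symptom reported above: it parses dig's text output and flags an answer whose CNAME chain stops before reaching a record of the queried type. The function names and the two embedded samples (built from the outputs in the post, whitespace normalized) are assumptions of this example.

```python
import re

# Constructed samples: the QUESTION/ANSWER sections from the two outputs above.
GOOD = """\
;; QUESTION SECTION:
;ldap.hb.se.            IN  A

;; ANSWER SECTION:
ldap.hb.se.         3600 IN CNAME vm-nldap-n1.hb.se.
vm-nldap-n1.hb.se.  3600 IN A     193.10.166.191

;; AUTHORITY SECTION:
hb.se.              3600 IN NS    dns2.hb.se.
"""
BAD = """\
;; QUESTION SECTION:
;ldap.hb.se.            IN  A

;; ANSWER SECTION:
ldap.hb.se.         3600 IN CNAME vm-nldap-n1.hb.se.
"""

def parse_dig(text):
    """Return (qname, qtype, answer_records) from dig's text output."""
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)", text, re.M).groups()
    section, answers = None, []
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)          # track which section we are in
        elif section == "ANSWER" and line and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name.lower(), rtype, rdata.strip().lower()))
    return qname.lower(), qtype, answers

def dangling_cname(text, max_hops=8):
    """Return the unresolved CNAME target, or None if the chain is complete."""
    qname, qtype, answers = parse_dig(text)
    name = qname
    for _ in range(max_hops):
        if any(n == name and t == qtype for n, t, _ in answers):
            return None                   # chain ends in the queried type
        targets = [d for n, t, d in answers if n == name and t == "CNAME"]
        if not targets:                   # nothing more to follow
            return name if name != qname else None
        name = targets[0]
    return name                           # chain too long or looping
```

Feeding it the output of repeated dig runs against each server's public address and logging every non-None result gives a timestamped record of when the incomplete replies occur.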

