Re: dig query
On Mon, Aug 13, 2012 at 10:18 AM, John Williams john.1...@yahoo.com wrote:

> I've a system with two interfaces; a management and a data interface. My default route is set out to the data interface. Doing a dig +tcp someIP.com @some.resolver works fine. If I want a UDP based query, I have to specify the -b option and provide the IP of the interface, otherwise it fails. Why is that? I would imagine the query would travel out the default route of the host.

It certainly should. You might try a traceroute to the server and confirm how it goes out. But the problem is probably NOT how it goes out, but how it comes back. '-b' sets the source address of the packets that will appear in the IP header, but does not specify the route it should take. Sounds like the default ADDRESS placed in the outgoing packets might not be what you expect and that the return path might be hitting a firewall that allows TCP established packets. Of course, established does not work for UDP, but by forcing the source, the response is hitting the data interface, where it is permitted.

This is largely guesswork, but use of tcpdump and looking at the counter/logs of any firewall should confirm this or let you move on to other options.

-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dig query
Pamela Rock wrote:

> The following dig query
>
> dig gov +dnssec +noadflag @10.10.10.1
>
> produces the following flags in the header section:
>
> ;; flags: qr rd ra ad;
>
> Question - what is the relation with the +dnssec and +noadflag options in the query. I would think the query would produce a signed response with no ad bit in the header section. Why does ad show up when I specify +noadflag?

AD is set when authentication is successful by the server to whom you are sending the query. The +noadflag says don't set the AD bit in the outbound query (which is the default).

AlanC
Re: dig query
Tony Finch wrote:

> On Wed, 6 Jan 2010, Pamela Rock wrote:
>
>> Does that imply that +adflag sets the ad bit on the query and the response where +dnssec only sets the ad bit on the response?
>
> The AD flag is meaningless in a query. In a response it tells you whether the server is authoritative or not. It has nothing to do with DNSSEC.

Actually, BIND implements something a bit different. If a query is sent with the AD bit set, the flag is NOT reset if the upstream server succeeds in validating the data, even if the DO bit is not set. If the data is not authenticated, the AD bit is reset in the response. This allows one to send a query to a BIND server that proves data to be validated (set AD on query, watch for AD on response) without having all of the DNSSEC related data (signatures, etc) in the response packet.

AlanC
Re: dig query
On Wed, 6 Jan 2010, Michael Sinatra wrote:

> I tried this out and I noticed that both BIND and unbound appear to behave the same way when using dig in this manner. So both of the major validating implementations support it. I don't see specific reference to using the AD flag in queries in the RFCs (at least on a cursory glance), but it's a very useful feature.

See bottom of 4.7 in http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-09 about using AD in query.
Re: dig query
> I don't see specific reference to using the AD flag in queries in the RFCs (at least on a cursory glance), but it's a very useful feature.

We're kind of flying under the RFC's radar, as I understand it. The RFC says the server must ignore the AD flag in a query. What we do, though, is clear the AD flag when answering if the signatures don't validate, but *leave it alone* if they do. So if you did happen to set the AD flag, and the answer validated, then it would still be set when you got your response.

I don't know of any RFC that expressly describes this usage (though I may have missed one), but in any case it's not forbidden, and it's useful, so...

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
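The header flags dig prints and the AD-bit-in-query behaviour described in AlanC's and Evan Hunt's replies above, as an added example that is not part of the thread and is not BIND, unbound or dig code. The wire-format builder and parser follow RFC 1035 and RFC 6891; model_validator_response only models what the replies describe (AD set when the data validated and the client set DO; a client-set AD left alone when validation succeeds and cleared when it fails), it does no real validation, and the 192.0.2.1 answer record, the transaction IDs and the query names are constructed placeholders.

```python
"""Added example (not BIND, unbound or dig code): build and parse the DNS header flags
that dig prints, and model the AD-bit-in-query behaviour the replies above describe."""
import struct

# Header flag bits (RFC 1035 4.1.1; AD and CD from RFC 2535), numbered from the least
# significant bit of the 16-bit flags word, listed in the order dig prints them.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
EDNS_DO = 0x8000     # DNSSEC OK bit, top bit of the 16-bit flags inside the OPT TTL field


def encode_flags(names, opcode=0, rcode=0):
    word = ((opcode & 0xF) << 11) | (rcode & 0xF)
    for name in names:
        word |= 1 << FLAG_BITS[name]
    return word


def decode_flags(word):
    """Set flag names in dig's print order, e.g. 0x81A0 -> ['qr', 'rd', 'ra', 'ad']."""
    return [name for name, bit in FLAG_BITS.items() if word & (1 << bit)]


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_labels(data, pos):
    """Decode a wire-format name at pos, following compression pointers; returns (labels, next_pos)."""
    labels = []
    while True:
        ln = data[pos]
        if ln & 0xC0 == 0xC0:                      # 2-byte pointer ends the name
            target = ((ln & 0x3F) << 8) | data[pos + 1]
            return labels + _read_labels(data, target)[0], pos + 2
        pos += 1
        if ln == 0:
            return labels, pos
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln


def build_query(txid, name, qtype, adflag=False, dnssec=False):
    """Query as sent by `dig [+adflag] [+dnssec] name qtype`; +dnssec adds an OPT RR with DO set."""
    flags = ["rd"] + (["ad"] if adflag else [])
    msg = struct.pack("!HHHHHH", txid, encode_flags(flags), 1, 0, 0, 1 if dnssec else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)          # QCLASS IN
    if dnssec:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return msg


def parse_message(data):
    """Header flags, first question and whether an OPT RR with DO is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    labels, pos = _read_labels(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    do = False
    for _ in range(an + ns + ar):                  # walk the remaining RRs to find an OPT
        _, pos = _read_labels(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10 + rdlen
        do = do or (rtype == OPT_TYPE and bool(ttl & EDNS_DO))
    return {"id": txid, "flags": decode_flags(flags), "qname": ".".join(labels) or ".",
            "qtype": qtype, "do": do, "ancount": an}


def model_validator_response(query, validated):
    """Model (not BIND's code) of the behaviour described in the thread: AD is set when the
    data validated and the client asked for DNSSEC (DO); a client-set AD is left alone when
    validation succeeds and cleared when it does not. The A record is a constructed placeholder."""
    q = parse_message(query)
    flags = ["qr", "ra"] + [f for f in q["flags"] if f in ("rd", "cd")]
    if validated and ("ad" in q["flags"] or q["do"]):
        flags.append("ad")
    msg = struct.pack("!HHHHHH", q["id"], encode_flags(flags), 1, 1, 0, 1 if q["do"] else 0)
    msg += encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    # answer: compression pointer to the question name (offset 12), A, IN, TTL 300, 192.0.2.1 (RFC 5737)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if q["do"]:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return msg


def dig_flags_line(msg):
    """The ';; flags:' line dig would print for this message."""
    return ";; flags: %s;" % " ".join(parse_message(msg)["flags"])


if __name__ == "__main__":
    # Pamela's query: +dnssec sets DO, +noadflag leaves AD clear, yet the validated answer carries AD.
    q = build_query(0x1234, "gov", 1, adflag=False, dnssec=True)
    print(dig_flags_line(q), "->", dig_flags_line(model_validator_response(q, validated=True)))
    # AlanC's trick: +adflag without +dnssec; AD in the answer says it validated, with no RRSIGs returned.
    q = build_query(0x1235, "example.com", 1, adflag=True)
    for ok in (True, False):
        print(dig_flags_line(q), "->", dig_flags_line(model_validator_response(q, validated=ok)))
```

Against a real resolver the same check is `dig +adflag +nodnssec name @resolver`: AD in the response without a DO bit in the query means the resolver validated the data, and the packet stays small because no RRSIGs are returned. Note that this only proves validation by the resolver you queried; anything between it and you, and the resolver itself, still has to be trusted.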