question on query process
Hello,

I have a question about the query process of a local DNS cache to remote servers. When my local DNS cache wants to find the A record for a domain name, for example www.example.com, and the A record doesn't exist in its cache but example.com's NS records are there, will the DNS cache query example.com's NS servers directly? If the domain's NS records are not there, how will the DNS cache handle the case?

Thanks

Regards,
Ken

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding Total QPS from named stats
Jinmei - Thank you.

As a follow-up question, the stat "queries resulted in successful answer" - does this counter only cover queries that were answered with DNS data? How about DNS queries that were responded to with SERVFAIL, NXDOMAIN, timed out due to delegation, dropped, or other non-successful answers - should those be included in the Total QPS as well?

4692675534 queries resulted in successful answer

"queries" are a subset of "requests" only for messages with opcode = query. These are probably what you want to look at in this context.
BIND 9.7.1b1 is now available
BIND 9.7.1b1 is now available.

BIND 9.7.1b1 is a beta version of the maintenance release for BIND 9.7.

The managed-keys-directory option is known to be broken and a patch (namedconf.c.patch) is available.

BIND 9.7.1b1 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.7.1b1/bind-9.7.1b1.tar.gz

The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.7.1b1/bind-9.7.1b1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/bind-9.7.1b1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/bind-9.7.1b1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp.

A binary kit for Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.zip
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/BIND9.7.1b1.debug.zip.sha512.asc

namedconf.c.patch:
ftp://ftp.isc.org/isc/bind9/9.7.1b1/namedconf.c.patch
ftp://ftp.isc.org/isc/bind9/9.7.1b1/namedconf.c.patch.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/namedconf.c.patch.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1b1/namedconf.c.patch.sha512.asc

Changes since 9.7.0.

--- 9.7.1b1 released ---

2902. [func] Add regression test for change 2897. [RT #21040]
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
2900. [bug] The placeholder negative caching element was not properly constructed, triggering an INSIST in dns_ncache_towire(). [RT #21346]
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was specified. [RT #21301]
2897. [bug] NSEC3 chains could be left behind when transitioning to insecure. [RT #21040]
2896. [bug] rndc sign failed to properly update the zone when adding a DNSKEY for publication only. [RT #21045]
2895. [func] genrandom: add support for the generation of multiple files. [RT #20917]
2894. [contrib] DLZ LDAP support now uses '$' not '%'. [RT #21294]
2893. [bug] Improve managed keys support. New named.conf option managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2891. [maint] Update empty-zones list to match draft-ietf-dnsop-default-local-zones-13. [RT #21099]
2890. [bug] Handle the introduction of new trusted-keys and DS, DLV RRsets better. [RT #21097]
2889. [bug] Elements of the grammar were not properly reported. [RT #21046]
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
2887. [bug] Report the keytag times in UTC in the .key file; local time is presented as a comment within the comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2885. [bug] Improve -fno-strict-aliasing support probing in configure. [RT #21080]
2884. [bug] Insufficient validation in dns_name_getlabelsequence(). [RT #21283]
2883. [bug] 'dig +short' failed to handle really large datasets. [RT #21113]
2882. [bug] Remove memory context from list of active contexts before clearing 'magic'. [RT #21274]
2881. [bug] Reduce the amount of time the rbtdb write lock is held when closing a version. [RT #21198]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke consistent. [RT #21078]
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor. [RT #21106]
2878. [func] Incrementally write the master file after performing an AXFR. [RT #21010]
2877. [bug] The validator failed to skip obviously mismatching RRSIGs. [RT #21138]
2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131]
2875. [bug]
Re: question on query process
Date: Tue, 25 May 2010 16:20:05 +0800 (CST)
From: Tech W. tech...@yahoo.com.cn
Sender: bind-users-bounces+oberman=es@lists.isc.org

I assume you mean that you have a caching-only server, though this is not entirely clear.

If you have an NS record cached for any part of www.example.com, you will use that. If not, you will walk the DNS tree from the root. You will first send the query to the root server you are using. (BIND picks a preferred root server based on the responses it receives when starting up.) Root will return the nameservers for com. It will then pick one of the returned answers and send the query to that server. It will then return the NS records for example. Finally, you send the query to one of those servers and should receive an authoritative response for www.example.com, which will be cached for future use for the time specified in the record's TTL.

If the server already has a record for com, it will start there. If it already has NS records for example.com, it will start there. Obviously, there should not be many queries to the root. I'll leave why there are as an exercise for network researchers and those who write really stupid, often broken software, that uses DNS.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
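The walk Kevin describes, as an added illustration that is not code from the thread or from BIND: a toy iterative resolver that starts at the closest zone cut whose NS records are already cached, follows referrals from there, and caches every delegation it learns. The delegation tree, server names and addresses are constructed.

```python
"""Added example, not code from the thread or from BIND: a toy iterative
resolver.  It starts at the closest zone cut for which NS records are
already cached, walks the delegation chain from there, and caches every
NS set it learns on the way.  All names and addresses are constructed."""

# Constructed delegation tree standing in for the real servers.
ZONES = {
    ".":            {"ns": ["a.root-servers.test."], "children": ["com."]},
    "com.":         {"ns": ["a.gtld-servers.test."], "children": ["example.com."]},
    "example.com.": {"ns": ["ns1.example.com."],
                     "records": {"www.example.com.": "192.0.2.10"}},
}


def in_zone(zone, name):
    """True if absolute `name` lies at or below the zone apex `zone`."""
    return zone == "." or name == zone or name.endswith("." + zone)


def closest_cached_zone(qname, cache):
    """Longest suffix of qname whose NS records are cached; '.' as a last
    resort (a real resolver always has the root hints)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in cache:
            return candidate
    return "."


def authoritative_reply(zone, qname):
    """What the server for `zone` answers: the data, a referral to the child
    zone cut covering qname, or NXDOMAIN when neither exists."""
    z = ZONES[zone]
    if qname in z.get("records", {}):
        return {"answer": z["records"][qname]}
    for child in z.get("children", []):
        if in_zone(child, qname):
            return {"referral": child, "ns": ZONES[child]["ns"]}
    return {"nxdomain": True}


def resolve(qname, cache):
    """Iterate from the closest cached zone cut.  Returns (answer or None,
    list of zones whose servers were asked).  `cache` is updated in place."""
    zone = closest_cached_zone(qname, cache)
    asked = []
    while True:
        asked.append(zone)
        reply = authoritative_reply(zone, qname)
        if "answer" in reply:
            return reply["answer"], asked
        if "nxdomain" in reply:
            return None, asked
        cache[reply["referral"]] = reply["ns"]   # remember the delegation
        zone = reply["referral"]


if __name__ == "__main__":
    cache = {".": ZONES["."]["ns"]}            # cold cache: root hints only
    print(resolve("www.example.com.", cache))  # asks ., com., example.com.
    print(resolve("ftp.example.com.", cache))  # starts at example.com.
```

The second lookup never touches the root or com servers because the earlier walk left their delegations in the cache, which is the behaviour a long queue of root queries in a resolver's logs should make you question.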
noob; looks like a caching issue?
my setup: linux/redhat name servers, bind-9.3.6-4.P1.el5_4.2

beginning yesterday i'm seeing something i haven't seen before. if i do this (for example):

# dig weather.gov +short
;; connection timed out; no servers could be reached

and then immediately do this:

# dig weather.gov +short
140.90.113.200

the first line takes a while to fail. i do an up arrow and return, and the second command responds instantly.

MOST THINGS ARE WORKING FINE. i've only found two addresses w/ this fail-then-work problem. the other is rs.dns-oarc.net. i'm being told this is a problem with their name servers; in the specific case of dns-oarc.net i find that particularly hard to believe.

once it works it will continue to work if i keep doing the command rapidly. if i let it sit for a while, then i can get the failure again. that's probably my cache doing the right thing. what i can't figure out is this fail-then-work behavior.

oh, i've checked the logs. there's zillions of messages about notifies and transfers. once i clean those out, i don't see anything interesting at all.

now i'm also getting this: (the first response doesn't have answers, the second does. but i'm NOT getting "no servers")

# dig weather.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> weather.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35953
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;weather.gov.   IN A

;; Query time: 834 msec
;; SERVER: 146.6.211.1#53(146.6.211.1)
;; WHEN: Tue May 25 14:28:03 2010
;; MSG SIZE  rcvd: 29

# dig weather.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> weather.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18861
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;weather.gov.   IN A

;; ANSWER SECTION:
weather.gov.  490  IN A  140.90.113.200

;; AUTHORITY SECTION:
weather.gov.  33577  IN NS  ns-mw.noaa.gov.
weather.gov.  33577  IN NS  ns-nw.noaa.gov.
weather.gov.  33577  IN NS  ns-e.noaa.gov.

;; ADDITIONAL SECTION:
ns-e.noaa.gov.   74082  IN A  140.90.33.237
ns-nw.noaa.gov.  74082  IN A  161.55.32.2
ns-mw.noaa.gov.  74082  IN A  140.172.17.237

;; Query time: 7 msec
;; SERVER: 216.136.95.2#53(216.136.95.2)
;; WHEN: Tue May 25 14:28:17 2010
;; MSG SIZE  rcvd: 157

i'm relatively new at named/bind. can someone shed some light on this?

j.

-- 
Jay Scott   512-835-3553   g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div.   S224
University of Texas at Austin
[ghi...@hicks-net.net: Re: noob; looks like a caching issue?]--solved
okay, just got the answer -- problem with the firewall. our firewall was doing a stateful inspection of dns packets, and botching it somehow. (i didn't hear the details.) the inspection was turned off, and now, the problem i talked about here AND another problem i was having both got fixed. lucky me.

(FWIW i did try this w/ a somewhat later version of bind on solaris, didn't help.)

thanks for trying to help.

j.

- Forwarded message from Gregory Hicks ghi...@hicks-net.net -

Date: Tue, 25 May 2010 13:10:10 -0700 (PDT)
From: Gregory Hicks ghi...@hicks-net.net
To: g...@arlut.utexas.edu
Cc: ghi...@hicks-net.net
Subject: Re: noob; looks like a caching issue?
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.5.7 SunOS 5.9 sun4u sparc

Date: Tue, 25 May 2010 14:45:37 -0500
From: Jay G. Scott g...@arlut.utexas.edu
To: bind-users@lists.isc.org
Subject: noob; looks like a caching issue?

my setup: linux/redhat name servers bind-9.3.6-4.P1.el5_4.2

Jay:

I'd advise upgrading to a later version of bind and dig if you can. I've got BIND 9.6.1-P1 w/dig 9.6.1-P1 running. The query "dig weather.gov" worked for me the first time. (IOW, no errors...)

As for your query as to WHY your first query failed but, when followed by another query, that second query succeeded, it could be that the response back to BIND took longer than BIND expected so BIND issued the SERVFAIL to you. However, in the background, the expected response WAS received and cached. Then when you queried again, BIND provided the cached response.

Regards,
Gregory Hicks

-- 
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell

The price of freedom is
Another Question about SERVFAIL
One of our networking personnel is trying to access ftp.cisco.com and is unable to do so from Argonne. He has no problem from home (Comcast). The Comcast DNS servers are 68.87.72.134 and 68.87.77.134 and report that they are running Nominum Vantio 4.2.1.0 (about which I know very little). My DNS servers are running BIND 9.7.0-P1.

I did some DNS queries here and I have made comments after each DNS query. Are my comments and suppositions correct?

===
dnsserver% dig ftp.cisco.com

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; Query time: 177 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 11:01:45 2010
;; MSG SIZE  rcvd: 31

dnsserver%

Note the SERVFAIL response. BIND detects that something is wrong.

===
dnsserver% dig cisco.com ns

; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;cisco.com.   IN NS

;; ANSWER SECTION:
cisco.com.  38065  IN NS  ns1.cisco.com.
cisco.com.  38065  IN NS  ns2.cisco.com.

;; ADDITIONAL SECTION:
ns1.cisco.com.  2668  IN A  128.107.241.185
ns2.cisco.com.  2831  IN A  64.102.255.44

;; Query time: 1 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 14:08:01 2010
;; MSG SIZE  rcvd: 95

dnsserver%

There are two authoritative name servers for cisco.com.

===
dnsserver% dig ftp.cisco.com @ns1.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN A  198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.  86400  IN NS  rtp5-ddir-ns.cisco.com.
ftp.cisco.com.  86400  IN NS  sjce-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com.  86400  IN A  64.102.255.39
sjce-ddir-ns.cisco.com.  86400  IN A  128.107.240.86

;; Query time: 60 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Tue May 18 14:08:21 2010
;; MSG SIZE  rcvd: 133

dnsserver%

This response (from one of the two name servers) has problems.

1) There is an answer, but without the aa (authoritative answer) flag, the response appears to be coming from the cache.

2) The authority section lists the two nameservers that are authoritative for the zone ftp.cisco.com.

3) I am not a DNS expert, but with ra (recursion available) and rd (recursion desired) both set, I would expect my query to recurse to a name server that will return an authoritative answer. Or, since I sent the request to a specific name server, that server would return no answers but a referral to the authoritative name servers.

===
dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN A  198.133.219.241

;; Query time: 288 msec
;; SERVER: 64.102.255.39#53(64.102.255.39)
;; WHEN: Tue May 18 14:08:46 2010
;; MSG SIZE  rcvd: 47

dnsserver%
dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN A  198.133.219.241

;; Query time: 219 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Tue May 18 14:09:12 2010
;; MSG SIZE  rcvd: 47

dnsserver%

Here I queried both supposedly authoritative name servers, and from each I get a non-authoritative answer. When I did the same query yesterday afternoon, neither of these two name servers was accessible. I assume that with BIND 9.7.0-P1, if the response is not authoritative, then BIND will not trust the answer.

===
Re: Another Question about SERVFAIL
Cool, it looks like Cisco's Distributed Directors for ftp.cisco.com are misconfigured as open recursors:

% dig www.sun.com @sjce-ddir-ns.cisco.com

; <<>> DiG 9.3.0 <<>> www.sun.com @sjce-ddir-ns.cisco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sun.com.   IN A

;; ANSWER SECTION:
www.sun.com.  300  IN A  137.254.16.57

;; Query time: 98 msec
;; SERVER: 128.107.240.86#53(sjce-ddir-ns.cisco.com)
;; WHEN: Tue May 25 18:03:49 2010
;; MSG SIZE  rcvd: 45

%

Way to go, Cisco... (Sorry if I sound sarcastic, we've been working with Cisco on some deficiencies in the DNS implementation on their GSS products, and I'm getting tired of their internal bureaucracy).

- Kevin

On 5/25/2010 4:24 PM, b19...@anl.gov wrote:
Re: Another Question about SERVFAIL
In message 20100525202455.06f0b40...@britaine.cis.anl.gov, b19...@anl.gov writes:

If you make a non-recursive query you will get the referral.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @ns1.cisco.com +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; AUTHORITY SECTION:
ftp.cisco.com.  86400  IN NS  sjce-ddir-ns.cisco.com.
ftp.cisco.com.  86400  IN NS  rtp5-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com.  86400  IN A  64.102.255.39
sjce-ddir-ns.cisco.com.  86400  IN A  128.107.240.86

;; Query time: 347 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Wed May 26 08:30:20 2010
;; MSG SIZE  rcvd: 117

The actual cause of the SERVFAIL is further down, where the load balancer does not set AA on the response. Note it also sets RD despite RD not being set on the query.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45540
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN A  198.133.219.241

;; Query time: 181 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Wed May 26 08:31:39 2010
;; MSG SIZE  rcvd: 47

Also queries end up in self referrals.

; <<>> DiG 9.3.6-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46026
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com.   IN

;; AUTHORITY SECTION:
ftp.cisco.com.  86400  IN NS  sjce-ddir-ns.cisco.com.
ftp.cisco.com.  86400  IN NS  rtp5-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com.  86400  IN
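To make the two defects Mark points at (an answer returned without AA, and a referral back to the very server just asked) visible in code, here is an added example that is not from the thread or from BIND: it decodes the DNS header flags word and classifies a reply the way an iterating resolver has to. The sample replies are constructed from the flag lines and NS names quoted above; the verdict strings are my own.

```python
"""Added example, not code from the thread or from BIND: decode the DNS
header flags word and classify a reply the way an iterating resolver must.
Sample replies are constructed from the dig output quoted in the thread."""
import struct

# Bit positions inside the 16-bit flags word (RFC 1035 section 4.1.1).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}


def parse_flags(word):
    """Split a flags word into named bits plus opcode and rcode."""
    out = {name: bool((word >> bit) & 1) for name, bit in FLAG_BITS.items()}
    out["opcode"] = (word >> 11) & 0xF
    out["rcode"] = word & 0xF
    return out


def flags_from_dig(flag_names):
    """Rebuild the flags word from dig's 'flags: qr rd ra' list
    (opcode QUERY and rcode NOERROR assumed)."""
    word = 0
    for name in flag_names.split():
        word |= 1 << FLAG_BITS[name]
    return word


def flags_from_wire(packet):
    """Flags word from a raw DNS message: bytes 2-3 of the 12-byte header."""
    return struct.unpack("!H", packet[2:4])[0]


def classify(flags_word, query_rd, answers, authority_ns, server):
    """Judge a reply from `server`, which the parent delegation named as
    authoritative.  `query_rd` is whether our own query had RD set."""
    f = parse_flags(flags_word)
    note = ""
    if f["rd"] and not query_rd:
        note = " (RD echoed although the query did not set it)"
    if answers:
        if f["aa"]:
            return "authoritative answer" + note
        # No AA from a server that is supposed to be authoritative: the
        # resolver does not trust it, tries the other NS, then SERVFAILs.
        return "non-authoritative answer, not trusted" + note
    if authority_ns:
        if server in authority_ns:
            return "self-referral, loop" + note   # no progress possible
        return "referral to " + ", ".join(sorted(authority_ns)) + note
    return "empty reply" + note


if __name__ == "__main__":
    ddir = ["sjce-ddir-ns.cisco.com.", "rtp5-ddir-ns.cisco.com."]
    # ns1.cisco.com +norec: 'flags: qr ra', no answer, two NS in authority
    print(classify(flags_from_dig("qr ra"), False, [], ddir, "ns1.cisco.com."))
    # sjce-ddir-ns +norec: 'flags: qr rd ra', one answer, no AA
    print(classify(flags_from_dig("qr rd ra"), False, ["198.133.219.241"], [],
                   "sjce-ddir-ns.cisco.com."))
    # the same server handing back the delegation it belongs to
    print(classify(flags_from_dig("qr ra"), False, [], ddir,
                   "sjce-ddir-ns.cisco.com."))
    # constructed 12-byte header with qr, aa and ra set (0x8480)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8480, 1, 1, 0, 0)
    print(parse_flags(flags_from_wire(hdr))["aa"])
```

Run against the three replies in Mark's message it yields a referral, a non-authoritative answer, and a self-referral; only a reply with AA set would let the resolver accept the data and stop.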
Re: Another Question about SERVFAIL
I tried these myself, and I am still scratching my head on the results.

First, I tried to look for just ftp.cisco.com's A record, and I got back the answer 198.133.219.241.

$ dig @4.2.2.2 ftp.cisco.com. a

; <<>> DiG 9.4.3-P3 <<>> @4.2.2.2 ftp.cisco.com. a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60411
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ftp.cisco.com.   IN A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN A  198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.  85449  IN NS  rtp5-ddir-ns.cisco.com.
ftp.cisco.com.  85449  IN NS  sjce-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
sjce-ddir-ns.cisco.com.  85501  IN A  128.107.240.86

;; Query time: 184 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 25 15:48:43 2010
;; MSG SIZE  rcvd: 117

... BUT, if I tried to look for any record, I get a very different answer:

$ dig @4.2.2.2 ftp.cisco.com. any

; <<>> DiG 9.4.3-P3 <<>> @4.2.2.2 ftp.cisco.com. any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53036
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Messages has 2 extra bytes at end

;; QUESTION SECTION:
;ftp.cisco.com.   IN ANY

;; ANSWER SECTION:
ftp.cisco.com.  50  IN A  169.254.1.1

;; Query time: 640 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 25 15:45:58 2010
;; MSG SIZE  rcvd: 49

Any thoughts on why? I do notice the warning message that the message has 2 extra bytes at the end; perhaps it's a malformed response for the 'any' RR query?
synchronization between master and slave not working
Hi, all

I tried to add one A record on the master, but the slave did not get the new record. My slave setting is:

zone "mydomain.com.cn" IN {
        type slave;
        file "mydomain.com.cn.zone";
        masters { 10.69.3.1; };
};

10.69.3.1 is my master IP. The bind version is bind-9.3.6-4.P1.el5_4.2.

I guess I may lack some settings. Can anyone give me some advice?

Many thanks
hywl51
Re: synchronization between master and slave not working
Yunfeng Xu wrote:

What is shown in the server's logs?
Re: synchronization between master and slave not working
On May 25, 2010, at 9:57 PM, Yunfeng Xu wrote:

Has this worked in the past?

Did you remember to increment the serial number on the master?

Does the master allow transfers from the slave? Does:

dig axfr mydomain.com.cn @10.69.3.1

work?

W
Opinions about zone configuration
We have some people at my site who would like a zone configured on our internal DNS server named .apple.com. The zone information would not be replicated to our external server, but I suggested this is not a good idea, basically because of the domain name apple.com: if for some reason this zone information did replicate to our external server it would create some problems. The reason for using this zone is they want to be able to update Macs, but when they are connected to our site they would use .apple.com and when they are not connected they would use apple.com. If anyone else has an opinion about this I would like to hear it.

Thanks in advance.

Gary

Gary Gladney
Network Mgr
Space Telescope Science Institute
Email: glad...@stsci.edu
Voice: 410.338.4912
Public Key: ldap://certserver.pgp.com
Re: Opinions about zone configuration
From: Gary Gladney glad...@stsci.edu
Date: Tue, 25 May 2010 22:30:15 -0400 (EDT)
Sender: bind-users-bounces+oberman=es@lists.isc.org

First, it should not ever be seen externally unless you do something really dumb. But I have done things that were really dumb and you probably have, too.

So, it gets on the external server. Who, outside of your organization, would be sending a query for some domain inside of apple.com to your server? Let alone a single domain like ? Seems like a pretty long shot.

So, make a dumb mistake and have some system somewhere manage to have your server listed as a forwarder. Yes, I suppose something could actually cause a problem, but I think I'll put the concern just under getting struck by a meteorite on the way to work tomorrow.

Now, Mark can explain what I overlooked and why this really IS a bad idea. Or, maybe I got it right.

-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751