Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
I am at a loss. When doing digs using our name servers for 'ANY' records of a domain we are getting TTLs of five seconds. The TTLs will be correct if we query for the records individually just not when using 'ANY'. Ideas?
dig google.com any
; DiG 9.8.3-P1 google.com any
;; global options:

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Matus UHLAR - fantomas
On 10.09.13 08:15, Nicholas F Miller wrote:
> I am at a loss. When doing digs using our name servers for 'ANY' records of a domain we are getting TTLs of five seconds. The TTLs will be correct if we query for the records individually just not when using 'ANY'. Ideas?
BIND simply provides you

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Steven Carr
On 10 September 2013 16:58, Nicholas F Miller nicholas.mil...@colorado.edu wrote:
> The only thing between us and the world are Junos FWs. The behavior happens if you dig a hosted zone on the master DNS server as well.
Is there any configuration on the DNS server which is reducing the TTL

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
There aren't any options set to reduce the TTLs. When you dig using a public DNS server the replies are correct. It is only when using our DNS servers.
Nicholas Miller, OIT, University of Colorado at Boulder
On Sep 10, 2013, at 10:04

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
The only thing between us and the world are Junos FWs. The behavior happens if you dig a hosted zone on the master DNS server as well.
Nicholas Miller, OIT, University of Colorado at Boulder
On Sep 10, 2013, at 9:43 AM, Tony Finch

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Tony Finch
Nicholas F Miller nicholas.mil...@colorado.edu wrote:
> The problem is the reply will ALWAYS be five seconds when doing an 'ANY' query. It is not a matter of the TTL counting down.
Is there a middlebox of some kind between you and the name server?
Tony.
-- 
f.anthony.n.finch d...@dotat.at

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Nicholas F Miller
The problem is the reply will ALWAYS be five seconds when doing an 'ANY' query. It is not a matter of the TTL counting down.
Nicholas Miller, OIT, University of Colorado at Boulder
On Sep 10, 2013, at 9:24 AM, Matus UHLAR - fantomas

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Adamiec, Lawrence
I don't get 5 seconds for a reply.
;; ANSWER SECTION:
google.com. 219 IN 2607:f8b0:4009:805::1006
google.com. 29 IN A 173.194.46.34
google.com. 29 IN A 173.194.46.35
google.com. 29 IN A

Re: Weird dig behavior when querying ANY

2013-09-10 Thread Phil Mayers
On 10/09/13 17:22, Nicholas F Miller wrote:
> We have a winner! I disabled RPZ on a test DNS server and the problem went away. We do not have a whitelist zone so the issue must be with RPZ zones in general (or the format of the RPZ zone file).
We see the same behaviour, and likewise don't have a