NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Good day, I've been having an interesting issue with BIND and wondering if anyone has had this before or knows how to fix it. The issue is, I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7, which are slow to query for this particular domain. Noaa.gov (as well as its

Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> > 2: Can the Replacement field be empty? It looks from the text and examples as if it should always contain a complete domain name BUT that if the Regexp

Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews
In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> I've been reading RFC2915 and have a couple of questions about NAPTR records. I'm trying to do *basic* validation of data from a database being processed into the DNS.
>
> 1: Can the Flags field be empty? It seems to me

Re: NOAA.GOV domain not working

2017-09-18 Thread John Miller
Hi Ricky, Sounds like if things are timing out at the noaa.gov nameservers, then that's where you need to start looking. Try each nameserver that the .gov nameservers give for noaa.gov and see if all of them are unreachable, if just one's unreachable, if they're traceroute-able, etc. A lot of

RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thank you for your reply,
When I notice too many failed queries from this domain name (www.nhc.noaa.gov), restarting the service or clearing the cache (rndc reload) seems to allow queries to work. But still latent (in the 3500ms range).
This is what I get from a DIG +trace... the connection

RE: NOAA.GOV domain not working

2017-09-18 Thread Levesque, Ricky (SNB)
Thanks Warren,
I can query all the noaa.gov name servers without issues, and the replies are fast (sub 100ms)
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: September 18, 2017 12:06 PM
To: Levesque, Ricky (SNB)
Cc: John Miller

Re: NOAA.GOV domain not working

2017-09-18 Thread Sten Carlsen
The noaa.gov name servers also have IPv6 addresses but I don't get a reply from that address. You may want to trace whether your name server is using that address when you see the problem.
On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name

Re: Automatic Key Management

2017-09-18 Thread Tony Finch
Mark Elkins wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone, Generate the DS record and EPP it up to the Registry. That all works fine, currently with the push of one (web) button. Will change/add this to something RESTful. Then, for full

Re: NOAA.GOV domain not working

2017-09-18 Thread John Miller
Hi Ricky,
Try running a "dig +trace www.nhc.noaa.gov", then query each record in the chain and see which one's slow to respond. I don't see anything crazy in your named.conf. Something you didn't mention: does clearing cache make a difference?
John
--
John Miller
Systems Engineer
Brandeis

Re: NOAA.GOV domain not working

2017-09-18 Thread Warren Kumari
On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB) wrote:
> Thank you for your reply,
> When I notice too many failed queries from this domain name (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc reload), seems to allow queries to work. But

Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews
I actually expect that your problem is your firewall in that it is dropping fragmented UDP responses. The UDP responses for www.nhc.noaa.gov are large. They do not fit in a single ethernet frame. Compare the following two queries.
dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237

Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews
In message , John Miller writes:
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in the chain and see which one's slow to respond. I don't see anything crazy in your named.conf.

Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews
In message <1505796688.2518.99.ca...@biplane.com.au>, Karl Auer writes:
> On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> > In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> > > And is it true that "if the Regexp field is not empty, the Replacement field

Re: Questions about NAPTR

2017-09-18 Thread Karl Auer
On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> > And is it true that "if the Regexp field is not empty, the Replacement field will not be used"?
> With the current flags no but who know what will happen in

Re: Questions about NAPTR

2017-09-18 Thread Mark Andrews
In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> > In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> > > 2: Can the Replacement field be empty? It looks from the text and examples

Questions about NAPTR

2017-09-18 Thread Karl Auer
I've been reading RFC2915 and have a couple of questions about NAPTR records. I'm trying to do *basic* validation of data from a database being processed into the DNS.
1: Can the Flags field be empty? It seems to me that it can be under some circumstances.
2: Can the Replacement field be empty?

Re: NOAA.GOV domain not working

2017-09-18 Thread Mark Andrews
In message <36f8dd297fd5504aa37968ada5ba93eb01178c2...@gnbexmb8pb.gnb.ca>, "Levesque, Ricky (SNB)" writes:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies are fast (sub 100ms)
Remember nameservers ask questions with different options set to DiG's

About use bind to do DNSSEC with no correct RSASHA256 signature

2017-09-18 Thread yaohongyuan
Hi all,
We used bind to do the DNSSEC, DYNAMIC ZONES, AND AUTOMATIC SIGNING. But last week we found that there is just one 'RRSIGNSEC3' record that is illegal (no correct RSASHA256 signature) signed by bind.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone