Good day,
I've been having an interesting issue with BIND and wondering if anyone has had
this before or knows how to fix it.
The issue is,
I have 2 recursive/caching DNS servers running BIND 9.9.4-RedHat-9.9.4-51.el7,
which are slow to query for this particular domain.
Noaa.gov (as well as its
On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> writes:
> > 2: Can the Replacement field be empty? It looks from the text and
> > examples as if it should always contain a complete domain name BUT
> > that if the Regexp
In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer writes:
> I've been reading RFC2915 and have a couple of questions about NAPTR
> records. I'm trying to do *basic* validation of data from a database
> being processed into the DNS.
>
> 1: Can the Flags field be empty? It seems to me
Hi Ricky,
Sounds like if things are timing out at the noaa.gov nameservers, then
that's where you need to start looking. Try each nameserver that the
.gov nameservers give for noaa.gov and see if all of them are
unreachable, if just one's unreachable, if they're traceroute-able,
etc. A lot of
Thank you for your reply,
When I notice too many failed queries from this domain name (www.nhc.noaa.gov)
restarting the service or clearing the cache (rndc reload), seems to allow
queries to work. But still latent (in the 3500ms range)
This is what I get from a DIG +trace... the connection
Thanks Warren,
I can query all the noaa.gov name servers without issues, and the replies are
fast (sub 100ms)
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: September 18, 2017 12:06 PM
To: Levesque, Ricky (SNB)
Cc: John Miller
The noaa.gov name servers also have ipv6 addresses but I don't get a
reply from that address.
You may want to trace whether your name server is using that address
when you see the problem.
On 18/09/2017 17:17, Levesque, Ricky (SNB) wrote:
> Thanks Warren,
> I can query all the noaa.gov name
Mark Elkins wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full
Hi Ricky,
Try running a "dig +trace www.nhc.noaa.gov," then query each record in
the chain and see which one's slow to respond. I don't see anything
crazy in your named.conf. Something you didn't mention: does clearing
cache make a difference?
John
--
John Miller
Systems Engineer
Brandeis
On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB)
wrote:
> Thank you for your reply,
> When I notice too many failed queries from this domain name
> (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc
> reload), seems to allow queries to work. But
I actually expect that your problem is your firewall in that it is
dropping fragmented UDP responses. The UDP responses for
www.nhc.noaa.gov are large. They do not fit in a single ethernet
frame.
Compare the following two queries.
dig www.nhc.noaa.gov +dnssec +norec @140.90.33.237
In message
, John
Miller writes:
> Hi Ricky,
>
> Try running a "dig +trace www.nhc.noaa.gov," then query each record in
> the chain and see which one's slow to respond. I don't see anything
> crazy in your named.conf.
In message <1505796688.2518.99.ca...@biplane.com.au>, Karl Auer writes:
> On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> > In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > And is it true that "if the Regexp field is not empty, the
> > > Replacement field
On Tue, 2017-09-19 at 13:56 +1000, Mark Andrews wrote:
> In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer
> writes:
> > And is it true that "if the Regexp field is not empty, the
> > Replacement field will not be used"?
> With the current flags no but who knows what will happen in
In message <1505734269.2518.70.ca...@biplane.com.au>, Karl Auer writes:
> On Mon, 2017-09-18 at 19:45 +1000, Mark Andrews wrote:
> > In message <1505723565.2518.54.ca...@biplane.com.au>, Karl Auer
> > writes:
> > > 2: Can the Replacement field be empty? It looks from the text and
> > > examples
I've been reading RFC2915 and have a couple of questions about NAPTR
records. I'm trying to do *basic* validation of data from a database
being processed into the DNS.
1: Can the Flags field be empty? It seems to me that it can be under
some circumstances.
2: Can the Replacement field be empty?
In message <36f8dd297fd5504aa37968ada5ba93eb01178c2...@gnbexmb8pb.gnb.ca>,
"Levesque, Ricky (SNB)" writes:
> Thanks Warren,
> I can query all the noaa.gov name servers without issues, and the replies
> are fast (sub 100ms)
Remember nameservers ask questions with different options set to
DiG's
Hi all,
We used bind to do the DNSSEC, DYNAMIC ZONES, AND AUTOMATIC SIGNING.
But last week we found that there is just one 'RRSIGNSEC3' record that is
illegal (no correct RSASHA256 signature) signed by bind.
dnssec-verify -o XXX -E pkcs11 XXX.txt.signed
Loading zone