Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 16:10 +, Tony Finch wrote: > > You should make sure it is enabled, because there are vital clues in > those > log lines :-) But they will only occur if there is some lameness with the ns[1-4].google.com records and that will already be reported with lame:n in the

Re: 9.11 can't validate sss.gov

2018-01-22 Thread Grant Taylor via bind-users
On 01/22/2018 09:21 AM, Warren Kumari wrote: http://www.sss.gov works OK, but http://sss.gov always seems to return "The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later.". Inconsistency between related things is annoying. I guess

Re: 9.11 can't validate sss.gov

2018-01-22 Thread Warren Kumari
Unrelated to the DNS bit, but still silly / annoying: http://www.sss.gov works OK, but http://sss.gov always seems to return "The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later.". There is a fair bit of disagreement over if a bare

Re: one domain not resolving via response-policy zone

2018-01-22 Thread lists
Hey Kai, > If I do a nslookup for one of the otto.de domains I receive "** server > can't find somehost.ov.otto.de: SERVFAIL" The guideline behind the response-policy is that only an actual response gets rewritten. This is usually an answer from a recursive lookup. If you don't get an answer,

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Tony Finch
Brian J. Murrell wrote: > > Yeah. Must be disabled by default on EL7 I would guess, just because > it's so noisy. You should make sure it is enabled, because there are vital clues in those log lines :-) Other categories you should check are `edns-disabled` (which I

Re: 9.11 can't validate sss.gov

2018-01-22 Thread Timothy A. Holtzen
I've informed the selective service (sss.gov) of the issue.  They have supposedly passed it on to their "web support group".  We will see if anything happens but I'm not holding my breath.  At least a government agency should have more influence to get qwest to fix their servers than I do.

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote: > > The thing to look out for is the minutes before the outage starts - > see > what kind of failures you get. So, taking this approach, looking for the first occurrence of just any one of the names ns[1-4].google.com prior to the A/

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:45 +, Tony Finch wrote: > > They'll have a log category of edns-disabled. But if the problem were EDNS, would it be so intermittent and always fixable by rndc reload? > But, looking through the > code, if this is leading to lameness you will also get lame-servers >

one domain not resolving via response-policy zone

2018-01-22 Thread Kai Wiechers
Hi List, I set up a response-policy zone to override some Records from external DNS-Servers I can't control. My db.rpz Zonefile: $TTL 4H @   IN  SOA localhost. kai.mydomain.com. (     2018012212  ; serial     5M  ;

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Tony Finch
Brian J. Murrell wrote: > > What do EDNS problem messages look like? Just something to grep for I > mean. They'll have a log category of edns-disabled. But, looking through the code, if this is leading to lameness you will also get lame-servers log messages. > > or

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Brian J. Murrell
On Mon, 2018-01-22 at 12:04 +, Tony Finch wrote: > > That indicates that it has already marked the servers as lame, so the > packet trace isn't going to tell you what caused the lameness. OK. > The thing to look out for is the minutes before the outage starts - > see > what kind of failures

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-22 Thread Tony Finch
Brian J. Murrell wrote: > > that demonstrates how BIND is getting .com referrals from the root > servers when doing a query for www.google.com and then doing nothing > with those referrals before returning a SERVFAIL. That indicates that it has already marked the servers