Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On 12/30/10 3:04 PM, Lightner, Jeff wrote:

> If qmail is open source then YOU can patch it to your heart's content and might even want to fork the project so you're maintaining it for others.
>
> Expecting BIND to hold itself back or patch itself for 1998 standards is a bit like expecting people that maintain websites to keep support for Mosaic. It's hard enough to get them to do it for Firefox, Chrome, Opera et al let alone going back to things ancient browsers did.

I think Lazy was suggesting that we need another *qmail* patch, not a BIND patch. Note that qmail previously wouldn't accept any DNS response over 512 bytes, even if it was received via TCP. That is clearly broken behavior that has since been patched. However, there are still a bunch of unpatched qmail systems out there. I have found it much easier to tell qmail admins who can't resolve 'ANY berkeley.edu' to go get the latest patchset rather than engage them in the usual religious war.

I *do* generally agree with your and Tony's points, but regardless of whether you think it's valid for qmail to be doing ANY queries to canonicalize email domains, the ANY query is a legitimate DNS query and it should be supported by authoritative servers. Moreover, TCP is REQUIRED by the DNS specs and it is NOT okay to block it. It's not okay to say "I don't really think that anyone should be querying for ANY microsoft.com, so I will allow such queries to break in an ungraceful way."

We should be all the more concerned that a query of "TXT microsoft.com" yields a 494-byte answer, just 18 bytes away from being broken in the same manner. Legitimate non-qmail MTAs do need to do TXT queries for SPF and other records.

At any rate, it may make sense to move this discussion over to dns-operations@, since we seem to be in agreement that this isn't a BIND problem.

michael

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On Thu, 2010-12-30 at 22:42 +0100, Lazy wrote:
> 2010/12/30 Tony Finch:
> > On 30 Dec 2010, at 19:56, Lazy wrote:
> >>
> >> qmail uses ANY so m$ is not getting any mail from us
> >
> > This is several bugs in qmail. It is making the query in order to
> > canonicalize the domain in outgoing email, which it does not need to do
> > according to the current SMTP specs. It should be making an MX query (not
> > CNAME as it originally did and not ANY as it has done since about 1998) in
> > order to find out if the domain needs to be canonicalized. It also has an
> > undersized DNS packet buffer and cannot cope with truncated replies, so
> > even if ANY queries for microsoft.com worked, qmail could not handle the
> > reply.
> >
> > Qmail is buggy and unmaintained and has been abandoned by its author. Best
> > avoided.
>
> easy for you to say ;)
>
> there are still many more or less happy qmail users, maybe we need
> just another patch ;)
>

I'm sure there's plenty of winblundaz 9(5|8) users out there who want some 'moderness' as well. Bind works as required, qmail does not, never did, and never will.

> Regards
>
> Lazy

no, I won't say it, I won't, no matter how much I want to!
RE: bind 9.7.2-P3 does not resolve www.microsoft.com
If qmail is open source then YOU can patch it to your heart's content and might even want to fork the project so you're maintaining it for others.

Expecting BIND to hold itself back or patch itself for 1998 standards is a bit like expecting people that maintain websites to keep support for Mosaic. It's hard enough to get them to do it for Firefox, Chrome, Opera et al let alone going back to things ancient browsers did.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Lazy
Sent: Thursday, December 30, 2010 4:42 PM
To: bind-users@lists.isc.org
Subject: Re: bind 9.7.2-P3 does not resolve www.microsoft.com

2010/12/30 Tony Finch:
> On 30 Dec 2010, at 19:56, Lazy wrote:
>>
>> qmail uses ANY so m$ is not getting any mail from us
>
> This is several bugs in qmail. It is making the query in order to canonicalize the domain in outgoing email, which it does not need to do according to the current SMTP specs. It should be making an MX query (not CNAME as it originally did and not ANY as it has done since about 1998) in order to find out if the domain needs to be canonicalized. It also has an undersized DNS packet buffer and cannot cope with truncated replies, so even if ANY queries for microsoft.com worked, qmail could not handle the reply.
>
> Qmail is buggy and unmaintained and has been abandoned by its author. Best avoided.

easy for you to say ;)

there are still many more or less happy qmail users, maybe we need just another patch ;)

Regards

Lazy
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
2010/12/30 Tony Finch:
> On 30 Dec 2010, at 19:56, Lazy wrote:
>>
>> qmail uses ANY so m$ is not getting any mail from us
>
> This is several bugs in qmail. It is making the query in order to
> canonicalize the domain in outgoing email, which it does not need to do
> according to the current SMTP specs. It should be making an MX query (not
> CNAME as it originally did and not ANY as it has done since about 1998) in
> order to find out if the domain needs to be canonicalized. It also has an
> undersized DNS packet buffer and cannot cope with truncated replies, so even
> if ANY queries for microsoft.com worked, qmail could not handle the reply.
>
> Qmail is buggy and unmaintained and has been abandoned by its author. Best
> avoided.

easy for you to say ;)

there are still many more or less happy qmail users, maybe we need just another patch ;)

Regards

Lazy
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On 30 Dec 2010, at 19:56, Lazy wrote:
>
> qmail uses ANY so m$ is not getting any mail from us

This is several bugs in qmail. It is making the query in order to canonicalize the domain in outgoing email, which it does not need to do according to the current SMTP specs. It should be making an MX query (not CNAME as it originally did and not ANY as it has done since about 1998) in order to find out if the domain needs to be canonicalized. It also has an undersized DNS packet buffer and cannot cope with truncated replies, so even if ANY queries for microsoft.com worked, qmail could not handle the reply.

Qmail is buggy and unmaintained and has been abandoned by its author. Best avoided.

Tony.
-- 
f.anthony.n.finch http://dotat.at/
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
2010/12/30 :
> Quoting Lazy:
>
>> 2010/12/30 Lazy:
>>>
>>> 2010/12/28 Dennis Clarke:
>> trying to resolve www.microsoft.com or microsoft.com results in a
>> "connection timed out; no servers could be reached"
>
> Well, for what it's worth - it's not just you having that issue. When
> testing from home and from work I get the same.
> works fine for me on linux and Solaris.
>>
>>> bind and powerdns-recursor seems to reply with all records for
>>> microsoft.com they have, so if You earlier request for A and TXT you
>>
>> it looks like it's only powerdns, now I can't reproduce it using bind
>>
>> could someone who has "working" resolver try to restart, and do some
>> ANY queries without cache ?
>
> With cache reset
> Unbound 1.4.7 --> Timeout
> Bind 9.7.2-P3 --> Timeout
>
> After doing some other queries for microsoft.com Bind does in fact deliver
> what it has, Unbound does not. Beside the fact that MS will get in trouble
> if their first often used RRset will get bigger than 512Byte, why do you
> need ANY queries at all?
>

qmail uses ANY so m$ is not getting any mail from us, for now I used zone "microsoft.com" and forward it to some dns that "works"

Regards

Lazy
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On Thursday 30 December 2010 at 20:29 +0100, lst_ho...@kwsoft.de wrote:
> Quoting Lazy:
>
> > 2010/12/30 Lazy:
> >> 2010/12/28 Dennis Clarke:
> >>>
> > trying to resolve www.microsoft.com or microsoft.com results in a
> > "connection timed out; no servers could be reached"
>
> Well, for what it's worth - it's not just you having that issue. When
> testing from home and from work I get the same.
>
> >>>
> >>> works fine for me on linux and Solaris.
> >
> >> bind and powerdns-recursor seems to reply with all records for
> >> microsoft.com they have, so if You earlier request for A and TXT you
> >
> > it looks like it's only powerdns, now I can't reproduce it using bind
> >
> > could someone who has "working" resolver try to restart, and do some
> > ANY queries without cache ?
>
> With cache reset
> Unbound 1.4.7 --> Timeout
> Bind 9.7.2-P3 --> Timeout
>
> After doing some other queries for microsoft.com Bind does in fact
> deliver what it has, Unbound does not. Beside the fact that MS will
> get in trouble if their first often used RRset will get bigger than
> 512Byte, why do you need ANY queries at all?
>
> Regards
>
> Andreas

hello sysadmins of bind. I just launched a test on the form of zonecheck afnic. Form air buggy it does not go to the end and is stuck on a problem of SOA 64.4.59.173

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
Quoting Lazy:

> 2010/12/30 Lazy:
>> 2010/12/28 Dennis Clarke:
>>>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>>>> "connection timed out; no servers could be reached"
>>>>
>>>> Well, for what it's worth - it's not just you having that issue. When
>>>> testing from home and from work I get the same.
>>>
>>> works fine for me on linux and Solaris.
>>
>> bind and powerdns-recursor seems to reply with all records for
>> microsoft.com they have, so if You earlier request for A and TXT you
>
> it looks like it's only powerdns, now I can't reproduce it using bind
>
> could someone who has "working" resolver try to restart, and do some
> ANY queries without cache ?

With cache reset
Unbound 1.4.7 --> Timeout
Bind 9.7.2-P3 --> Timeout

After doing some other queries for microsoft.com Bind does in fact deliver what it has, Unbound does not. Beside the fact that MS will get in trouble if their first often used RRset will get bigger than 512Byte, why do you need ANY queries at all?

Regards

Andreas
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
2010/12/30 Lazy:
> 2010/12/28 Dennis Clarke:
>> trying to resolve www.microsoft.com or microsoft.com results in a "connection timed out; no servers could be reached"
>>>
>>> Well, for what it's worth - it's not just you having that issue. When
>>> testing from home and from work I get the same.
>>>
>>
>> works fine for me on linux and Solaris.

> bind and powerdns-recursor seems to reply with all records for
> microsoft.com they have, so if You earlier request for A and TXT you

it looks like it's only powerdns, now I can't reproduce it using bind

could someone who has "working" resolver try to restart, and do some ANY queries without cache ?

-- 
Lazy
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
2010/12/28 Dennis Clarke:
>
>>> trying to resolve www.microsoft.com or microsoft.com results in a
>>> "connection timed out; no servers could be reached"
>>
>> Well, for what it's worth - it's not just you having that issue. When
>> testing from home and from work I get the same.
>>
>
> works fine for me on linux and Solaris.

how does dig ANY microsoft.com looks on your site ?

when I query ie google's public dns resolver I get

$ dig ANY microsoft.com @8.8.8.8

; <<>> DiG 9.6-ESV-R3 <<>> ANY microsoft.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52638
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com. IN ANY

;; ANSWER SECTION:
microsoft.com. 3185 IN A 207.46.197.32
microsoft.com. 3185 IN A 207.46.232.182
microsoft.com. 85985 IN NS ns4.msft.net.
microsoft.com. 85985 IN NS ns5.msft.net.
microsoft.com. 85985 IN NS ns1.msft.net.
microsoft.com. 85985 IN NS ns2.msft.net.
microsoft.com. 85985 IN NS ns3.msft.net.
microsoft.com. 3185 IN SOA ns1.msft.net. msnhst.microsoft.com. 2010122201 300 600 2419200 3600
microsoft.com. 3185 IN MX 10 mail.messaging.microsoft.com.
microsoft.com. 3185 IN TXT "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 30 17:07:20 2010
;; MSG SIZE rcvd: 336

this is missing second TXT spf record

bind and powerdns-recursor seems to reply with all records for microsoft.com they have, so if You earlier request for A and TXT you get A and TXT from your local resolver despite that m$ servers sent truncated answers for ANY queries that got ignored by bind, and didn't provide TCP so I guess all you see is Your local cache made from previous non ANY queries

Response for dig ANY microsoft.com varies significantly across dns servers, sometimes we get TXT records, sometime we don't, some don't have SOA etc.

-- 
Lazy
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On 2010-12-29 13:55 T. Wunderlich wrote:
>Thanks a lot for all your suggestions. I haven't found a solution yet, but found something
>which got my attention:
>
>Have a look at the TTL of the following CNAME entries.
>
>What happens when the lookup lasts longer than those 57 seconds? Maybe named will get
>in trouble then?

Wow, a lookup that takes more than 57 seconds? Now that's a lng query, even on a busy server. Anyway, if you happen to ask the server second time after 56 seconds, then that's more probable. I guess it should work correctly nonetheless.

>
>AND what do the RFC say about those CNAME chains? CNAME points to a CNAME?

It's not incorrect, but discouraged. See http://tools.ietf.org/html/rfc1034, last two paragraphs of section 3.6.2

Torinthiel
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
Thanks a lot for all your suggestions. I haven't found a solution yet, but found something which got my attention:

Have a look at the TTL of the following CNAME entries.

What happens when the lookup lasts longer than those 57 seconds? Maybe named will get in trouble then?

AND what do the RFC say about those CNAME chains? CNAME points to a CNAME?

As I wrote, my DNS server is quite busy and the trouble does not happen when it has no load at all (copied VM).

Thanks
Thilo

PS: I circumvented the trouble with a forward of microsoft.com to my other nameserver (bind 9.3.2 btw) which is able to resolve it without a problem.

---
dig www.microsoft.com @localhost

; <<>> DiG 9.7.2-P3 <<>> www.microsoft.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18589
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 11, ADDITIONAL: 4

;; QUESTION SECTION:
;www.microsoft.com. IN A

;; ANSWER SECTION:
www.microsoft.com. 3582 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 57 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 57 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 282 IN A 65.55.12.249

;; AUTHORITY SECTION:
akadns.net. 172782 IN NS zd.akadns.org.
akadns.net. 172782 IN NS ze.akadns.net.
akadns.net. 172782 IN NS zf.akadns.net.
akadns.net. 172782 IN NS eur1.akadns.net.
akadns.net. 172782 IN NS use3.akadns.net.
akadns.net. 172782 IN NS use4.akadns.net.
akadns.net. 172782 IN NS usw2.akadns.net.
akadns.net. 172782 IN NS asia9.akadns.net.
akadns.net. 172782 IN NS za.akadns.org.
akadns.net. 172782 IN NS zb.akadns.org.
akadns.net. 172782 IN NS zc.akadns.org.

;; ADDITIONAL SECTION:
za.akadns.org. 21582 IN A 96.6.112.198
zb.akadns.org. 21582 IN A 64.211.42.194
zc.akadns.org. 21582 IN A 124.40.52.133
zd.akadns.org. 21583 IN A 72.246.46.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 13:38:06 2010
;; MSG SIZE rcvd: 395

-- 
EUROIMMUN AG
Thilo Wunderlich
IT-Technik
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
Ok, trying to send the same email third time, maybe it will get to the right recipient and with the right subject at last. Damn webmail, damn trying to resend from thunderbird.

On 2010-12-28 09:26 Eivind Olsen wrote:
>> >> trying to resolve www.microsoft.com or microsoft.com results in a
>> >> "connection timed out; no servers could be reached"
>> >
> >
> >Well, for what it's worth - it's not just you having that issue. When
> >testing from home and from work I get the same.
> >
> >Of course, I could be doing something wrong, but whenever I see an error I
> >like to imagine it's somebody else's fault :D
> >
> >One of the nameservers for microsoft.com is ns1.msft.net with an IP
> >address of 65.55.37.62. For some reason the response I get from it is
> >truncated, and retrying using TCP doesn't work. Using EDNS0 also doesn't
> >seem to work, I get FORMERR back:
> [cut long listing of DNS tries]

Same here, I cannot reach this server with TCP or EDNS, nor get longer replies (all with dig), nor can bind resolve it locally (although it works with simple A query)

Confirmed, I can get TCP and EDNS replies from a.ns.se

Gentoo, bind version 9.7.2_p3, server located somewhere in France, in OVH network.

> >So, to recap: at the risk of showing what a fool I am by doing something
> >completely wrong here, I'm betting Microsoft has messed up their DNS - I
> >would have expected queries over TCP to work, and I would not have
> >expected EDNS to give a FORMERR (but ok, if a nameserver doesn't implement
> >EDNS, giving a FORMERR is apparently the right thing to do).
>

Not being a bind expert myself (but having read and hopefully understood the RFC's) I have to agree with it. And, having other issues with Microsoft DNS server myself (although this could be the lameness of its admins as well), I don't have a hard time believing this.

Although, if it works when VM is duplicated but has no traffic, it looks like something else to me (maybe two completely different errors, but with similar appearance)

Torinthiel
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
Michael Sinatra wrote:
> On 12/28/10 06:07, Lightner, Jeff wrote:
>> It's working fine for me from RHEL5 Linux DNS servers and from Windows
>> DNS servers.
>
> It's not clear from this thread whether 'dig any microsoft.com
> @ns[12345].msft.net' works for anyone. I cannot get it to work from
> any of the msft.net servers on clients on the east and west coasts of
> the US, with different paths. If anyone can get this to work, *from*
> one of the msft.net servers, that's worth noting.
>
> I can effectively prime a cache by querying for microsoft.com NS, SOA,
> TXT, A, etc., and then querying my cache for ANY. The 'ANY' response I
> get back from cache is 639 bytes. A TXT query alone returns a response
> of 494 bytes, including authority.
>
> This looks broken on Microsoft's part.
>
> michael
>

From the Chicago area, I get 'Truncated, retrying in TCP mode' and then a connection timeout when doing:

dig any microsoft.com @ns[12345].msft.net

This however works:

dig any www.microsoft.com @ns[12345].msft.net

But it returns a cname entry to toggle.www.ms.adadns.net

A traceroute shows our traffic hitting Level3's backbone in Chicago.

Lyle Giese
LCR Computer Services, Inc.
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On 12/28/10 06:07, Lightner, Jeff wrote:

> It's working fine for me from RHEL5 Linux DNS servers and from Windows DNS servers.

It's not clear from this thread whether 'dig any microsoft.com @ns[12345].msft.net' works for anyone. I cannot get it to work from any of the msft.net servers on clients on the east and west coasts of the US, with different paths. If anyone can get this to work, *from* one of the msft.net servers, that's worth noting.

I can effectively prime a cache by querying for microsoft.com NS, SOA, TXT, A, etc., and then querying my cache for ANY. The 'ANY' response I get back from cache is 639 bytes. A TXT query alone returns a response of 494 bytes, including authority.

This looks broken on Microsoft's part.

michael
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
On 12/28/10 00:26, Eivind Olsen wrote:

> So, to recap: at the risk of showing what a fool I am by doing something completely wrong here, I'm betting Microsoft has messed up their DNS - I would have expected queries over TCP to work, and I would not have expected EDNS to give a FORMERR (but ok, if a nameserver doesn't implement EDNS, giving a FORMERR is apparently the right thing to do).

Yes, see section 5.3 of RFC 2671, which defines EDNS. FORMERR is one of the expected responses for a server that doesn't support EDNS.

'dig any microsoft.com' likely results in an answer that exceeds 512 bytes. In such a situation, if either the server or the client do not support EDNS0, they must fall back to TCP. Microsoft either has (incorrectly) not implemented TCP on their nameservers, or is (incorrectly) blocking it at some intermediate firewall. Name servers are NOT allowed to NOT implement TCP.

This is a good counter-example to those folks who periodically post to this list asking why they shouldn't be blocking TCP/53 at some firewall in front of their nameserver. As we can see, TCP can be necessary to properly resolve domain names.

In other words, you are correct (and you do not appear to be doing something wrong): Microsoft has messed up their DNS. Moreover, the problem is not limited to resolvers running BIND. I can replicate the issue on a server running unbound 1.4.6. 'dig any microsoft.com' will easily replicate the error.

The question remains as to why simply trying to resolve microsoft.com (i.e. the A record) caused truncation and fallback to TCP. In all cases I have tried, this record resolves.

For the original poster, it's a good idea to double-check that YOUR server is capable of receiving answers longer than 512 bytes. Later versions of BIND will set the DO bit on queries and this will result in longer answers (e.g. in order to resolve the ns[12345].msft.net servers so that they can be queried). 'dig any berkeley.edu' is one way to test this out...:)

michael
RE: bind 9.7.2-P3 does not resolve www.microsoft.com
It's working fine for me from RHEL5 Linux DNS servers and from Windows DNS servers.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Eivind Olsen
Sent: Tuesday, December 28, 2010 4:16 AM
To: bind-users@lists.isc.org
Subject: Re: bind 9.7.2-P3 does not resolve www.microsoft.com

> works fine for me on linux and Solaris.

In my case it's using FreeBSD and Solaris. The problem might be related to where you do queries from?

Anyway, I tried some other nameservers / "looking glass" sites, like these - I can't vouch for how good they normally are, but these were ones I found when searching for "dns looking glass":

http://looking-glass.taide.net/
I can look up other domains fine, but when looking up "microsoft.com" it comes back with: connection timed out; no servers could be reached

http://ipdnstools.com/
It times out when I do a "Get DNS Records" query for "microsoft.com"

When testing for yourself, please keep in mind that limited queries seem to work fine (like, asking for A records, or MX), but doing any-queries which give everything seems to fail.

Regards
Eivind Olsen
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
> works fine for me on linux and Solaris.

In my case it's using FreeBSD and Solaris. The problem might be related to where you do queries from?

Anyway, I tried some other nameservers / "looking glass" sites, like these - I can't vouch for how good they normally are, but these were ones I found when searching for "dns looking glass":

http://looking-glass.taide.net/
I can look up other domains fine, but when looking up "microsoft.com" it comes back with: connection timed out; no servers could be reached

http://ipdnstools.com/
It times out when I do a "Get DNS Records" query for "microsoft.com"

When testing for yourself, please keep in mind that limited queries seem to work fine (like, asking for A records, or MX), but doing any-queries which give everything seems to fail.

Regards
Eivind Olsen
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
>> trying to resolve www.microsoft.com or microsoft.com results in a
>> "connection timed out; no servers could be reached"
>
> Well, for what it's worth - it's not just you having that issue. When
> testing from home and from work I get the same.
>

works fine for me on linux and Solaris.

-- 
Dennis Clarke
dcla...@opensolaris.ca <- Email related to the open source Solaris
dcla...@blastwave.org <- Email related to open source for Solaris
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
> trying to resolve www.microsoft.com or microsoft.com results in a
> "connection timed out; no servers could be reached"

Well, for what it's worth - it's not just you having that issue. When testing from home and from work I get the same.

Of course, I could be doing something wrong, but whenever I see an error I like to imagine it's somebody else's fault :D

One of the nameservers for microsoft.com is ns1.msft.net with an IP address of 65.55.37.62. For some reason the response I get from it is truncated, and retrying using TCP doesn't work. Using EDNS0 also doesn't seem to work, I get FORMERR back:

[eiv...@vimes ~]$ /usr/local/bin/dig any microsoft.com @65.55.37.62
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.2-P2 <<>> any microsoft.com @65.55.37.62
;; global options: +cmd
;; connection timed out; no servers could be reached
[eiv...@vimes ~]$ /usr/local/bin/dig +edns=0 any microsoft.com @65.55.37.62

; <<>> DiG 9.7.2-P2 <<>> +edns=0 any microsoft.com @65.55.37.62
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 6660
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com. IN ANY

;; Query time: 205 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Tue Dec 28 09:10:55 2010
;; MSG SIZE rcvd: 42

[eiv...@vimes ~]$

Doing queries that give shorter answers work fine - look at these, notice the big (but still small enough) TXT reply, and then see how it fails on a query for "any":

[eiv...@vimes ~]$ /usr/local/bin/dig +short any www.microsoft.com @65.55.37.62
toggle.www.ms.akadns.net.
[eiv...@vimes ~]$ /usr/local/bin/dig +short mx www.microsoft.com @65.55.37.62
toggle.www.ms.akadns.net.
[eiv...@vimes ~]$ /usr/local/bin/dig +short mx microsoft.com @65.55.37.62
10 mail.messaging.microsoft.com.
[eiv...@vimes ~]$ /usr/local/bin/dig +short txt microsoft.com @65.55.37.62
"v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ip4:131.107.115.212 ip4:131.107.115.215 ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 ~all"
"FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="
[eiv...@vimes ~]$ /usr/local/bin/dig +short any microsoft.com @65.55.37.62
;; Truncated, retrying in TCP mode.
;; connection timed out; no servers could be reached
[eiv...@vimes ~]$

And in general, I don't have problems with EDNS0 or using TCP to look up other domains with big replies, for example I can use both of these commands just fine:

/usr/local/bin/dig +edns=0 any se. @a.ns.se
/usr/local/bin/dig +vc any se. @a.ns.se

So, to recap: at the risk of showing what a fool I am by doing something completely wrong here, I'm betting Microsoft has messed up their DNS - I would have expected queries over TCP to work, and I would not have expected EDNS to give a FORMERR (but ok, if a nameserver doesn't implement EDNS, giving a FORMERR is apparently the right thing to do).
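Added example, not written by any poster in this thread: the fallback chain described in Michael Sinatra's reply (EDNS0, then plain UDP, then TCP) and visible in the dig session above, modelled offline in Python. The two server functions and every packet are constructed for illustration; only the id 6660, the 4096-byte UDP size, the 42-byte FORMERR reply size and the A record address come from the dig output in the thread.

```python
import struct

QTYPE_A, QTYPE_ANY, TYPE_OPT, CLASS_IN = 1, 255, 41, 1
RCODE_FORMERR = 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
NAME = "microsoft.com"


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_message(msg_id, flags, name, qtype, edns_size=None, answers=()):
    """Header + one question, optional answer RRs, optional EDNS0 OPT RR."""
    header = struct.pack("!6H", msg_id, flags, 1, len(answers), 0,
                         0 if edns_size is None else 1)
    body = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    body += b"".join(answers)
    if edns_size is not None:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, no RDATA
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + body


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, _qd, an, _ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}


def next_step(query, reply, transport, used_edns):
    """What a client must do with a reply: accept, discard, fail, or retry."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "discard"                  # not an answer to this query
    if r["rcode"] == RCODE_FORMERR and used_edns:
        return "retry_without_edns"       # server does not speak EDNS0
    if r["tc"]:
        # Truncated: the data did not fit, so TCP is the only way to get it.
        return "retry_tcp" if transport == "udp" else "fail"
    return "accept"


def resolve(server, msg_id=6660):
    """Walk the fallback chain for an ANY query; return (outcome, trail)."""
    transport, edns, trail = "udp", 4096, []
    for _ in range(3):                    # EDNS0 over UDP, plain UDP, TCP
        query = build_message(msg_id, FLAG_RD, NAME, QTYPE_ANY, edns)
        reply = server(query, transport)
        if reply is None:                 # nothing came back: dropped or filtered
            trail.append((transport, edns is not None, "timeout"))
            return "unresolvable", trail
        step = next_step(query, reply, transport, edns is not None)
        trail.append((transport, edns is not None, step))
        if step == "retry_without_edns":
            edns = None
        elif step == "retry_tcp":
            transport = "tcp"
        else:
            return step, trail
    return "fail", trail


def formerr_reply(query):
    """Constructed FORMERR reply that echoes the OPT RR, as in the dig output."""
    return build_message(parse_header(query)["id"],
                         FLAG_QR | FLAG_RD | RCODE_FORMERR, NAME, QTYPE_ANY, 4096)


def udp_side(query):
    """Constructed UDP behaviour: FORMERR to EDNS0 queries, TC=1 to plain ANY."""
    q = parse_header(query)
    if q["arcount"]:
        return formerr_reply(query)
    return build_message(q["id"], FLAG_QR | FLAG_RD | FLAG_TC, NAME, QTYPE_ANY)


def server_tcp_blocked(query, transport):
    """Model of the behaviour reported in the thread: TCP/53 never answers."""
    return None if transport == "tcp" else udp_side(query)


def server_tcp_open(query, transport):
    """Same UDP behaviour, TCP/53 reachable (2-byte TCP length prefix omitted)."""
    if transport != "tcp":
        return udp_side(query)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 3600, 4)
          + bytes([207, 46, 197, 32]))    # A record address taken from the thread
    return build_message(parse_header(query)["id"], FLAG_QR | FLAG_RD,
                         NAME, QTYPE_ANY, answers=(rr,))


if __name__ == "__main__":
    for srv in (server_tcp_blocked, server_tcp_open):
        print(srv.__name__, resolve(srv))
```

With TCP/53 filtered the chain ends in a timeout after both UDP attempts have been exhausted; with TCP reachable the same server, still without EDNS0, resolves on the third attempt.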
bind 9.7.2-P3 does not resolve www.microsoft.com
I have a problem with a bind 9.7.2-P3 (selfcompiled) on a SLES 11.0 machine. It acts as master for several domains and as resolver for users in our network. The machine is running as a VM on an ESX server.

trying to resolve www.microsoft.com or microsoft.com results in a "connection timed out; no servers could be reached"

all other domains (as far as I know) work fine.

---
dig microsoft.com @localhost

; <<>> DiG 9.7.2-P3 <<>> microsoft.com @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached
-

but using +trace I'll get a result:

dig +trace microsoft.com @localhost

; <<>> DiG 9.7.2-P3 <<>> +trace microsoft.com @localhost
;; global options: +cmd
. 454737 IN NS h.root-servers.net.
. 454737 IN NS i.root-servers.net.
. 454737 IN NS j.root-servers.net.
. 454737 IN NS k.root-servers.net.
. 454737 IN NS l.root-servers.net.
. 454737 IN NS m.root-servers.net.
. 454737 IN NS a.root-servers.net.
. 454737 IN NS b.root-servers.net.
. 454737 IN NS c.root-servers.net.
. 454737 IN NS d.root-servers.net.
. 454737 IN NS e.root-servers.net.
. 454737 IN NS f.root-servers.net.
. 454737 IN NS g.root-servers.net.
;; Received 260 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 503 bytes from 198.41.0.4#53(a.root-servers.net) in 42 ms

microsoft.com. 172800 IN NS ns3.msft.net.
microsoft.com. 172800 IN NS ns1.msft.net.
microsoft.com. 172800 IN NS ns5.msft.net.
microsoft.com. 172800 IN NS ns2.msft.net.
microsoft.com. 172800 IN NS ns4.msft.net.
;; Received 209 bytes from 192.54.112.30#53(h.gtld-servers.net) in 18 ms

microsoft.com. 3600 IN A 207.46.232.182
microsoft.com. 3600 IN A 207.46.197.32
;; Received 63 bytes from 65.55.37.62#53(ns1.msft.net) in 175 ms

I have duplicated this virtual machine while trying to find out what's going on and it did resolve then - but without traffic from our users. But as soon as I try this on the real DNS server and it gets requests from users, microsoft.com won't resolve.

How can I debug this problem further? I have experimented with "max-cache-size" but didn't help. How can I see how much memory bind uses for the cache at the moment?

Thanks a lot
Thilo